True and false alerts in the same case

Hello Team, can someone help me find a solution for the problem below?

This single case has a total of 3 alerts; 1 of the alerts is truly malicious, however the other 2 are false. But the alerts are clubbed in the same case. Now the challenge is: if we execute the playbook, it will take action against all the attached alerts.

Is there any solution so that we can club these alerts separately and our playbook action on a case doesn't create any issue? Also, can you tell me why this is happening?

Thanks in advance


You can move the malicious alert to a new case. Then run the playbook against the new case.

Check you didn't create any unnecessary entities that may have led to the alerts being automatically connected.

@Andrew_Cook thanks for the response. I checked the option to move the alert to a new case or create a new case, and also to attach it to new playbooks and execute accordingly; however, I wanted to know what other criteria we can use to differentiate the alerts based on their entities and keep the alerts separate if uncommon entities are present.

Just for example: we have entities like our user, endpoint name and endpoint IP, and a few common Windows files (Winlogon.exe, explorer.exe, ...) executing legitimate, business-related applications that generate alerts, as we are new to the SIEMPLIFY platform. Still, there are a few uncommon entities that are not business related and are malicious, and they get clubbed into the same case because these uncommon entities were also executed with the same common Windows files (Winlogon.exe, explorer.exe, ...).


I hope I am able to make the scenario clear.

Ah, got it! You can do this through Blocklists (Settings → Environments → Blocklist). Select "Do not group alerts" and set one up for each entity that is causing issues.
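A sketch of the grouping behaviour discussed in this thread, as an added example that is not Siemplify's own code: alerts are merged into one case whenever they share an entity, so a noisy entity such as winlogon.exe links an unrelated malicious alert to benign ones, and excluding such entities (the effect of a "Do not group alerts" blocklist entry, modelled here as a plain set) keeps the malicious alert in its own case. The alert and entity names are constructed.

```python
from itertools import combinations

# Constructed sample alerts, each with its set of entities (not real SOAR data).
# benign-1 and benign-2 share a user and host; malicious-1 is only linked to
# benign-2 through the common Windows process winlogon.exe.
ALERTS = {
    "benign-1":    {"user:jdoe", "host:WS-01", "file:explorer.exe", "file:crm_client.exe"},
    "benign-2":    {"user:jdoe", "host:WS-01", "file:winlogon.exe", "file:payroll_app.exe"},
    "malicious-1": {"user:svc_tmp", "host:WS-07", "file:winlogon.exe", "file:x9k2.tmp.exe"},
}

# Entities present in nearly every Windows alert; they carry no grouping signal.
# Stand-in for the "Do not group alerts" blocklist (assumption, not the product's API).
DO_NOT_GROUP = {"file:explorer.exe", "file:winlogon.exe"}


def linking_entities(alerts, blocklist=frozenset()):
    """Return {frozenset({a, b}): shared entities} for every pair that would be linked."""
    links = {}
    for a, b in combinations(alerts, 2):
        shared = (alerts[a] & alerts[b]) - blocklist
        if shared:
            links[frozenset({a, b})] = shared
    return links


def group_alerts(alerts, blocklist=frozenset()):
    """Merge alerts into cases when they share a non-blocklisted entity.

    Union-find makes links transitive (A~B and B~C => one case), which is
    exactly how one noisy entity drags an unrelated alert into a case.
    """
    parent = {name: name for name in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for pair in linking_entities(alerts, blocklist):
        a, b = tuple(pair)
        parent[find(a)] = find(b)

    cases = {}
    for name in alerts:
        cases.setdefault(find(name), set()).add(name)
    return sorted(tuple(sorted(c)) for c in cases.values())


if __name__ == "__main__":
    print("without blocklist:", group_alerts(ALERTS))
    print("with blocklist:   ", group_alerts(ALERTS, DO_NOT_GROUP))
```

`linking_entities` answers the "why is this happening" part of the question: it names the exact entity that tied each pair of alerts together, which is the entity to put on the blocklist.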


Thanks @Andrew_Cook.
We will be looking into it; if it doesn't work, we will ask back for help.