AnsweredAssumed Answered

Incident Grouping with Destination User (Metakey)

Question asked by Visham Rawat on Feb 11, 2019
Latest reply on Feb 12, 2019 by Visham Rawat

I don't find the destination username metakey available for grouping alerts with incidents.

 

Many use cases, for instance 'Multiple login failures followed by a successful login' or 'Continuous login failures', etc. have users mapped uniquely to the destination user metakey.

This makes this metakey important for grouping alerts of a particular type or name.

Yet, this option is missing within an incident creation template.

 

Is there any way to group alerts to an incident by destination user?

 

Also, device ip is also not available as an option for such groupings.

Outcomes