Consolidating Alerts to Create Cases
Alerts arrive from the different alert sources integrated with SOAR. They are automatically consolidated into cases according to the configured consolidation rules. The Consolidation page lists the rules used to consolidate alerts into cases.
When an alert reaches the consolidation plugin, it is evaluated against the rules, and correlated alerts are consolidated into a case. It is at this point that the system decides whether to create a new case or to add the alert to an existing one.
Consolidation rules are processed from top to bottom and only the first match is executed. Alerts that match the same consolidation rule are gathered into the same case until that case's status is Closed; after that, a new case is created and subsequent matching alerts are consolidated into it. Because only the first match counts, place specific rules above general ones: a broad rule near the top absorbs alerts that a more specific rule below it was meant to group.
Searching a Consolidation Filter
You can search for a specific consolidation filter through the Search option. Click the button next to Search to view results by ID, Rule Conditions, Timespan, Last Modified By, Modification Date, Rank and Actions.
Creating a Consolidation Filter
Click Create Consolidation Filter to create a new consolidation filter. In the Consolidation Filter window, specify the following fields:
Timespan: A value in minutes, hours, days or weeks. The timespan is the interval within which matching alerts are consolidated into one case.
Since Last Alert: The timespan is calculated from the creation time of the most recent alert in the case. This is a sliding window: a steady stream of matching alerts keeps extending the same case.
Since First Alert: The timespan is calculated from the creation time of the first alert in the case. This is a fixed window: once it expires, further matching alerts go to a new case.
Until First Response: Consolidation stops when an analyst responds to the case. When this checkbox is selected, Fusion (see the ArcSight Platform User's Guide) tracks both the response status of the case and the timespan, and stops consolidation at whichever comes first.
Create Conditions: Select one or more conditions for alert consolidation. Each condition has a Type and Parameters:
Type: The type of consolidation condition. Select from the list:
- Alert source is
- Alert source rule name is any of
- Alert source rule name is in list
- Alert source rule name matches regex
- Scope item category is
- Scope item role is
- Scope item value does not equal
- Scope item value equals
- Scope item value is in list
- Scope item value is not in list
Parameters: Vary depending on the selected condition type (a source name, rule names, a regular expression, or a scope item value, as the type requires).
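To make the rule semantics above concrete (top-to-bottom first-match evaluation, Since Last Alert versus Since First Alert, Until First Response, and the Closed-case cut-off), the following is an added simulation written for this page; it is not ArcSight SOAR's own engine or API. It assumes that all conditions in a rule must match (AND), that case status is either Open or Closed, that a named list is modelled as a plain Python list, and that an alert matching no rule is left unconsolidated. The alert stream, rule names, scope items and timestamps are constructed.

```python
# Added simulation of the consolidation behaviour described on this page.
# Not ArcSight SOAR code. Assumptions: conditions within a rule are ANDed,
# case status is "Open"/"Closed", named lists are Python lists, and an alert
# that matches no rule is left unconsolidated (ingest returns None).
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

@dataclass
class Alert:
    id: str
    source: str
    rule_name: str
    scope: dict        # constructed scope item: {"category", "role", "value"}
    created: datetime

@dataclass
class ConsolidationRule:
    id: str
    timespan: timedelta
    basis: str         # "since_last_alert" or "since_first_alert"
    until_first_response: bool
    conditions: list   # [(condition type, parameter), ...]

@dataclass
class Case:
    id: int
    rule_id: str
    alerts: list
    status: str = "Open"
    responded: bool = False

def condition_matches(ctype, param, alert):
    """Evaluate one condition type from the Create Conditions list."""
    value = alert.scope.get("value")
    checks = {
        "Alert source is": lambda: alert.source == param,
        "Alert source rule name is any of": lambda: alert.rule_name in param,
        "Alert source rule name is in list": lambda: alert.rule_name in param,
        "Alert source rule name matches regex": lambda: re.search(param, alert.rule_name) is not None,
        "Scope item category is": lambda: alert.scope.get("category") == param,
        "Scope item role is": lambda: alert.scope.get("role") == param,
        "Scope item value equals": lambda: value == param,
        "Scope item value does not equal": lambda: value != param,
        "Scope item value is in list": lambda: value in param,
        "Scope item value is not in list": lambda: value not in param,
    }
    return checks[ctype]()

def first_matching_rule(rules, alert):
    """Rules are evaluated top to bottom; only the first match is used."""
    for rule in rules:
        if all(condition_matches(t, p, alert) for t, p in rule.conditions):
            return rule
    return None

class Consolidator:
    def __init__(self, rules):
        self.rules = rules
        self.cases = []

    def _accepts(self, case, rule, now):
        """Is the case still collecting alerts under the rule's timespan settings?"""
        if case.status == "Closed":
            return False
        if rule.until_first_response and case.responded:
            return False
        anchor = case.alerts[-1].created if rule.basis == "since_last_alert" else case.alerts[0].created
        return now - anchor <= rule.timespan

    def ingest(self, alert):
        rule = first_matching_rule(self.rules, alert)
        if rule is None:
            return None
        # Check the newest case for this rule first so the alert joins the current case.
        for case in reversed(self.cases):
            if case.rule_id == rule.id and self._accepts(case, rule, alert.created):
                case.alerts.append(alert)
                return case
        case = Case(len(self.cases) + 1, rule.id, [alert])
        self.cases.append(case)
        return case

def demo():
    """Constructed alert stream; returns {alert id: case id} (None = not consolidated)."""
    t = lambda m: datetime(2024, 1, 1, 9, 0) + timedelta(minutes=m)
    host = {"category": "Host", "role": "Target", "value": "10.0.0.5"}
    rules = [
        # Specific rule first: ESM brute-force alerts, 10-minute sliding window.
        ConsolidationRule("R1", timedelta(minutes=10), "since_last_alert", False,
                          [("Alert source is", "ESM"),
                           ("Alert source rule name matches regex", r"^Brute[- ]?Force")]),
        # ESM catch-all below it: 1 hour from the first alert, stop once an analyst responds.
        ConsolidationRule("R2", timedelta(hours=1), "since_first_alert", True,
                          [("Alert source is", "ESM")]),
    ]
    c, result = Consolidator(rules), {}

    def feed(aid, src, name, minutes):
        case = c.ingest(Alert(aid, src, name, host, t(minutes)))
        result[aid] = case.id if case else None

    feed("a1", "ESM", "Brute Force Login", 0)    # matches R1 and R2; R1 is first -> case 1
    feed("a2", "ESM", "Malware Detected", 5)     # regex fails, falls through to R2 -> case 2
    feed("a3", "ESM", "Brute Force Login", 8)    # 8 min since last alert -> case 1
    feed("a4", "ESM", "Brute Force Login", 15)   # 7 min since last (15 since first) -> case 1
    feed("a5", "ESM", "Brute Force Login", 40)   # 25 min since last -> case 3
    c.cases[2].status = "Closed"                 # analyst closes case 3
    feed("a6", "ESM", "Brute Force Login", 42)   # case 3 is Closed -> case 4
    feed("a7", "ESM", "Malware Detected", 50)    # 45 min since first alert of case 2 -> case 2
    feed("a8", "ESM", "Malware Detected", 70)    # 65 min since first alert -> case 5
    c.cases[4].responded = True                  # analyst responds to case 5
    feed("a9", "ESM", "Malware Detected", 72)    # Until First Response -> case 6
    feed("a10", "EDR", "Malware Detected", 73)   # no rule matches -> None
    return result
```

Note how a4 stays in case 1 under Since Last Alert even though it arrived 15 minutes after the first alert; under Since First Alert it would have opened a new case. Swapping R1 and R2 would send every ESM alert into the catch-all case, which is why rule order (the Rank column) matters.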
Editing and Deleting a Consolidation Filter
You can edit an existing consolidation filter by clicking the Edit button under the Actions column. The Consolidation Filter window is displayed; change the values as required and click Save.
You can delete an existing consolidation filter by clicking the Delete button under the Actions column.