We want to merge alerts from 2 different sources: one uses email integration, and one uses API integration. Currently the event rule cannot work with email, and the global ruleset can work with email.
I found they have the same event field (CEF) and am wondering if they can work together. I have added the same dedup_key and summary to the global rule and the event rule, and expected alerts matching these two rules to be merged into a single incident which has the same dedup_key and summary set by the rules.
However, it did not work. So I guess the event fields on the global rule and the event rule are on different layers or something? Is there any way to merge them into a single incident? Or do we want to wait until email is supported by the event rule?