Question from event intelligence training on how deduplication works

During the training on event intelligence, our trainer Camden used the source field in the event to be evaluated and put into the dedup field via a Rule in the default global ruleset - it looked for regex “(135)”. I was able to do this after the training and have different alerts only have a single incident created.

There is something confusing in this, however. When I create a 3rd or 4th alert with the same regex, I expected it to also be triggered and fall into the same incident. They do; however, they seem to remove or “bump” the previous de-duped alert.

Can you help explain this behavior? Events that come in with payload source “135” and payload summary “There is a problem in test”, “There is a 2nd problem in test” show up de-duped and nested in the incident view only until there is a new event with source 135 and summary “There is a 3rd problem in test”… after which the “2nd problem” seems to disappear completely.

Hi Nate! Thanks for getting in touch!

There is a slight difference between Alert Grouping and de-duplication where alert grouping will group the incoming events with different alert keys into one incident while de-duplicating will link the incoming event with the same alert key into the active alert.

Since we were replacing the provided dedup/alert key with the value from the source field, the alert key became 135 for all three events.

If you open the alert within incident #4, you can see an Alert Log which will relay all of the events which were deduplicated into the alert while it is active. You can even see the event rule which routed the event to this service and other actions that took place such as the alert summary being updated.

Deduplication is great when trying to reduce the noise of events tied to the same alert as well as auto-resolving the open alert.

On the other hand, you would want to use a different event field to extract for the alert key if you want to view the content of each event as individual alerts.
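The dedup-versus-grouping behaviour described in this answer, as an added model written for this page rather than PagerDuty's own code: the `DEDUP_RULE`, `Alert`, `Incident`, `derive_dedup_key` and `ingest` names and the event dict layout are assumptions. Events whose `source` matches the rule's regex `(135)` get that capture as their dedup key, events sharing a key collapse into one active alert whose summary is overwritten while the alert log keeps every event (which is why the “2nd problem” text seems to vanish), and a resolve with the same key closes the open alert.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the behaviour described in the thread (not PagerDuty code):
# an event rule overwrites the dedup key with a regex capture from `source`,
# events sharing a key deduplicate into one active alert (summary updated, every
# event kept in the alert log), and alerts with different keys are grouped.

DEDUP_RULE = re.compile(r"(135)")  # the rule's regex from the training

@dataclass
class Alert:
    dedup_key: str
    summary: str                       # latest event's summary, overwritten on dedup
    alert_log: list = field(default_factory=list)  # every event deduplicated here
    status: str = "triggered"

@dataclass
class Incident:
    alerts: dict = field(default_factory=dict)  # dedup_key -> Alert

def derive_dedup_key(event: dict) -> str:
    """Event rule: a regex capture of `source` replaces the provided dedup key."""
    m = DEDUP_RULE.search(event.get("source", ""))
    return m.group(1) if m else event["dedup_key"]

def ingest(incident: Incident, event: dict) -> "Alert | None":
    key = derive_dedup_key(event)
    alert = incident.alerts.get(key)
    if event.get("event_action", "trigger") == "resolve":
        if alert is not None:
            alert.status = "resolved"   # same key auto-resolves the open alert
        return alert
    if alert is not None and alert.status == "triggered":
        alert.summary = event["summary"]   # why the "2nd problem" text disappears
        alert.alert_log.append(event)      # ...but the event is still in the log
        return alert
    alert = Alert(dedup_key=key, summary=event["summary"], alert_log=[event])
    incident.alerts[key] = alert           # new alert grouped into the incident
    return alert

def replay_training_events() -> Incident:
    """Constructed events matching the thread's example; returns the incident state."""
    incident = Incident()
    for i, text in enumerate(["There is a problem in test",
                              "There is a 2nd problem in test",
                              "There is a 3rd problem in test"]):
        ingest(incident, {"dedup_key": f"orig-{i}", "source": "135", "summary": text})
    return incident
```

Inspect `replay_training_events().alerts["135"].alert_log` to see all three events retained under the single alert even though only the last summary is shown.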