During the training on event intelligence, our trainer Camden used the source field in the event to be evaluated and put into the dedup field via a Rule in the default global ruleset - it looked for regex “(135)”. I was able to do this after the training and have different alerts only have a single incident created.
There is something confusing in this, however. When I create a 3rd or 4th alert with the same regex, I expected it to also be triggered and fall into the same incident. They do, however, they seem to remove or “bump” the previous de-duped alert.
Can you help explain this behavior? Events that come in with payload source “135” and payload summary “There is a problem in test”, “There is a 2nd problem in test” show up de-duped and nested in the incident view only until there is a new event with source 135 and summary “There is a 3rd problem in test”, after which the “2nd problem” seems to disappear completely.
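As an added illustration of the rule described in the post (not code from the original post or from the vendor), here is a small Python model of how a capture-group dedup rule keys alerts: events whose source matches the regex get the captured group as their dedup key and are grouped together. The grouping model (one incident per key, one incident per keyless alert), the event dicts and the anchored `STRICT_RULE` variant are assumptions made for the example; it does not model the display behaviour the post asks about.

```python
import re
from collections import OrderedDict

# Constructed sample events mirroring the post; not real event payloads.
EVENTS = [
    {"source": "135", "summary": "There is a problem in test"},
    {"source": "135", "summary": "There is a 2nd problem in test"},
    {"source": "135", "summary": "There is a 3rd problem in test"},
    {"source": "1350", "summary": "Unrelated source that still contains 135"},
    {"source": "200", "summary": "Different source, rule does not fire"},
]

DEDUP_RULE = re.compile(r"(135)")     # the unanchored pattern from the post
STRICT_RULE = re.compile(r"^(135)$")  # assumed anchored variant: whole field must be 135


def dedup_key(event, rule=DEDUP_RULE):
    """Return the first capture group as the dedup key, or None if the rule does not match."""
    m = rule.search(event["source"])
    return m.group(1) if m else None


def group_into_incidents(events, rule=DEDUP_RULE):
    """Simplified model (assumption): alerts sharing a dedup key land in one incident,
    alerts without a key each open their own incident."""
    incidents = OrderedDict()
    for i, ev in enumerate(events):
        key = dedup_key(ev, rule) or f"no-key-{i}"
        incidents.setdefault(key, []).append(ev["summary"])
    return incidents


if __name__ == "__main__":
    for name, rule in (("unanchored", DEDUP_RULE), ("anchored", STRICT_RULE)):
        print(f"--- {name} rule ---")
        for key, alerts in group_into_incidents(EVENTS, rule).items():
            print(f"{key}: {len(alerts)} alert(s)")
```

Running it shows the three “135” alerts keyed into one incident under either rule. It also shows the caveat with an unanchored `(135)`: a source such as “1350” contains the substring and would be folded into the same incident, so anchoring the pattern (or matching the exact field value) keeps unrelated sources from being merged.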