FortiSOAR Discussions
Varsha1
New Contributor II

Clubbing of same type of offenses under same alerts

Hi Team,

 

Let say from SIEM Q-Radar we received an offense "ATTACK SIGNATURES OBSERVED BY IPS FROM EXTERNAL SOURCE"  and the same offense has triggered for same customer with same entities again after 1 hour.. now we want to club the offenses with below parameters 

 

[[

When same offense trigger

with same entities

under same tenant

for next 6 hours

club all of such in one alert and playbook should only run on the first offense  recorded in the alert

]] 

 

How can we achieve this ? 

 

Regards,

Shashank

1 REPLY 1
anarula
Staff
Staff

You can use Pre/Post Processing Rules feature that was introduced in v7.5.0

 

  • FortiSOAR includes a rule-based pre-processing feature that is activated before incoming records are stored in the database, providing the flexibility to make decisions such as dropping records based on predefined criteria. Additionally, the implementation of a post-processing rule improves record management by linking similar records based on specified similarity criteria. This post-processing rule enables intelligent linking of records, reduces reliance on resource-intensive playbooks and optimizes system performance. In summary, these rule-based pre- and post-processing features enhance the control and efficiency of the SOAR platform.

CTO (SOAR Business) | VP of Engineering