Aggregate Alerts
When multiple threats could generate multiple alerts, it can be easier to manage when they are all aggregated into one alert.
Credit card sales, for example, may yield a vast amount of cards being sold, each that could legitimately trigger an alert.
To enable easier management of this situation, you can group multiple threats into one aggregate alert. That way, all threats detected within a specified time frame will trigger only one alert, with the details of all of the cards in the alert. For example, aggregated Credit card for sale alert details are shown in the alert's Credit Card Details tab, as described in View credit card details.
When Certificate issues alerts are aggregated, one alert in the Alerts list consolidates and summarizes the status of the current threats and contains a link to the relevant Threats page, where you can see all the relevant threats for those scenarios. Separate alerts are not generated in these cases.
In some aggregated alerts, the Source URL field is not shown. You can find that by opening the related threat.
Aggregate alerts are shown on the Alerts page like all other alerts.
When you aggregate some alerts, you can also add additional options, described in the table below.
Alert type | See the aggregation details here | Additional options | Default aggregation |
---|---|---|---|
Certificate issues | In the Threats page | Rule Aggregate alerts triggered from the same rule. Certificate status Aggregate alerts with the same status. | Aggregated once a week, for all matched threats |
SSL issues | In the Threats page | Rule Aggregate alerts triggered from the same rule. | Aggregated once a week, for all matched threats |
Secret key | In the Threats page | Rule Aggregate alerts triggered from the same rule. Repository URL Aggregate alerts from the same repository. Secret type Aggregate alerts for the same secret type. Secret value Aggregate alerts for the same, unique secret. | Aggregated once a day per repository name, for all matched threats. |
Asset mentions | In the Threats page | Rule Aggregate alerts triggered from the same rule. Repository URL Aggregate alerts from the same repository. Repository creation date Aggregate alerts with the same repository creation date. | Aggregated daily, by file, for all matched alerts. If multiple assets were found multiple times in the same code file - 1 threat will be created. If a single asset was found multiple times in multiple code files - multiple threats will be created. |
Credit cards for sale | In the alert's Credit Cards for Sale tab | Rule Aggregate alerts triggered from the same rule. | Aggregated every 8 hours, for all matched threats. |
You can turn off aggregation and edit the aggregation settings.
Edit aggregation setting
You can turn aggregation off as well as modify the aggregation options.
To edit the aggregation of alerts:
- From Threat Command, choose the kind of alerts from the Alert Profiler.
This example uses Credit cards for sale, but applies to all the scenarios. - To stop aggregation, set the toggle to off.
- To modify the settings, click Modify.
- (Optional) You can change the time frame.
- (Optional) For Certificate issues or Secret key, you can set additional aggregation parameters.
- Select Use a parameter for aggregation.
- Select the parameter to use.
- Click Save Settings.