Group Tickets

When a new signal is received, LogMan.io Alerts looks for a ticket with the same group id value.

If there is one, the existing ticket is updated as follows:

• associated events from the incoming signal added to the existing ticket's data;
• associated tickets from the incoming signal added to the existing ticket's data;
• attributes (indicators of compromise) from the incoming signal added to the existing ticket's data;
• severity and risk score are updated if increased.

The responsibility of setting a common group id for a number of consecutive signals lies on a client service that sends its signals to the Alert Management.