Solved: Understand how to create an overflow alert

preet_mehta · 09-09-2024 12:45 AM

Hi folks, for the sake of learning, I want to understand how the alert overflow mechanism works. In the documentation, it states that the alerts must have same environment, product and rule and should be ingested in a short time period.

I have created a connector that generates 2-5 alerts every second. This does fulfill the criteria of 50 alerts within 10 minutes. However, I do not see any overflow case being created.

As seen in the code above, I have used the is_overflowed method to test if the alert is an overflow or not. However, I do not see any overflow alert ingested.

Finally, the connector execution logs show "No data found for property key: overflow_settings". Does this log justify the behaviour ? Also, how should I set this overflow settings key ?

Thanks.

Kyle_M

Hi preet_mehta,

Your code looks correct based on the screenshot you provided. The log you mentioned should not justify the behavior you are seeing. I see the same log in my quick test and I am seeing the correct overflow behavior. Here is a screenshot of my code for reference (which looks very similar to yours)

Here are a few things to check:

Verify that the environment, product, and rule generator are the same for all of the alerts that are ingested
Add a logger statement after the 'if is_overflowed' condition to ensure it is hitting the condition
Ensure the alerts are not test alerts

Please let me know if you have any other questions.

Thanks!

View solution in original post

SoarAndy

OOTB (i.e. unless you changed Alert Grouping in settings), Alert grouping requires 2 things:
- The new Alert is within 2 hours of the existing Alert (which you should be ok with)
- And there is a matched Entity across both Alerts

Open each Case, and check the entities, did they find something in common?

View solution in original post

Kyle_M

Hi preet_mehta,

Your code looks correct based on the screenshot you provided. The log you mentioned should not justify the behavior you are seeing. I see the same log in my quick test and I am seeing the correct overflow behavior. Here is a screenshot of my code for reference (which looks very similar to yours)

Here are a few things to check:

Verify that the environment, product, and rule generator are the same for all of the alerts that are ingested
Add a logger statement after the 'if is_overflowed' condition to ensure it is hitting the condition
Ensure the alerts are not test alerts

Please let me know if you have any other questions.

Thanks!

preet_mehta

Hi,
I just tried again with keeping your points in mind. I can see the Overflow case generated as per expectations !
However, I also noticed that the alerts added in the Overflow case do have a separate Case as well, but with only that alert in it. Ex: If the Overflow case has 5 alerts, I see 5 separate cases for these alerts.

I guess, this is what confused me, but now, I see the Overflow Case which solves my purpose.

Thanks !

vanitharaj1208

Hi Kyle, i have few question

from the screen shot , why its shows time not mapped in overflow cases

Kyle_M

Hi vanitharaj1208,

Great question. When the overflow condition is met, the alert will skip Ontology mapping where the time is mapped. You will also notice that entities and other event information will not populate. This is to protect system resources and allow other alerts that are not in overflow be processed by the system.

SoarAndy

OOTB (i.e. unless you changed Alert Grouping in settings), Alert grouping requires 2 things:
- The new Alert is within 2 hours of the existing Alert (which you should be ok with)
- And there is a matched Entity across both Alerts

Open each Case, and check the entities, did they find something in common?

preet_mehta

Hi,
Thanks for the suggestions.
Yes, I did have entities in common, and the alerts were ingested in every 5 second interval.
After careful observation, and retrying the flow, I can now see the Overflow case generated.

Thanks.