How the Aurora Multi-Tenant Console groups alerts

The Aurora Multi-Tenant Console uses the criteria below to group alerts from all of your tenants and Aurora Endpoint Security services, so that you can scope your threat-hunting and resolution work to logical groupings of related alerts instead of handling each alert on its own. The grouping logic is built and maintained by Arctic Wolf and is designed to handle alerts from a range of integrated services. The result is a zero-touch experience that automates frequency and prevalence analysis, making it easier for you to triage and prioritize your cybersecurity efforts.

A new alert is added to an existing alert group when all of the following conditions are met:
  • The priority, classification, sub-classification, description, key indicators, and response of the alert match that group.
  • The alert occurs within 24 hours of the most recent alert in that group.
  • The alert is detected within 7 days (168 hours) of the oldest alert in that group.

A new alert group is created when an alert is detected that does not satisfy all of these conditions.

Priority

The priority of an alert, which corresponds to the urgency of the issue and its potential impact on your organization’s environment, is factored into how alerts are grouped. The Alerts view surfaces the highest-priority alerts across all telemetry sources so that you can view and resolve the most important alerts first.

The factors that determine the priority of an alert vary by service:

Service: Aurora Protect Desktop
Factors:
  • For threat alerts, the priority is always high in the Alerts view, even if the priority of the alert is lower in Protection > Threats in the management console. The purpose of this elevated priority in the Alerts view is to indicate the urgency of malware detections.
  • For memory protection alerts, the priority is determined by the nature of the memory protection event, as configured by Arctic Wolf cybersecurity analysts. The priority of an event is based on its overall severity and relevance for investigation.

Service: Aurora Focus
Factors: The priority is determined by the configuration of the Aurora Focus detection rules.

Classification and sub-classification

The alert classification and sub-classification identify and label the underlying detection type, providing structured alert content that better describes the alert detected by a given service. Each service defines its own set of classifications and sub-classifications to clarify the nature of the alert.

Classification and sub-classification data are used to identify and group similar alerts.

The factors that determine the classification and sub-classification of an alert vary by service:

Service: Aurora Protect Desktop
Factors:

Service: Aurora Focus
Factors: Detection rules contain MITRE tactics, techniques, and sub-techniques, which define the classification and sub-classification of an alert.

Description

The description of an alert is a characteristic that provides a short segment of information about the alert. Alerts with matching descriptions are more likely to be grouped together.

Key indicators

Key indicators are the detection content that is common across every individual alert in an alert group. The aggregation process compares the key indicators of alerts to determine whether they should be grouped together. For example, if the key indicator of an alert is the SHA256 hash of a file, every alert in that alert group carries the identical hash value.

The key indicators of an alert vary by service:

Service: Aurora Protect Desktop
Factors:
  • For threat alerts, the key indicator is the SHA256 hash.
  • For memory protection alerts, the key indicators are the unique characteristics of the event (for example, file data such as the SHA256 hash and the risk score).

Service: Aurora Focus
Factors: Key indicators are the uniquely identifying facets of the artifacts that are associated with an alert. For example, for process artifacts, the key indicators are the following facets: SHA256 hash, file path, and command-line arguments. These facets establish a unique signature for the process artifact type that can be compared with other alerts. The key indicator facets of an alert group are common across the individual alerts in the group.

Response

For services that execute mitigation actions, this is the action that you configured the service to execute in response to the detection. For example, for Aurora Protect Desktop threat alerts, a response may be one of the following: waived, quarantined, unsafe, or abnormal.

For services that don't execute mitigation actions, this captures relevant information from the integrated service. Alerts with matching responses are more likely to be grouped together.

Time

The time at which an alert occurs relative to other alerts is factored into how alerts are grouped. An alert is added to an existing group only if the priority, classification, sub-classification, description, key indicators, and response of the alert match that group, the alert occurs within 24 hours of the most recent alert in that group, and the alert occurs within 7 days (168 hours) of the oldest alert in that group. If the alert matches the attribute criteria but occurs outside the 24-hour window from the most recent alert in the group, or outside the 7-day window from the oldest alert in the group, it starts a new group.

The 7-day window ensures that alert groups have a fixed period and do not grow indefinitely.
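The grouping rule stated at the top of the page and restated in this Time section, as an added Python example that is not Arctic Wolf's code: the Alert attributes, the sample timestamps and the placeholder hash are constructed, and the walk-through goes slightly beyond the text by showing both a 24-hour gap breaking a chain and the 168-hour cap closing a group even though every gap inside it is under 24 hours.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Attributes that must match for an alert to join a group (the page's criteria).
MATCH_FIELDS = ("priority", "classification", "sub_classification",
                "description", "key_indicators", "response")
RECENT_WINDOW = timedelta(hours=24)   # max gap from the group's most recent alert
GROUP_SPAN = timedelta(hours=168)     # max distance from the group's oldest alert

@dataclass(frozen=True)
class Alert:                          # constructed shape, not the console's schema
    detected_at: datetime
    priority: str
    classification: str
    sub_classification: str
    description: str
    key_indicators: tuple             # hashable, e.g. (("sha256", "<hash>"),)
    response: str
    def signature(self):
        return tuple(getattr(self, f) for f in MATCH_FIELDS)

@dataclass
class AlertGroup:
    alerts: list = field(default_factory=list)
    def accepts(self, alert):
        """All three page conditions: matching attributes, 24h gap, 7-day span."""
        newest, oldest = self.alerts[-1].detected_at, self.alerts[0].detected_at  # time order
        return (alert.signature() == self.alerts[0].signature()
                and alert.detected_at - newest <= RECENT_WINDOW
                and alert.detected_at - oldest <= GROUP_SPAN)

def group_alerts(alerts):
    # Process oldest first; join the newest group that accepts the alert, else open one.
    groups = []
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        for g in reversed(groups):
            if g.accepts(alert):
                g.alerts.append(alert)
                break
        else:
            groups.append(AlertGroup([alert]))
    return groups

def demo_groups():
    """Constructed sample: a chain of identical threat alerts plus a waived outlier."""
    t0 = datetime(2024, 1, 1)
    def threat(hours, response="quarantined"):
        return Alert(t0 + timedelta(hours=hours), "high", "Malware", "Trojan",
                     "Threat detected", (("sha256", "<placeholder-hash>"),), response)
    chain = [threat(h) for h in (0, 20, 40, 80, 100, 120, 140, 160, 180, 200, 220, 240, 260)]
    return group_alerts(chain + [threat(20, "waived")])
```

Running `demo_groups()` yields four groups: hours 0 to 40 (three alerts), the lone waived alert, hours 80 to 240 (nine alerts, 160 hours apart at most), and a new group for hour 260, which is only 20 hours after its predecessor but 180 hours after the oldest alert.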