Documentation

Group Alerts

In Digital Threat Monitoring (DTM), when the Group Alerts setting is on, similar Alerts are grouped. 

DTM Alerts dashboard showing two buckets of grouped Alerts

The following restrictions exist for Alert grouping:

ℹ️

  • Alerts are grouped per Alert Type, and grouping is only available for the following Alert Types:
    • Documents
    • Emails
    • Forum Posts
    • Messages
    • Pastes
    • Web Content
  • Alerts are grouped on a per-Monitor basis. Alert buckets are unique to a single monitor, and there are not any alert buckets that contain child Alerts from multiple monitors.
  • There is a fixed look-back time of 60 days. This means that if an alert bucket has not been updated in 60 days, a new bucket is created to group Alerts.

Similarity Score

Each Alert in DTM has a Similarity Score. Similarity Score is calculated by reviewing the document that generated the Alert and comparing the textual content to other alert documents. Therefore, similarity is a computation of how similar the content is between the documents that triggered Alerts. If a Similarity Score is 90% or higher in relation to another Alert, those Alerts are grouped together.

Alert buckets

When you select a bucket of grouped Alerts, you are presented with a table of Alerts that have been grouped together. This table includes a row for each Alert, along with a Similarity Score to let you know how closely related each Alert is to the title Alert of the bucket.

An alert bucket view showing a table with multiple Alerts

ℹ️

Alert buckets are limited to 10,000 Alerts. Once a bucket exceeds 10,000 Alerts, a new bucket is created for additional Alerts that are similar. Therefore, you could see more than one alert bucket for the same set of similar content.

Updated about 2 months ago