6.2.1 Understanding Advanced Alert Creator Configuration
The Alert Creator algorithm can support grouping strategies that the Administration Tools do not support. To use these advanced strategies, you must enter Alert Creator rules directly into the database.
- Choice of grouping algorithm to use.
- Scenario types associated with the set of matches to consider for grouping.
- Bindings on which to base break group compatibility.
Grouping Algorithms
- BIND_MATCH: The Alert Creation module creates alerts based on matches with matching bindings/values based on a provided list of bindings to use when determining groupability.
- BIND_BEHAVIOR_SCENARIO_CLASS: The Alert Creation module creates alerts based on matches with matching scenario group code and with matching bindings/values based on a provided list of bindings to use when determining groupability.
- BIND_BEHAVIOR_SCENARIO: The Alert Creation module creates alerts based on matches with matching scenario ID and with matching bindings/values based on a provided list of bindings to use when determining groupability.
- BIND_BEHAVIOR_PATTERN: The Alert Creation module creates alerts based on matches with matching pattern ID and with matching bindings/values based on a provided list of bindings to use when determining groupability.
- SINGLE_ALERT_MATCH: The Alert Creation module creates alerts for all remaining matches. An alert is created for each of the remaining matches, as long as they bind one of the centricity names in the bindings string. This is the catch-all algorithm that ensures that a corresponding alert is created for every match that has a bound centricity value.
For a BIND_MATCH grouping rule, the system compares binding (KDD_BREAK_BINDING) values for matches to determine whether it can group matches together into an alert.
For example, the grouping algorithm interprets !TRADER ?ASSOC_SCRTY as follows: to create an alert, each break set to be grouped must have a TRADER binding whose values match, and each must either have an ASSOC_SCRTY binding whose values match or all must be missing the ASSOC_SCRTY binding. Alerts that mention ASSOC_SCRTY can only be grouped with other alerts that mention ASSOC_SCRTY. Similarly, alerts that do not mention ASSOC_SCRTY can only be grouped with other alerts that do not mention ASSOC_SCRTY.
This list is order-dependent, and at least one binding should be marked as required using an exclamation point (!) to prevent grouping of all miscellaneous matches into one big break. The order matters because the first binding name in the binding string helps determine the centricity: that centricity name is used to determine the alert’s centricity ID.
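The compatibility rule described above for !TRADER ?ASSOC_SCRTY can be checked with a small sketch. This is an added example, not the product's code: the function names, the in-memory dictionary standing in for KDD_BREAK_BINDING rows, and the sample match IDs and values are all assumptions made for illustration.

```python
from collections import defaultdict

_MISSING = object()  # marks an optional binding that a match does not carry

def parse_binding_string(spec):
    """Split e.g. '!TRADER ?ASSOC_SCRTY' into ordered (name, required) pairs."""
    rules = []
    for token in spec.split():
        # The page shows only the '!' (required) and '?' markers.
        if len(token) < 2 or token[0] not in "!?":
            raise ValueError(f"unsupported binding token: {token!r}")
        rules.append((token[1:], token[0] == "!"))
    if not any(required for _, required in rules):
        # The page recommends at least one '!' binding; this sketch enforces it.
        raise ValueError("mark at least one binding as required with '!'")
    return rules

def group_matches(matches, spec):
    """Return (groups, leftover): lists of match ids that may share an alert,
    and ids that lack a required binding and so fit no group under this rule."""
    rules = parse_binding_string(spec)
    groups, leftover = defaultdict(list), []
    for match_id, bindings in matches.items():
        if any(req and name not in bindings for name, req in rules):
            leftover.append(match_id)
            continue
        # Same key <=> required values equal, optional values equal or both absent.
        key = tuple(bindings.get(name, _MISSING) for name, _ in rules)
        groups[key].append(match_id)
    return list(groups.values()), leftover

# Constructed sample matches (ids and binding values are invented).
SAMPLE_MATCHES = {
    "m1": {"TRADER": "T100", "ASSOC_SCRTY": "IBM"},
    "m2": {"TRADER": "T100", "ASSOC_SCRTY": "IBM"},
    "m3": {"TRADER": "T100"},
    "m4": {"TRADER": "T100"},
    "m5": {"TRADER": "T100", "ASSOC_SCRTY": "MSFT"},
    "m6": {"ACCOUNT": "A9"},
    "m7": {"TRADER": "T200", "ASSOC_SCRTY": "IBM"},
}

if __name__ == "__main__":
    print(group_matches(SAMPLE_MATCHES, "!TRADER ?ASSOC_SCRTY"))
```

Matches m3 and m4 share trader T100 with m1 and m2 but land in a separate group because they carry no ASSOC_SCRTY binding, and m6 fits no group because it lacks the required TRADER binding.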