Endpoint Standard: What is the result of dismissing Alerts by Threat ID?

Article ID: 289805

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

When dismissing Alerts with Group Alerts enabled, the dismissal is recorded by threat_id, as can be seen in the Audit Log. Is there a way to determine the underlying criteria used for this grouping, so that a dismissal does not also suppress unexpected or undesired Alerts in the future?

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard (formerly CB Defense)

Resolution

Alert dismissal with Group Alerts enabled dismisses based on threat_id. The threat_id is currently visible in two places: 1) in the Console, via Developer Tools/Web Inspector on the Alerts page, or in the URL of the Alert Triage and Investigate pages; or 2) via the API when pulling Alert data. Alerts are grouped under the same threat_id based on threat_cause_actor_sha256 and reason_code (both most easily seen via DevTools on the Alerts page). Dismissing a threat_id will therefore also dismiss any additional Alerts that fall under the same threat_id, i.e. those sharing the same threat_cause_actor_sha256 and reason_code. There are a few edge cases where the threat_id is based on the target hash or the peer host instead, but those are much less frequent.
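The following is an added example, not code from the article or from Carbon Black: given alert records pulled via the API, it previews which alerts a threat_id dismissal would cover and flags groups whose members do not all share the same threat_cause_actor_sha256 and reason_code (the edge cases mentioned above). The record layout and all values are constructed; only the three field names come from the article.

```python
from collections import defaultdict

# Constructed sample alert records (not real API output). The field names
# threat_id, threat_cause_actor_sha256 and reason_code are the ones the
# article says drive grouping; id/device_name and every value are placeholders.
SAMPLE_ALERTS = [
    {"id": "alert-1", "device_name": "HOST-A", "threat_id": "TID-0001",
     "threat_cause_actor_sha256": "hash-A", "reason_code": "R_CODE_1"},
    {"id": "alert-2", "device_name": "HOST-B", "threat_id": "TID-0002",
     "threat_cause_actor_sha256": "hash-B", "reason_code": "R_CODE_2"},
    {"id": "alert-3", "device_name": "HOST-C", "threat_id": "TID-0001",
     "threat_cause_actor_sha256": "hash-A", "reason_code": "R_CODE_1"},
    # Edge case: same threat_id but a different actor hash (grouped by target/peer)
    {"id": "alert-4", "device_name": "HOST-D", "threat_id": "TID-0002",
     "threat_cause_actor_sha256": "hash-C", "reason_code": "R_CODE_2"},
    # Same actor hash as TID-0001 but a different reason_code -> separate group
    {"id": "alert-5", "device_name": "HOST-A", "threat_id": "TID-0003",
     "threat_cause_actor_sha256": "hash-A", "reason_code": "R_CODE_3"},
]


def preview_dismissal(alerts, threat_id):
    """Return the ids of every alert that dismissing `threat_id` would cover."""
    return sorted(a["id"] for a in alerts if a["threat_id"] == threat_id)


def grouping_keys(alerts):
    """Map each threat_id to the distinct (actor sha256, reason_code) pairs in it."""
    keys = defaultdict(set)
    for a in alerts:
        keys[a["threat_id"]].add((a["threat_cause_actor_sha256"], a["reason_code"]))
    return {tid: sorted(pairs) for tid, pairs in keys.items()}


def find_unexpected_groupings(alerts):
    """threat_ids whose members do not all share one actor hash + reason_code.

    These are the groups to inspect by hand before dismissing, since the
    article notes some threat_ids are keyed on the target hash or peer host.
    """
    return {tid: pairs for tid, pairs in grouping_keys(alerts).items() if len(pairs) > 1}


if __name__ == "__main__":
    print("Dismissing TID-0001 affects:", preview_dismissal(SAMPLE_ALERTS, "TID-0001"))
    print("Groups needing review:", find_unexpected_groupings(SAMPLE_ALERTS))
```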