Network traffic based alert grouping

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Network traffic based alert grouping

    The Network traffic based alert grouping method enhances alert management by analyzing network traffic connections between processes across hosts. This system utilizes service candidates identified by ML Service Mapping to group alerts related to network traffic issues, providing a contextual view of incidents. Service candidates represent collections of processes based on their network interactions, facilitating better organization and troubleshooting of IT services.

    Show full answer Show less

    Key Features

    • Host Identification: Generates alerts from various sources related to network issues.
    • Network Context Identification: Utilizes horizontal discovery results and ML Service Mapping to determine relevant service candidates and network connections.
    • Alert Grouping: Groups alerts in real-time based on direct process-to-process connections within the same service candidate.

    Key Outcomes

    • Improved Accuracy: High accuracy in alert grouping reduces false positives by leveraging network traffic connections.
    • Enhanced Coverage: Groups alerts effectively, even in low CMDB maturity environments, widening the scope of issues addressed.
    • Streamlined Resolution: Facilitates bulk identification and resolution of related issues, improving operational efficiency for IT teams.

    Note: New customers can automatically enable this feature, while existing customers must manually enable the property for network traffic correlation.

    The Network traffic based alert grouping method groups alerts by analyzing network traffic connections between processes across hosts. It leverages service candidates identified by ML Service Mapping to group alerts related to network traffic issues. This ensures alerts from directly connected processes within the same service candidate are grouped together, offering a more contextual view of network incidents.

    Service candidates are potential collections of processes within your IT environment that are identified based on their network connections and interactions. They represent different services or functions that your IT systems provide, even if they are not fully detailed in your system’s configuration database. For example, service candidates might group together all the processes involved in email delivery, even if the configuration details are incomplete.

    ML Service Mapping uses machine learning to automatically discover and map out these service candidates. It identifies how different processes and components are connected and grouped together based on their network traffic and interactions. This helps in understanding and organizing the IT services and their components, making it easier to manage and troubleshoot issues. For example, ML Service Mapping might automatically identify and map the connections between email servers and mail clients based on their network interactions.

    Note:
    Network traffic based alert grouping is enabled for new customers starting with the Australia release. Existing customers need to enable the property Enable Network Traffic correlation (sa_analytics.agg.query_network_traffic_correlation_enabled) manually.

    How it works

    • Host identification: Alerts related to network issues are generated from various sources.
    • Network context identification: The correlation process uses horizontal discovery results and ML Service Mapping to identify the most relevant service candidates and network connections.

      This process uses the results of the scheduled job Event Management - Populate Service candidate process to process mapping - Daily, which runs once a day and is used to store process-to-process connections for Host CIs in the format required by the alert grouping algorithm.

    • Alert grouping: Alerts are grouped based on direct process-to-process connections within the context of the same service candidate. Grouping is updated in real-time as new alerts are received.

    Benefits

    • Improved accuracy: By leveraging network traffic connections and service candidates, this method provides high accuracy in grouping alerts, minimizing false positives.
    • Enhanced coverage: It effectively groups alerts even in environments with low CMDB maturity, covering a broader range of alerts and issues.
    • Streamlined resolution: IT teams can quickly identify and resolve related issues in bulk, reducing the volume of alerts to manage and improving operational efficiency.