UTMStack

Automatically assign asset group to alerts

Open mjabascal10 opened this issue 1 month ago • 0 comments

Describe the feature

Organizations often categorize assets into logical groups to represent sets of assets that share common characteristics such as purpose, criticality, or operational environment (e.g., Production Servers, Critical Infrastructure, User Endpoints).

Currently, when an alert is generated, it references only the originating asset by name or ID. It does not inherit the group context of that asset, which limits visibility and contextual awareness during incident triage.

This feature introduces logic in the alert processing pipeline to automatically assign the asset’s group to the alert upon creation, ensuring that each alert carries contextual information about the affected group.

Use Case

Organizations manage large numbers of monitored assets that are logically organized into groups, each representing a defined set of assets with shared characteristics such as criticality, function, or environment.

When an alert is generated, it currently references only the specific asset and lacks information about the group it belongs to. This forces analysts to manually identify the group context of each alert, slowing down triage and making it harder to prioritize incidents affecting critical systems.

By automatically inheriting the group from the associated asset, alerts gain immediate contextual relevance. Analysts can quickly identify which operational group is impacted, apply group-based filters in dashboards, and streamline response workflows.

Proposed Solution

Processing Flow

1. Receive new alert. The backend receives an alert event associated with a specific asset (assetId).
2. Lookup asset group. Query the asset repository to determine whether the asset belongs to a group.
3. Assign group to alert. If a group is found, automatically assign it to the alert before persistence.
4. Continue normal processing. Proceed with existing alert classification, correlation, and enrichment workflows.

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

mjabascal10, Nov 03 '25 15:11
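The four-step processing flow in the proposal, written out as an added Go example. This is not UTMStack's code: the `Asset` and `Alert` types, the `AssetRepository` interface, `ErrAssetNotFound` and the in-memory repository are assumptions made for illustration, and the sample assets and alerts are constructed. The example also covers the two cases the proposal leaves implicit: an asset that exists but has no group, and an assetId the repository does not know. In both cases the alert is still persisted with an empty group and the failure is reported to the caller for logging, so a broken or slow group lookup can never silently drop an alert from the pipeline.

```go
package main

import (
	"errors"
	"fmt"
)

// Asset and Alert are simplified stand-ins for the backend's asset and alert
// records; the field names are assumptions for this example.
type Asset struct {
	ID    string
	Name  string
	Group string // empty when the asset has not been placed in any group
}

type Alert struct {
	ID         string
	AssetID    string
	AssetGroup string // filled in by the enrichment step below
	Severity   int
}

// AssetRepository is the lookup the pipeline needs (hypothetical interface).
type AssetRepository interface {
	FindByID(id string) (*Asset, error)
}

// ErrAssetNotFound is returned when no asset matches the alert's assetId.
var ErrAssetNotFound = errors.New("asset not found")

// inMemoryRepo is a constructed test double standing in for the asset database.
type inMemoryRepo map[string]Asset

func (r inMemoryRepo) FindByID(id string) (*Asset, error) {
	a, ok := r[id]
	if !ok {
		return nil, ErrAssetNotFound
	}
	return &a, nil
}

// EnrichAlertWithGroup copies the group of the alert's asset onto the alert
// (steps 2 and 3). It only reports problems; it never decides whether the
// alert is persisted, so a lookup failure cannot make an alert disappear.
func EnrichAlertWithGroup(repo AssetRepository, alert *Alert) error {
	if alert.AssetID == "" {
		return errors.New("alert carries no assetId; cannot enrich with group")
	}
	asset, err := repo.FindByID(alert.AssetID)
	if err != nil {
		return fmt.Errorf("asset group lookup for %q: %w", alert.AssetID, err)
	}
	// An asset that exists but is ungrouped leaves AssetGroup empty; dashboard
	// filters should treat "" as "ungrouped", not as missing data.
	alert.AssetGroup = asset.Group
	return nil
}

// ProcessAlert is the whole flow: receive the alert (step 1), enrich it with the
// asset group, then persist it and hand it on (step 4). The alert is stored
// whether or not enrichment succeeded; the error is returned for logging.
func ProcessAlert(repo AssetRepository, store *[]Alert, alert Alert) (Alert, error) {
	enrichErr := EnrichAlertWithGroup(repo, &alert)
	*store = append(*store, alert) // persistence stand-in: append to a slice
	return alert, enrichErr
}

func main() {
	// Constructed sample data, not real UTMStack assets.
	repo := inMemoryRepo{
		"srv-01": {ID: "srv-01", Name: "db-prod-01", Group: "Production Servers"},
		"wks-07": {ID: "wks-07", Name: "analyst-laptop", Group: ""},
	}
	var store []Alert
	for _, in := range []Alert{
		{ID: "alert-1", AssetID: "srv-01", Severity: 3},
		{ID: "alert-2", AssetID: "wks-07", Severity: 1},
		{ID: "alert-3", AssetID: "ghost-99", Severity: 2}, // asset unknown to the repository
	} {
		out, err := ProcessAlert(repo, &store, in)
		fmt.Printf("%s group=%q err=%v\n", out.ID, out.AssetGroup, err)
	}
}
```

Because the group is copied onto the alert at creation time, later changes to an asset's group membership do not rewrite historical alerts; if the deployment wants alerts to follow regrouping, the lookup has to happen at query time instead, which is a different design from the one proposed here.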