summarize_alert_events
Group and analyze alert event data by time windows to identify patterns, common entities, and potential incident scope. Supports time windows from 1 to 60 minutes and returns chronologically ordered results for efficient investigation.
Instructions
Analyze patterns and relationships across multiple alerts by aggregating their event data into time-based groups.
For each time window (configurable from 1 to 60 minutes), the tool collects the unique entities (IPs, emails, usernames, trace IDs) and alert metadata (IDs, rules, severities) seen in that window, to help identify related activity.
Results are ordered chronologically with the most recent first, helping analysts identify temporal patterns, common entities, and potential incident scope.
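The grouping described above, as an added illustration that is not the tool's own implementation: it buckets constructed sample alert events into N-minute windows, collects the distinct entities and alert metadata per window, and returns the windows most recent first. The column names (p_alert_id, p_event_time, rule_id, severity, ip, user) are assumed for the sample only.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data); column names are assumed.
SAMPLE_EVENTS = [
    {"p_alert_id": "a1", "rule_id": "AWS.Console.Login", "severity": "HIGH",
     "p_event_time": "2024-05-01T10:02:10Z", "ip": "203.0.113.5", "user": "alice"},
    {"p_alert_id": "a1", "rule_id": "AWS.Console.Login", "severity": "HIGH",
     "p_event_time": "2024-05-01T10:04:55Z", "ip": "203.0.113.5", "user": "alice"},
    {"p_alert_id": "a2", "rule_id": "AWS.IAM.PolicyChange", "severity": "MEDIUM",
     "p_event_time": "2024-05-01T10:07:30Z", "ip": "203.0.113.5", "user": "alice"},
    {"p_alert_id": "a3", "rule_id": "Okta.Login.Anomaly", "severity": "LOW",
     "p_event_time": "2024-05-01T10:31:00Z", "ip": "198.51.100.9", "user": "bob"},
]

# Entity fields to deduplicate per window (assumed names).
ENTITY_FIELDS = ("ip", "email", "user", "trace_id")


def window_start(ts: str, minutes: int) -> datetime:
    """Floor an ISO-8601 UTC timestamp to the start of its N-minute window."""
    if not 1 <= minutes <= 60:
        raise ValueError("time_window must be between 1 and 60 minutes")
    epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return datetime.fromtimestamp(epoch - epoch % (minutes * 60), tz=timezone.utc)


def summarize(events, time_window: int = 30):
    """Group events by window; collect distinct entities and alert metadata.

    Returns a list of window summaries ordered most recent first."""
    buckets = defaultdict(lambda: {"alert_ids": set(), "rules": set(),
                                   "severities": set(), "count": 0,
                                   "entities": defaultdict(set)})
    for ev in events:
        b = buckets[window_start(ev["p_event_time"], time_window)]
        b["alert_ids"].add(ev["p_alert_id"])
        b["rules"].add(ev["rule_id"])
        b["severities"].add(ev["severity"])
        b["count"] += 1
        for field in ENTITY_FIELDS:
            if ev.get(field):
                b["entities"][field].add(ev[field])
    out = []
    for start in sorted(buckets, reverse=True):  # most recent window first
        b = buckets[start]
        out.append({"window_start": start.isoformat(),
                    "window_end": (start + timedelta(minutes=time_window)).isoformat(),
                    "event_count": b["count"], "alert_ids": sorted(b["alert_ids"]),
                    "rules": sorted(b["rules"]), "severities": sorted(b["severities"]),
                    "entities": {k: sorted(v) for k, v in b["entities"].items()}})
    return out
```

A window containing several alert IDs that share an entity (here a1 and a2 sharing one IP and user) is the signal an analyst uses to judge incident scope.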
Returns: Dict containing:
- success: Boolean indicating if the query was successful
- status: Status of the query (e.g., "succeeded", "failed", "cancelled")
- message: Error message if unsuccessful
- results: List of query result rows
- column_info: Dict containing column names and types
- stats: Dict containing stats about the query
- has_next_page: Boolean indicating if there are more results available
- end_cursor: Cursor for fetching the next page of results, or null if no more pages
Permissions: {'all_of': ['Query Data Lake']}
Input Schema
Name | Required | Description | Default |
---|---|---|---|
alert_ids | Yes | List of alert IDs to analyze | |
end_date | No | Optional end date in ISO-8601 format. Defaults to end of today UTC. | |
start_date | No | Optional start date in ISO-8601 format. Defaults to start of today UTC. | |
time_window | No | The time window in minutes (1-60) to group distinct events by | |