When Qevlar receives multiple identical alerts for the same entity and alert type within a 12-hour window, it automatically groups them together as repeated alerts. This reduces noise in your investigations queue while preserving full visibility of every alert.
How it works
Qevlar identifies alerts as repeated when they share the same observables (for example, the same user, device, or email) and the same alert type, and arrive within 12 hours of the first alert in the group. The first alert becomes the parent alert and is fully investigated. All subsequent matching alerts within the window are grouped under it.
After the 12-hour window closes, any new matching alert starts a fresh group with its own parent alert. The window is measured from the parent alert, not from the most recent repeated alert, so a matching alert that arrives 13 hours after the parent starts a new group even if it arrives only minutes after the last repeat.
What you'll see in the UI
Investigations table
Grouped alerts appear as a single row in the investigations table. A tag next to the investigation title shows how many repeated alerts are included (for example, "+1"). Hovering over the tag displays a tooltip confirming the number of repeated alerts.
Investigation report
When you open a parent alert, you'll find a Repeated Alerts tab alongside Summary, Observables, Remediation & Handoff, and AI Audit. This tab shows the full list of grouped alerts with their individual IDs, verdicts, and timestamps, along with the first seen and last seen dates for the group.
Accessing alert data
Each alert's original JSON is preserved. You can access individual alert data through the View Alert option on any repeated alert in the group, or download all grouped alert JSONs together.
API behaviour
New response format for repeated alerts
When a repeated alert is submitted via the API, Qevlar returns a 200 response with the following structure:
{
"status": "Grouped",
"group_reason": "Identical observables except timestamp",
"message": "This alert matches an existing incident: <parent_alert_id>",
...
}
The response includes the full alert details, investigation data, and a reference to the parent alert. This is a non-breaking change: the HTTP status is still 200, so existing integrations continue to work without modification. Integrations that open a case or ticket for every 200 response should check the status field and use the parent alert reference, so that a grouped alert does not open a second case for an incident that is already being investigated.
Visit our dedicated API Docs for more information.
Existing clone alert behaviour
Clone alerts (exact duplicates of an already ingested alert) continue to return a 409 response as before, with a message referencing the original alert.
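The following is an added illustration, not Qevlar's own code, that models the three outcomes described on this page together: the grouping rule from "How it works" (same alert type and observables, within 12 hours of the parent alert), the 200 "Grouped" response shape from "API behaviour", and the 409 clone response. The ingest endpoint itself, the payload fields (alert_type, observables, timestamp), the alert-N identifier format, the wording of the 409 message, the absence of a status field on a non-grouped 200 body, and the use of the alert's own timestamp as its arrival time are all assumptions made for the example. The classify function shows how an integration can tell the three cases apart without relying on anything beyond the documented status and message fields.

```python
"""Toy model of repeated-alert grouping and the documented response shapes.
Added example; not Qevlar's code. Payload fields, ID format and the
409 message wording are assumptions."""
import json
import re
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)  # grouping window, measured from the parent alert


class IngestModel:
    """Assumed ingest order: exact-clone check, then grouping, then new parent."""

    def __init__(self):
        self._clones = {}   # exact-payload fingerprint -> alert id
        self._groups = []   # each: {"key", "parent", "first_seen", "repeated"}
        self._next = 1

    @staticmethod
    def _fingerprint(payload):
        # Clone = identical JSON, timestamp included.
        return json.dumps(payload, sort_keys=True)

    @staticmethod
    def _key(payload):
        # Repeated = same alert type and same observables; timestamp excluded.
        # Assumption: observables compare as an unordered set of name/value pairs.
        return (payload["alert_type"], tuple(sorted(payload["observables"].items())))

    def submit(self, payload):
        """Return (http_status, body) in the shapes the page documents."""
        fp = self._fingerprint(payload)
        if fp in self._clones:
            # Constructed wording; the page only says the message references the original.
            return 409, {"message": f"Duplicate of already ingested alert {self._clones[fp]}"}
        alert_id = f"alert-{self._next}"          # assumed ID format
        self._next += 1
        self._clones[fp] = alert_id

        seen = datetime.fromisoformat(payload["timestamp"])  # assumption: arrival == alert timestamp
        key = self._key(payload)
        for group in self._groups:
            # Window is anchored to the parent's first-seen time, not the last repeat.
            if group["key"] == key and timedelta(0) <= seen - group["first_seen"] < WINDOW:
                group["repeated"].append(alert_id)
                return 200, {
                    "status": "Grouped",
                    "group_reason": "Identical observables except timestamp",
                    "message": f"This alert matches an existing incident: {group['parent']}",
                    "alert_id": alert_id,
                }
        self._groups.append({"key": key, "parent": alert_id, "first_seen": seen, "repeated": []})
        return 200, {"alert_id": alert_id}  # assumption: no status field on a new parent


# Integration side: decide what to do with a response using only documented fields.
PARENT_REF = re.compile(r"existing incident:\s*(\S+)")


def classify(http_status, body):
    """Return (kind, alert id to act on): 'new', 'grouped', 'clone' or 'error'."""
    if http_status == 409:
        return "clone", None
    if http_status != 200:
        return "error", None
    if body.get("status") == "Grouped":
        match = PARENT_REF.search(body.get("message", ""))
        return "grouped", match.group(1) if match else None  # work the existing case
    return "new", body.get("alert_id")                      # open a new case


def run_scenario():
    """Constructed alerts exercising window, clone and key boundaries."""
    model = IngestModel()
    base_obs = {"user": "alice@example.com", "device": "LAPTOP-01"}
    start = datetime(2024, 5, 1, 9, 0)

    def alert(hours, alert_type="impossible_travel", **obs):
        return {
            "alert_type": alert_type,
            "observables": {**base_obs, **obs},
            "timestamp": (start + timedelta(hours=hours)).isoformat(),
        }

    submissions = [
        alert(0),                       # first alert: becomes the parent
        alert(11),                      # 11h after parent: grouped
        alert(11),                      # exact resend of the previous one: clone (409)
        alert(13),                      # 13h after parent: fresh group, even though 2h after last repeat
        alert(0, device="LAPTOP-02"),   # different observable: not grouped
        alert(1, alert_type="password_spray"),  # same observables, other type: not grouped
    ]
    return [classify(*model.submit(p)) for p in submissions]


if __name__ == "__main__":
    for kind, ref in run_scenario():
        print(kind, ref)
```

The scenario yields new alert-1, grouped alert-1, clone, new alert-3, new alert-4, new alert-5. The fourth result is the point to check in any implementation: the window closes relative to the parent, so a steady trickle of matching alerts produces a new parent roughly every 12 hours rather than one group that never closes.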