In one embodiment, a device receives a plurality of network alerts over a time frame. A sliding transaction window is used across the time frame to associate each network alert occurring within the transaction window with one or more transactions. A pruning test is applied to subsets of the plurality of network alerts, with the network alerts in a given subset being associated with the same transaction. The pruning test is based in part on the number of co-occurrences of network alerts in a given subset for different transaction windows. The subsets of network alerts are assigned to network alert clusters based on the applied pruning test. The network alerts are then joined within a network alert cluster to identify the largest grouping of network alerts that pass the pruning test. A notification that the identified grouping of network alerts is associated with the same transaction is also provided.