You can create aggregation rules with various criteria to automate incident creation. Alerts that meet a rule's criteria are grouped together to form an incident. This is useful when you already know that a particular set of alerts belongs in one incident: instead of creating the incident manually and adding each alert to it one at a time, you define an aggregation rule once and it performs the grouping for every matching alert that arrives. To create incidents automatically, you need to create an aggregation rule.
To create an aggregation rule:
- In the Security Analytics menu, select Incidents > Configure.
- Select Aggregation Rules.
The Aggregation Rules view is displayed.
A list of 9 pre-defined rules is displayed. You can do one of the following:
- add a new rule
- edit an existing rule
- clone a rule
- To add a new rule, select .
The New Rule tab is displayed.
- Provide the following information:
The example below shows grouping alerts into an incident based on the risk score.
For details about the various parameters that can be set as criteria for an aggregation rule, see New Rule Tab.
- Click Save.
The rule is displayed in the Aggregation Rules view. The rule is enabled as soon as it is saved and starts creating incidents from incoming alerts that match the selected criteria, so review the criteria before you click Save: a rule that is too broad groups unrelated alerts into one incident, and a rule that is too narrow leaves matching alerts without an incident.
For details on the parameter description and field description in the Aggregation Rules view, see Aggregation Rules Tab.
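To make the grouping behaviour concrete, the following is an added illustration, written for this page, of what an aggregation rule does; it is not code from Security Analytics and does not reproduce the product's engine or its rule parameters. It assumes three things the page does not state in detail: a match condition on the alert's risk score (the page's own example criterion), a group-by key (source IP is an assumption), and a time window after which a fresh incident is opened for the same key (also an assumption). The alerts are constructed sample data.

```python
"""Illustrative model of an alert aggregation rule (not Security Analytics code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Alert:
    alert_id: str
    timestamp: datetime
    name: str
    risk_score: int
    source_ip: str


@dataclass
class Incident:
    incident_id: str
    group_key: str
    opened: datetime
    last_alert: datetime
    alert_ids: List[str] = field(default_factory=list)


@dataclass
class AggregationRule:
    name: str
    matches: Callable[[Alert], bool]     # criteria an alert must satisfy
    group_by: Callable[[Alert], str]     # alerts with the same key share an incident
    window: timedelta                    # gap after which a new incident is opened


def aggregate(alerts: List[Alert], rule: AggregationRule) -> Tuple[List[Incident], List[str]]:
    """Apply one rule to a batch of alerts.

    Returns the incidents created and the ids of alerts the rule did not match.
    Alerts are processed in timestamp order so that the time window is applied
    the same way regardless of the order they were delivered in.
    """
    incidents: List[Incident] = []
    open_by_key: Dict[str, Incident] = {}
    unassigned: List[str] = []

    for alert in sorted(alerts, key=lambda a: a.timestamp):
        if not rule.matches(alert):
            unassigned.append(alert.alert_id)
            continue
        key = rule.group_by(alert)
        incident = open_by_key.get(key)
        # Open a new incident if none exists for this key, or if the previous
        # alert for this key is older than the window (idle-gap semantics, an
        # assumption made for this illustration).
        if incident is None or alert.timestamp - incident.last_alert > rule.window:
            incident = Incident(
                incident_id=f"INC-{len(incidents) + 1}",
                group_key=key,
                opened=alert.timestamp,
                last_alert=alert.timestamp,
            )
            incidents.append(incident)
            open_by_key[key] = incident
        incident.alert_ids.append(alert.alert_id)
        incident.last_alert = alert.timestamp

    return incidents, unassigned


# Hypothetical rule: group high-risk alerts (score >= 80) by source IP,
# starting a new incident after a 10 minute gap.
HIGH_RISK_BY_SOURCE = AggregationRule(
    name="High risk alerts by source",
    matches=lambda a: a.risk_score >= 80,
    group_by=lambda a: a.source_ip,
    window=timedelta(minutes=10),
)

# Constructed sample alerts for the illustration.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_ALERTS = [
    Alert("A1", T0, "Suspicious login", 90, "10.0.0.5"),
    Alert("A2", T0 + timedelta(minutes=2), "Privilege escalation", 85, "10.0.0.5"),
    Alert("A3", T0 + timedelta(minutes=3), "Port scan", 40, "10.0.0.5"),   # below threshold
    Alert("A4", T0 + timedelta(minutes=4), "Malware beacon", 95, "10.0.0.9"),
    Alert("A5", T0 + timedelta(minutes=30), "Data exfil", 88, "10.0.0.5"),  # outside window
]


def run_example() -> Tuple[List[Incident], List[str]]:
    return aggregate(SAMPLE_ALERTS, HIGH_RISK_BY_SOURCE)


if __name__ == "__main__":
    created, skipped = run_example()
    for inc in created:
        print(inc.incident_id, inc.group_key, inc.alert_ids)
    print("not matched:", skipped)
```

Running it produces three incidents: A1 and A2 from 10.0.0.5 share one, A4 from 10.0.0.9 gets its own, and A5 starts a second incident for 10.0.0.5 because it arrives well after the window. A3 is left unassigned because its risk score is below the rule's threshold. Tightening the threshold or widening the window changes which alerts land together, which is the trade-off you weigh when choosing a rule's criteria.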