Respond Config: Step 3. Create an Aggregation Rule for Alerts

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 6, 2017.
Version 9

You can create aggregation rules with various criteria to automate incident creation. Alerts that meet the rule criteria are grouped together to form an incident. This is useful when you know that a particular set of alerts belongs in one incident: an aggregation rule groups those alerts for you, so you do not have to create an incident manually and add each alert to it one at a time. To create incidents automatically, you need to create an aggregation rule.

To create an aggregation rule:

  1. Go to CONFIGURE > Incident Rules.

    The Aggregation Rules tab is displayed.

    Aggregation Rules Tab

    A list of 11 predefined rules is displayed. You can do one of the following:

    • add a new rule 
    • edit an existing rule
    • clone a rule
  2. To add a new rule, select the Add icon.

    The New Rule tab is displayed.

    The example below shows grouping alerts into an incident based on the risk score.

    New Rules tab

  3. Click Save.

    The rule is displayed in the Aggregation Rules tab. The rule is enabled and starts creating incidents from incoming alerts that match the selected criteria.
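To make the grouping behaviour of an aggregation rule concrete, here is an added example (not RSA code, and not how NetWitness Respond implements rules internally). It assumes a simplified rule model: a minimum risk score as the match criterion, an alert attribute to group by, and a time window after which a new incident is opened; the alerts are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    id: str
    risk_score: int
    source: str          # attribute used here as the group-by key
    timestamp: datetime


@dataclass
class Incident:
    rule_name: str
    group_key: str
    alerts: list = field(default_factory=list)

    def risk_score(self):
        # Incident risk is the highest risk score among its alerts (assumption)
        return max(a.risk_score for a in self.alerts)


@dataclass
class AggregationRule:
    name: str
    min_risk_score: int   # criterion: alert must reach this risk score
    group_by: str         # Alert attribute whose value defines the group
    window: timedelta     # alerts further apart than this start a new incident

    def matches(self, alert):
        return alert.risk_score >= self.min_risk_score


def aggregate(rule, alerts):
    """Group alerts matching `rule` into incidents, one per group key and time window."""
    incidents, open_by_key = [], {}
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        if not rule.matches(alert):
            continue                       # alert does not meet the rule criteria
        key = getattr(alert, rule.group_by)
        inc = open_by_key.get(key)
        if inc is None or alert.timestamp - inc.alerts[0].timestamp > rule.window:
            inc = Incident(rule.name, key)  # no open incident for this key: create one
            incidents.append(inc)
            open_by_key[key] = inc
        inc.alerts.append(alert)
    return incidents


# Constructed sample alerts (hypothetical hosts and scores)
T0 = datetime(2017, 10, 6, 10, 0)
SAMPLE_ALERTS = [
    Alert("a1", 80, "host-a", T0),
    Alert("a2", 20, "host-a", T0 + timedelta(minutes=5)),    # below threshold
    Alert("a3", 60, "host-a", T0 + timedelta(minutes=30)),   # joins a1's incident
    Alert("a4", 90, "host-b", T0 + timedelta(minutes=40)),   # different group key
    Alert("a5", 70, "host-a", T0 + timedelta(minutes=90)),   # outside 1h window
]
HIGH_RISK_RULE = AggregationRule("High Risk Alerts", 50, "source", timedelta(hours=1))
```

Running `aggregate(HIGH_RISK_RULE, SAMPLE_ALERTS)` yields three incidents: a1 and a3 together for host-a, a4 alone for host-b, and a5 in a fresh host-a incident because it falls outside the window.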

See Also:

  • For details about various parameters that can be set as criteria for an aggregation rule, see New Rule Tab.
  • For details on the parameter and field descriptions in the Aggregation Rules tab, see Aggregation Rules Tab.