Respond Config: Aggregation Rules Tab

Document created by RSA Information Design and Development Employee on Sep 13, 2017Last modified by RSA Information Design and Development Employee on Apr 23, 2020
Version 17Show Document
  • View in full screen mode

The Aggregation Rules tab enables you to create and manage aggregation rules for automating the incident creation process. NetWitness Platform provides 11 preconfigured rules. You can add to and adjust these rules for your own environment.

Note: This topic applies to NetWitness Platform version 11.0 and earlier.

What do you want to do?

RoleI want to ...Show me how
Analyst, Content Expert, SOC ManagerCreate an aggregation rule.Step 3. Enable and Create Incident Rules for Alerts
Incident Responders, Analysts, Content Experts, SOC ManagerView the results of my aggregation rule (View Detected Threats).See "Responding to Incidents" in the NetWitness Respond User Guide.

Related Topics

Quick Look

To access the Aggregation Rules tab, go to Configure > Incident Rules > Aggregation Rules tab.

Aggregation Rules Tab (for incident response alerts)

The Aggregation Rules tab consists of a list and toolbar.

Aggregation Rules List

The following table describes the columns in the Aggregation Rules list.



Enables you to select a rule in order to take an action, such as Clone or Delete.

OrderShows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority is evaluated.
NameDisplays the name of the rule.
EnabledShows whether the rule is enabled or not.
The Green enabled icon specifies the rule is enabled.
DescriptionDisplays the description of the rule.
Last MatchedDisplays the time when an alert was successfully matched with the rule. This value is reset once a week.
Matched AlertsDisplays the number of matched alerts. This value is reset once a week.
To change the setting, see Set a Counter for Matched Alerts and Incidents.
IncidentsDisplays the number of incidents created by the rule. This value is reset once a week. To change the setting, see the Set a Counter for Matched Alerts and Incidents.

Aggregation Rules Toolbar

The following table shows the operations that can be performed in the Aggregation Rules tab.



Add icon Allows you to add a new rule.
Edit icon Allows you to edit a rule.
Delete rule icon Allows you to delete a rule.
Duplicate rule icon Allows you to duplicate a rule.

You are here
Table of Contents > NetWitness Respond Configuration Reference > Aggregation Rules Tab (11.0 and earlier)