Respond Config: Aggregation Rules Tab

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 6, 2017.
Version 8

The Aggregation Rules tab enables you to create and manage aggregation rules for automating the incident creation process. NetWitness Suite provides 11 preconfigured rules. You can add to and adjust these rules for your own environment.

What do you want to do?

Role: Analyst, Content Expert, SOC Manager
I want to: Create an aggregation rule.
Show me how: Step 3. Create an Aggregation Rule for Alerts

Role: Incident Responders, Analysts, Content Experts, SOC Manager
I want to: View the results of my aggregation rule (View Detected Threats).
Show me how: See "Responding to Incidents" in the NetWitness Respond User Guide.

Related Topics

Aggregation Rules

To access the Aggregation Rules tab, go to CONFIGURE > Incident Rules > Aggregation Rules tab.

Aggregation Rules Tab (for incident response alerts)

The Aggregation Rules tab consists of a list and toolbar.

Aggregation Rules List

The following table describes the columns in the Aggregation Rules list.

Order: Shows the position of the rule in the list. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert.
Name: Displays the name of the rule.
Enabled: Shows whether the rule is enabled. A green icon indicates that the rule is enabled.
Description: Displays the description of the rule.
Last Matched: Displays the time when an alert was last successfully matched with the rule. This value is reset once a week.
Matched Alerts: Displays the number of matched alerts. This value is reset once a week. To change the setting, see Set Counter for Matched Alerts and Incidents.
Incidents: Displays the number of incidents created by the rule. This value is reset once a week. To change the setting, see Set Counter for Matched Alerts and Incidents.
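To make the rule-order precedence and the three weekly counters concrete, here is an added Python example. It is not NetWitness code: the two rules and their criteria, the sample alerts, the assumption that alerts matched by one rule and sharing a group-by value are folded into a single incident, and the use of an alert id in place of a Last Matched timestamp are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample alerts; the field names are assumptions, not a NetWitness schema.
ALERTS: List[dict] = [
    {"id": 1, "source": "ESA", "severity": 90, "host": "ws-01"},
    {"id": 2, "source": "ESA", "severity": 40, "host": "ws-01"},
    {"id": 3, "source": "Malware Analysis", "severity": 95, "host": "ws-02"},
    {"id": 4, "source": "ESA", "severity": 92, "host": "ws-02"},
    {"id": 5, "source": "Reporting Engine", "severity": 10, "host": "ws-03"},
]


@dataclass
class AggregationRule:
    """One row of the Aggregation Rules list, with its weekly counters."""
    order: int
    name: str
    criteria: Callable[[dict], bool]    # match condition applied to an alert
    group_by: str                       # assumed: alerts sharing this field value land in one incident
    enabled: bool = True
    matched_alerts: int = 0             # "Matched Alerts" column
    incidents: int = 0                  # "Incidents" column
    last_matched: Optional[int] = None  # "Last Matched" column (alert id stands in for a timestamp)


def build_rules() -> List[AggregationRule]:
    """Two hypothetical rules; order 1 is evaluated before order 2."""
    return [
        AggregationRule(1, "High severity", lambda a: a["severity"] >= 90, group_by="host"),
        AggregationRule(2, "ESA alerts", lambda a: a["source"] == "ESA", group_by="source"),
    ]


def first_matching_rule(rules: List[AggregationRule], alert: dict) -> Optional[AggregationRule]:
    """Lowest-order enabled rule whose criteria match the alert: the 'rule order' precedence."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and rule.criteria(alert):
            return rule
    return None


def aggregate(rules: List[AggregationRule], alerts: List[dict]) -> Dict[Tuple[str, str], List[int]]:
    """Route each alert to exactly one rule and fold matches into incidents keyed by (rule, group value)."""
    incidents: Dict[Tuple[str, str], List[int]] = {}
    for alert in alerts:
        rule = first_matching_rule(rules, alert)
        if rule is None:
            continue  # no rule claimed the alert, so no incident is created for it
        rule.matched_alerts += 1
        rule.last_matched = alert["id"]
        key = (rule.name, alert[rule.group_by])
        if key not in incidents:
            incidents[key] = []
            rule.incidents += 1  # a new incident, not just another alert in an existing one
        incidents[key].append(alert["id"])
    return incidents


def reset_weekly_counters(rules: List[AggregationRule]) -> None:
    """The weekly reset the column table describes for Last Matched, Matched Alerts and Incidents."""
    for rule in rules:
        rule.matched_alerts = 0
        rule.incidents = 0
        rule.last_matched = None


if __name__ == "__main__":
    rules = build_rules()
    for key, alert_ids in aggregate(rules, ALERTS).items():
        print(f"incident {key}: alerts {alert_ids}")
    for rule in rules:
        print(f"{rule.order} {rule.name}: matched={rule.matched_alerts} "
              f"incidents={rule.incidents} last={rule.last_matched}")
```

Alert 1 satisfies both rules, but only the order-1 rule claims it, which is why the Matched Alerts count of a lower-priority rule can drop when a broader rule is placed above it; disabling the order-1 rule sends the ESA alerts to the order-2 rule instead and leaves the non-ESA high-severity alert unmatched.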

Aggregation Rules Toolbar

The following table shows the operations that can be performed in the Aggregation Rules tab.

Add icon: Allows you to add a new rule.
Edit icon: Allows you to edit a rule.
Delete rule icon: Allows you to delete a rule.
Duplicate rule icon: Allows you to duplicate a rule.