The Aggregation Rules tab enables you to create and manage aggregation rules for automating the incident creation process. NetWitness Platform provides 11 preconfigured rules. You can add to and adjust these rules for your own environment.
What do you want to do?
|Role||I want to ...||Show me how|
|Analyst, Content Expert, SOC Manager||Create an aggregation rule.||Step 3. Enable and Create Incident Rules for Alerts|
|Incident Responders, Analysts, Content Experts, SOC Manager||View the results of my aggregation rule (View Detected Threats).||See "Responding to Incidents" in the NetWitness Respond User Guide.|
To access the Aggregation Rules tab, go to Configure > Incident Rules > Aggregation Rules tab.
The Aggregation Rules tab consists of a list and toolbar.
Aggregation Rules List
The following table describes the columns in the Aggregation Rules list.
Enables you to select a rule in order to take an action, such as Clone or Delete.
|Order||Shows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority is evaluated.|
|Name||Displays the name of the rule.|
|Enabled||Shows whether the rule is enabled or not.|
The specifies the rule is enabled.
|Description||Displays the description of the rule.|
|Last Matched||Displays the time when an alert was successfully matched with the rule. This value is reset once a week.|
|Matched Alerts||Displays the number of matched alerts. This value is reset once a week.|
To change the setting, see Set a Counter for Matched Alerts and Incidents.
|Incidents||Displays the number of incidents created by the rule. This value is reset once a week. To change the setting, see the Set a Counter for Matched Alerts and Incidents.|
Aggregation Rules Toolbar
The following table shows the operations that can be performed in the Aggregation Rules tab.