You can create aggregation rules with various criteria to automate the incident creation process. Alerts that meet the rule criteria are grouped together to form an incident. This is useful when you know that a particular set of alerts can be grouped into an incident: you set an aggregation rule that takes care of grouping the alerts, instead of spending time manually creating an incident and adding the alerts to it one by one. To create incidents automatically, you need to create an aggregation rule.
To create an aggregation rule:
- In the Security Analytics menu, select Incidents > Configure.
- Select Aggregation Rules.
The Aggregation Rules view is displayed.
A list of 9 pre-defined rules is displayed. You can do one of the following:
- add a new rule
- edit an existing rule
- clone a rule
The New Rule tab is displayed.
The example below shows grouping alerts into an incident based on the risk score.
The rule is displayed in the Aggregation Rules view. The rule is enabled and starts creating incidents from incoming alerts that match the selected criteria.
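To make the matching behaviour concrete, the following added example (not code from the product or this guide) simulates an aggregation engine: each enabled rule is evaluated against a constructed batch of alerts, matching alerts are grouped into one incident per rule, and disabled rules produce nothing. The alert fields, the rule and incident types, and the first-matching-rule-wins ordering are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample alerts (hypothetical; not product data).
ALERTS: List[Dict] = [
    {"id": "a1", "name": "Suspicious login", "risk_score": 90, "source": "10.0.0.5"},
    {"id": "a2", "name": "Port scan", "risk_score": 40, "source": "10.0.0.9"},
    {"id": "a3", "name": "Malware beacon", "risk_score": 85, "source": "10.0.0.5"},
    {"id": "a4", "name": "Policy violation", "risk_score": 20, "source": "10.0.0.7"},
]


@dataclass
class AggregationRule:
    name: str
    enabled: bool
    # Criterion: returns True when the alert satisfies the rule's conditions.
    matches: Callable[[Dict], bool]


@dataclass
class Incident:
    rule_name: str
    alert_ids: List[str] = field(default_factory=list)


def aggregate(alerts: List[Dict], rules: List[AggregationRule]) -> Tuple[List[Incident], List[str]]:
    """Group alerts into incidents according to the enabled rules.

    Rules are evaluated in list order; an alert joins the incident of the
    first enabled rule it matches (assumption of this example). Alerts that
    match no enabled rule are returned separately so they are not lost.
    """
    incidents: List[Incident] = []
    matched: set = set()
    for rule in rules:
        if not rule.enabled:          # disabled rules never create incidents
            continue
        ids = [a["id"] for a in alerts if a["id"] not in matched and rule.matches(a)]
        if ids:
            incidents.append(Incident(rule.name, ids))
            matched.update(ids)
    unmatched = [a["id"] for a in alerts if a["id"] not in matched]
    return incidents, unmatched


# Example rule from the guide's scenario: group alerts by risk score.
HIGH_RISK_RULE = AggregationRule("High risk alerts", True, lambda a: a["risk_score"] >= 80)
# A second rule left disabled to show it is ignored until enabled.
PORT_SCAN_RULE = AggregationRule("Port scans", False, lambda a: a["name"] == "Port scan")

if __name__ == "__main__":
    found, leftover = aggregate(ALERTS, [HIGH_RISK_RULE, PORT_SCAN_RULE])
    for inc in found:
        print(f"Incident from rule '{inc.rule_name}': {inc.alert_ids}")
    print("Alerts matched by no enabled rule:", leftover)
```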