Incident Management: Create an Aggregation Rule

Document created by RSA Information Design and Development Employee on Oct 24, 2017Last modified by RSA Information Design and Development Employee on Jan 29, 2018
Version 2Show Document
  • View in full screen mode

You can create aggregation rules with various criteria to automate the incident creation process. Alerts that meet the rule criteria are grouped together to form an incident. This is useful when you know a particular set of alerts can be grouped into an incident and you can set an aggregation rule that takes care of grouping the alerts instead of spending time in manually creating an incident and adding the alerts to that incident individually. To create incidents automatically you need to create an aggregation rule.

To create an aggregation rule:

  1. In the Security Analytics menu, select Incidents > Configure.
  2. Select Aggregation Rules.

    The Aggregation Rules view is displayed.

    A list of 9 pre-defined rules is displayed. You can do one of the following:

    • add a new rule 
    • edit an existing rule
    • clone a rule
  3. To add a new rule, select .

    The New Rule tab is displayed.

    The example below shows grouping alerts into an incident based on the risk score.


  4. Click Save.

    The rule is displayed in the Aggregations Rules view. The rule will be enabled and it starts creating incidents depending on the incoming alerts that are matched as per the criteria selected.

See Also:

  • For details about various parameters that can be set as criteria for an aggregation rule, see New Rule Tab.
  • For details on the parameter description and field description in the Aggregation Rules view, see Aggregation Rules Tab.
You are here
Table of Contents > Automate the Incident Management Process > Create an Aggregation Rule