Group by arbitrary meta in Incident Management>

Question asked by Craig Cameron-Weir on Jan 30, 2018
I have a custom parser that generates some custom metadata, and an ESA rule that triggers based on events from the custom parser. What I want is to be able to group alerts into incidents in Incident Management by the custom meta. Is this possible, and if so, how do I do it?