.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
Aggregation Rules Tab (11.0 and earlier)Aggregation Rules Tab (11.0 and earlier)
The Aggregation Rules tab enables you to create and manage aggregation rules for automating the incident creation process. NetWitness provides 11 preconfigured rules. You can add to and adjust these rules for your own environment.
Note: This topic applies to NetWitness version 11.0 and earlier.
What do you want to do?What do you want to do?
- Role: Analyst, Content Expert, SOC Manager
- I want to ...: Create an aggregation rule.
- Show me how: Step 3. Enable and Create Incident Rules for Alerts
- Role: Incident Responders, Analysts, Content Experts, SOC Manager
- I want to ...: View the results of my aggregation rule (View Detected Threats).
- Show me how: See "Responding to Incidents" in the NetWitness Respond User Guide.
Related TopicsRelated Topics
Quick LookQuick Look
To access the Aggregation Rules tab, go to Configure > Incident Rules > Aggregation Rules tab.
The Aggregation Rules tab consists of a list and toolbar.
Aggregation Rules ListAggregation Rules List
The following table describes the columns in the Aggregation Rules list.
- Column:
Select
- Description:
Enables you to select a rule in order to take an action, such as Clone or Delete.
- Column: Order
- Description: Shows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority is evaluated.
- Column: Name
- Description: Displays the name of the rule.
- Column: Enabled
- Description: Shows whether the rule is enabled or not.
The
specifies the rule is enabled.
- Column: Description
- Description: Displays the description of the rule.
- Column: Last Matched
- Description: Displays the time when an alert was successfully matched with the rule. This value is reset once a week.
- Column: Matched Alerts
- Description: Displays the number of matched alerts. This value is reset once a week.
To change the setting, see Set a Counter for Matched Alerts and Incidents.
- Column: Incidents
- Description: Displays the number of incidents created by the rule. This value is reset once a week. To change the setting, see the Set a Counter for Matched Alerts and Incidents.
Aggregation Rules ToolbarAggregation Rules Toolbar
The following table shows the operations that can be performed in the Aggregation Rules tab.
- Option:
- Description: Allows you to add a new rule.
- Option:
- Description: Allows you to edit a rule.
- Option:
- Description: Allows you to delete a rule.
- Option:
- Description: Allows you to duplicate a rule.