
Incident Rule Details View


The Incident Rule Details view enables you to create and edit incident rules for creating incidents from alerts. This topic describes the information required when creating or editing a new rule.

Note: The information in this topic applies to NetWitness Version 11.1 and later.

What do you want to do?

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Related Topics

Quick Look

To access the Incident Rule Details view, do one of the following:

  • To create a rule, go to (Configure) > Incident Rules and click Create Rule.

  • To edit a rule, go to (Configure) > Incident Rules and click the link in the Name column for the rule that you want to update.

    The Incident Rule Details view is displayed. The following figure shows the Incident Rule Details view in Rule Builder query mode.

    [Figure: Incident Rule Details view in Rule Builder query mode]

    In the Match Conditions section, if you select Advanced query mode, a field to enter advanced queries is available as shown in the following figure.

    [Figure: Incident Rule Details view in Advanced query mode]

The following table describes the options available when creating or editing incident rules.

Group By Meta Key Mappings

When alerts are grouped on an alert field, all matching alerts that carry the same meta key value for that field are placed in the same incident. For example, if you select the Group By field value Destination Host, the rule uses the mapped meta key alert.groupby_host_dst, and all alerts with the same value for alert.groupby_host_dst are grouped together in the same incident.
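The two-step behaviour described above (Group By field resolved to its mapped meta key, then alerts bucketed by that key's value) as an added illustration; this is example code, not NetWitness code, and it assumes only the Destination Host mapping given on this page, plus constructed sample alerts. Alerts that lack the meta key are returned separately here, which is an assumption of the example rather than documented behaviour.

```python
from collections import defaultdict

# Group By field -> mapped meta key. Only the Destination Host mapping is
# given on this page; the remaining rows of the mapping table are not included.
GROUP_BY_META_KEYS = {
    "Destination Host": "alert.groupby_host_dst",
}


def group_alerts_into_incidents(alerts, group_by_field):
    """Bucket alerts that share the same value for the mapped meta key.

    Returns (incidents, ungrouped): incidents maps each meta key value to the
    list of alerts carrying it; alerts without the key are returned separately
    (an assumption of this example, not documented NetWitness behaviour).
    """
    meta_key = GROUP_BY_META_KEYS[group_by_field]
    incidents = defaultdict(list)
    ungrouped = []
    for alert in alerts:
        value = alert.get(meta_key)
        if value is None:
            ungrouped.append(alert)
        else:
            incidents[value].append(alert)
    return dict(incidents), ungrouped


# Constructed sample alerts (not real NetWitness output). Two alerts share the
# destination host web01, one targets db02, one has no host meta key at all.
SAMPLE_ALERTS = [
    {"id": "a1", "name": "Suspicious Login", "alert.groupby_host_dst": "web01"},
    {"id": "a2", "name": "Port Scan", "alert.groupby_host_dst": "web01"},
    {"id": "a3", "name": "Malware Beacon", "alert.groupby_host_dst": "db02"},
    {"id": "a4", "name": "No Host Meta"},
]

if __name__ == "__main__":
    incidents, ungrouped = group_alerts_into_incidents(SAMPLE_ALERTS, "Destination Host")
    for host, members in incidents.items():
        print(f"incident for {host}: {[a['id'] for a in members]}")
    print("ungrouped:", [a["id"] for a in ungrouped])
```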

The following table shows the mapped meta keys for the Group By field selections.