Pre-Built Detection Grouping Rules

To ensure alerts and cases always contain meaningful information, pre-built detection grouping rules group detections without you having to create or customize your own rules.

Pre-built detection grouping rules are detection grouping rules that are already configured. If you don't want to use these pre-built detection grouping rules, create your own rules from scratch or clone a pre-built detection grouping rule to use as a starting point for a new rule.

The Rule detection grouping rule is always enabled and is always the last rule in the sequence; you can't disable or reorder it. You can disable and reorder all other pre-built detection grouping rules. You can't delete any pre-built detection grouping rule.

The pre-built detection grouping rules available to you differ based on your license:

Pre-Built Detection Grouping Rules in the New-Scale SIEM License

If you have the New-Scale SIEM license, there are eight pre-built detection grouping rules. Seven of them are enabled by default, in the following order:

  1. Correlation rule – If the detection is a correlation rule detection, the correlation rule uses the Group by Field functionality, and the correlation rule outcome is designated to create a case, the detection is grouped into a case by the correlation rule name and correlation rule group by field. This detection grouping rule creates a standalone case for a correlation rule detection only if it is ordered at the top of the list of detection grouping rules.

    This detection grouping rule is available by default only if you became a customer on or after September 15, 2025. If you became a customer before September 15, 2025, you must manually create the detection grouping rule.

  2. User – If the detection is associated with one unique user, it's grouped by user.

  3. Src Host – If the detection src_host attribute has a value, the detection is grouped by source host.

  4. Dest Host – If the detection dest_host attribute has a value, the detection is grouped by destination host.

  5. Src Ip – If the detection src_ip attribute has a value, the detection is grouped by source IP address.

  6. Dest Ip – If the detection dest_ip attribute has a value, the detection is grouped by destination IP address.

  7. Rule – If the detection rulename attribute has a value, the detection is grouped by rule name.
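The following Python is an added illustration, not Exabeam's code: it models the New-Scale SIEM default order as an ordered sequence in which the first matching rule assigns the case key, the reading that follows from the note that the Correlation rule creates a standalone case only when ordered first. The record layout (`type`, `outcome`, `group_by_field`, `users`) and the sample detections are constructed for the example.

```python
# Added model of an ordered, first-match detection grouping sequence using the
# New-Scale SIEM default order from this page. Field names (user, src_host,
# dest_host, src_ip, dest_ip, rulename) follow the page; the record layout and
# the sample detections are constructed for illustration.

def _correlation_case(d):
    # Correlation rule: a correlation-rule detection that uses Group by Field and
    # whose outcome is "create case" is keyed by rule name + group-by value.
    if d.get("type") == "correlation" and d.get("group_by_field") and d.get("outcome") == "case":
        return ("correlation", d["rulename"], d[d["group_by_field"]])
    return None

def _user_case(d):
    users = d.get("users", [])  # grouped by user only when exactly one user
    return ("user", users[0]) if len(users) == 1 else None

def _attr_case(attr):
    # Src Host / Dest Host / Src Ip / Dest Ip / Rule: attribute must have a value
    return lambda d: (attr, d[attr]) if d.get(attr) else None

SIEM_DEFAULT_ORDER = [
    ("Correlation rule", _correlation_case),
    ("User", _user_case),
    ("Src Host", _attr_case("src_host")),
    ("Dest Host", _attr_case("dest_host")),
    ("Src Ip", _attr_case("src_ip")),
    ("Dest Ip", _attr_case("dest_ip")),
    ("Rule", _attr_case("rulename")),  # always enabled and always last
]

def group_detections(detections, rules=SIEM_DEFAULT_ORDER):
    """Assign each detection to the case key of the first rule that matches."""
    cases = {}
    for d in detections:
        for rule_name, key_fn in rules:
            key = key_fn(d)
            if key is not None:
                cases.setdefault(key, []).append((d["id"], rule_name))
                break  # first match wins; later rules are not consulted
    return cases

DETECTIONS = [  # constructed sample records
    {"id": 1, "type": "correlation", "rulename": "Brute force", "outcome": "case",
     "group_by_field": "src_ip", "src_ip": "10.0.0.5", "users": ["alice"]},
    {"id": 2, "type": "analytics", "rulename": "Rare process", "users": ["alice"], "src_host": "ws01"},
    {"id": 3, "type": "analytics", "rulename": "Port scan", "users": ["alice", "bob"], "src_ip": "10.0.0.9"},
    {"id": 4, "type": "analytics", "rulename": "Config change", "users": []},
]
```

Swapping the first two entries of `SIEM_DEFAULT_ORDER` folds detection 1 into the alice user case instead of its own correlation case, which is the ordering effect the list above describes.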

Pre-Built Phishing Detection Grouping Rule

Unlike the other pre-built detection grouping rules, the pre-built Phishing Rule detection grouping rule is disabled by default. To activate it, you must enable it, then order it at the top of the list of detection grouping rules.

If the detection is a phishing rule detection and an email subject exists, phishing rule detections are grouped into a case by email subject.

After the 24-hour detection grouping period, cases whose phishing rule detections share the same email subject are merged over a 14-day period by the pre-built Merge Phishing Detection Engine Cases playbook, if that playbook is enabled.

Pre-Built Detection Grouping Rules in the New-Scale Fusion and New-Scale Analytics License

If you have the New-Scale Fusion license or New-Scale Analytics license, there are eight pre-built detection grouping rules that are, by default, in the following order:

  1. Correlation rule – If the detection is a correlation rule detection, the correlation rule uses the Group by Field functionality, and the correlation rule outcome is designated to create a case, the detection is grouped into a case by the correlation rule name and correlation rule group by field. This detection grouping rule creates a standalone case for a correlation rule detection only if it is ordered at the top of the list of detection grouping rules.

    This detection grouping rule is available by default only if you became a customer on or after September 15, 2025. If you became a customer before September 15, 2025, you must manually create the detection grouping rule.

  2. Source User Entity – If the detection is associated with a source user entity, the detection is grouped by source user entity.

  3. Destination User Entity – If the detection is associated with a destination user entity, the detection is grouped by destination user entity.

  4. Source Device Entity – If the detection is associated with a source device entity, the detection is grouped by source device entity.

  5. Destination Device Entity – If the detection is associated with a destination device entity, the detection is grouped by destination device entity.

  6. Src Ip – If the detection src_ip attribute has a value, the detection is grouped by source IP address.

  7. Dest Ip – If the detection dest_ip attribute has a value, the detection is grouped by destination IP address.

  8. Rule – If the detection rulename attribute has a value, the detection is grouped by rule name.

Pre-Built Detection Grouping Rules in the Exabeam Security Operations Licenses and Fusion Licenses

If you have an Exabeam Security Operations or Fusion license, there are six pre-built detection grouping rules that are, by default, in the following order:

  1. User – If the detection is associated with one unique user, it's grouped by user.

  2. Src Host – If the detection src_host attribute has a value, the detection is grouped by source host.

  3. Dest Host – If the detection dest_host attribute has a value, the detection is grouped by destination host.

  4. Src Ip – If the detection src_ip attribute has a value, the detection is grouped by source IP address.

  5. Dest Ip – If the detection dest_ip attribute has a value, the detection is grouped by destination IP address.

  6. Rule – If the detection rulename attribute has a value, the detection is grouped by rule name.