Group Detections
Automatically group related detections with detection grouping rules.
To ensure cases and alerts contain all relevant evidence, detection grouping rules automatically group related detections into the same alert or case.
By default, detections are grouped according to 13 pre-built detection grouping rules. You can also create your own detection grouping rules. To create a detection grouping rule, you define the conditions a detection must meet for the rule to apply to it and how the rule groups the detection. After you create a rule, you can edit, clone, disable, or delete it and track its changes.
Detection grouping rules group detections by their attributes; for example, if a detection grouping rule groups detections by the User attribute, all detections with the same user are grouped in one alert. If a detection grouping rule groups detections by multiple attributes, each group is a unique combination of the selected attributes. For example, let's say the rule groups detections by the User and Src Ip attributes, and the rule evaluates the following detections:
| Detection | User | Src Ip |
|---|---|---|
| Detection 1 | Barbara Salazar | 1.1.1.1 |
| Detection 2 | Barbara Salazar | 1.1.1.1 |
| Detection 3 | Barbara Salazar | 1.1.1.1 |
| Detection 4 | Tu Peterson | 2.2.2.2 |
| Detection 5 | Tu Peterson | 2.2.2.2 |
| Detection 6 | Tu Peterson | 2.2.2.2 |
| Detection 7 | Barbara Salazar | 3.3.3.3 |
| Detection 8 | Barbara Salazar | 3.3.3.3 |
| Detection 9 | Barbara Salazar | 3.3.3.3 |
The rule groups the detections into the following alerts:
| Alert | User | Src Ip | Number of Detections |
|---|---|---|---|
| Alert 1 | Barbara Salazar | 1.1.1.1 | 3 |
| Alert 2 | Tu Peterson | 2.2.2.2 | 3 |
| Alert 3 | Barbara Salazar | 3.3.3.3 | 3 |
When a detection is created, it's evaluated against detection grouping rules in an order you specify. If a detection satisfies the conditions of a rule, it is grouped according to that rule and isn't evaluated against the remaining rules. If the detection doesn't satisfy any rule, it's grouped by the pre-built rule named Rule, which groups detections by rule name.
When a detection grouping rule groups a detection, it adds the detection to an existing or new alert. If related detections are already grouped in an existing alert, the detection is added to the same alert; if the detection is the first instance of a unique group, an alert is created and the detection is added to the new alert. If the alert has an associated open case, the detection is also added to the case.
Detections are grouped in a 24-hour period that starts when a detection is first added to a new alert. In that 24-hour period, all related detections are added to the same existing alert. After 24 hours, the cycle repeats: the first detection in the new 24-hour period is considered the first instance of a unique group and is added to a new alert, and all subsequent related detections are added to that alert.
When a detection grouping rule adds detections to an alert or case, it's noted in the alert or case history.
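The grouping procedure described above as a small simulation (an added example, not Exabeam's code): rules are evaluated in order and the first match wins, a fallback groups by rule name, the group key is the combination of the selected attributes, and a group's 24-hour period starts with the first detection added to a new alert. The rule names, the "Suspicious logon" detection name, and the timestamps are constructed; the nine rows replay the table on this page, and two extra detections exercise the fallback and the expiry of the 24-hour period.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

WINDOW = timedelta(hours=24)  # grouping period stated on the page

@dataclass
class GroupingRule:
    name: str
    condition: Callable[[dict], bool]  # must hold for the rule to apply to a detection
    group_by: tuple                    # attributes whose values form the group key

@dataclass
class Alert:
    rule: str
    key: tuple
    opened: datetime                   # time of the first detection; starts the 24h period
    detections: list = field(default_factory=list)

# Stands in for the page's pre-built "Rule" rule: matches everything, groups by rule name.
FALLBACK = GroupingRule("Rule", lambda d: True, ("rule",))

class Grouper:
    def __init__(self, rules):
        self.rules = list(rules) + [FALLBACK]  # evaluated in this order; first match wins
        self.alerts = []

    def ingest(self, det):
        rule = next(r for r in self.rules if r.condition(det))
        key = tuple(det.get(a) for a in rule.group_by)
        for alert in self.alerts:
            if alert.rule == rule.name and alert.key == key and det["time"] - alert.opened < WINDOW:
                alert.detections.append(det)  # related detection inside an open 24h period
                return alert
        alert = Alert(rule.name, key, det["time"], [det])  # first instance of a unique group
        self.alerts.append(alert)
        return alert

def run_example():
    """Replays the page's nine-row table plus two constructed edge cases; returns the alerts."""
    t0 = datetime(2024, 1, 1, 9, 0)
    rows = [("Barbara Salazar", "1.1.1.1")] * 3 + [("Tu Peterson", "2.2.2.2")] * 3 + [("Barbara Salazar", "3.3.3.3")] * 3
    dets = [{"id": i + 1, "rule": "Suspicious logon", "user": u, "src_ip": ip, "time": t0 + timedelta(minutes=i)}
            for i, (u, ip) in enumerate(rows)]
    dets.append({"id": 10, "rule": "Suspicious logon", "user": "Tu Peterson", "src_ip": None, "time": t0})  # no Src Ip: falls to FALLBACK
    dets.append({"id": 11, "rule": "Suspicious logon", "user": "Tu Peterson", "src_ip": "2.2.2.2", "time": t0 + timedelta(hours=25)})  # past the 24h period: new alert
    grouper = Grouper([GroupingRule("User+SrcIp", lambda d: d.get("src_ip") is not None, ("user", "src_ip"))])
    for d in dets:
        grouper.ingest(d)
    return grouper.alerts
```

Running `run_example()` yields the three alerts from the page's table, a fourth alert keyed by rule name for the detection without a source IP, and a fifth alert for the Tu Peterson detection that arrives after the first group's 24-hour period has ended.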