Create a Detection Grouping Rule
Create a detection grouping rule to group related detections according to criteria you specify.
You can create up to 20 detection grouping rules.
1. In Threat Center, click Settings, then navigate to the Detection grouping rules tab.
2. Click + New Rule.
3. In New Detection Name, enter the rule name. You can't rename the rule after you save it.
4. Under Trigger, select Select trigger, then select is created.
5. Under Condition, define the conditions a detection must satisfy for the rule to apply to it. If you're grouping detections by a certain field, one of the conditions must be that the field exists; this ensures the detection contains the field and preserves the grouping logic. For example, if you're grouping detections by the field Src Ip, one of the conditions must be Src Ip exists.
   a. Click Select object, then select a field from the list.
   b. Click Select condition, then select an operator from the list. Depending on the operator you select, you may need to enter a value.
   c. (Optional) To add more conditions, click the add icon. All conditions must be satisfied for the rule to apply to the detection.
6. Under Action, define the fields by which a detection is grouped. Click Select field, then select a field from the list. If not already defined, Threat Center adds the condition <field> exists. To group the detection by an additional field, click the add icon.
7. Click Save.
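As an added illustration (not Exabeam's code or API) of the grouping logic this procedure configures, the following Python models a rule whose conditions must all hold and shows why the Src Ip exists condition matters: the detection with no Src Ip is excluded rather than silently breaking the grouping. The field names, operator names, rule structure and sample detections are constructed for the example.

```python
"""Model of a detection grouping rule (added illustration, not Exabeam code).

Assumptions (constructed for this example): a detection is a dict of fields,
a rule is a list of (field, operator, value) conditions that must ALL hold,
plus the field(s) to group by. A '<field> exists' condition is added
automatically for every group-by field, as the procedure above describes.
"""
from collections import defaultdict

MAX_RULES = 20  # stated limit on detection grouping rules


def condition_holds(detection, field, operator, value=None):
    """Evaluate one condition; the supported operators are an assumption."""
    present = field in detection and detection[field] is not None
    if operator == "exists":
        return present
    if not present:  # any other operator needs the field to be there
        return False
    if operator == "equals":
        return detection[field] == value
    if operator == "contains":
        return str(value) in str(detection[field])
    raise ValueError(f"unsupported operator: {operator}")


def build_rule(name, conditions, group_by):
    """Return a rule, adding '<field> exists' for each group-by field."""
    conds = list(conditions)
    for field in group_by:
        if (field, "exists", None) not in conds:
            conds.append((field, "exists", None))
    return {"name": name, "trigger": "is created",
            "conditions": conds, "group_by": tuple(group_by)}


def add_rule(rules, rule):
    """Append a rule, enforcing the 20-rule limit stated in the procedure."""
    if len(rules) >= MAX_RULES:
        raise ValueError("maximum of 20 detection grouping rules reached")
    rules.append(rule)
    return rules


def group_detections(rule, detections):
    """Group matching detection ids; the key is the tuple of group-by values."""
    groups = defaultdict(list)
    for det in detections:
        if all(condition_holds(det, f, op, v) for f, op, v in rule["conditions"]):
            groups[tuple(det[f] for f in rule["group_by"])].append(det["id"])
    return dict(groups)


# Constructed sample detections; detection 3 has no Src Ip field.
SAMPLE = [
    {"id": 1, "Src Ip": "10.0.0.5", "Rule": "brute-force"},
    {"id": 2, "Src Ip": "10.0.0.5", "Rule": "brute-force"},
    {"id": 3, "Rule": "brute-force"},
    {"id": 4, "Src Ip": "10.0.0.9", "Rule": "brute-force"},
]
RULE = build_rule("Brute force by source",
                  [("Rule", "equals", "brute-force")], ["Src Ip"])
```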