- Get Started with Threat Center
- Threat Center
- Threat Center Permissions
- Threat Center Alerts: Read
- Threat Center Alerts: Read, Write, and Delete
- Threat Center Cases: Read
- Threat Center Cases: Read, Write, and Delete
- Threat Center Detection Grouping Rules: Read
- Threat Center Detection Grouping Rules: Read, Write, and Delete
- Threat Center Watchlist: Read
- Threat Center Watchlist: Read, Write, and Delete
- Threat Center Cases
- Threat Center Alerts
- Threat Center Detections
- Threat Center Risk Score
- Monitor Entities of Interest in Threat Center
- Group Detections
- Work on Cases
- Work on Alerts
- Edit and Collaborate in Threat Center
- Use Automation Tools in Threat Center
- Find Cases and Alerts
- Sort Cases or Alerts
- Filter Cases or Alerts
- Search for Cases or Alerts in Threat Center
- Build a Search in Threat Center
- Enter a Search Using Exabeam Query Language in Threat Center
- Enter a Search Using Natural Language in Threat Center
- Run a Recent Search in Threat Center
- Create a New Saved Search in Threat Center
- Run a Saved Search in Threat Center
- Edit a Saved Search in Threat Center
- Delete a Saved Search in Threat Center
- View Case and Alert Metrics
- Get Notified About Threat Center
- Threat Center APIs
Create Standalone Cases from Correlation Rules Using a Detection Grouping Rule
To identify Threat Center cases created as the outcome of a correlation rule, create a detection grouping rule that groups a correlation rule detection into a standalone case.
For a standalone case to be created, the detection grouping rule must be first in the list of detection grouping rules.
In Threat Center, click Settings, then navigate to the Detection grouping rules tab.
Click + New Rule.
In New Detection Name, enter the rule name. You can't rename the rule after you save it.
Under Trigger, select Select trigger, then select is created.
Under Condition, you define the conditions a detection must satisfy for the rule to apply to the detection. All conditions must be satisfied for the rule to apply to the detection. To define multiple conditions, click
.To create standalone cases from correlation rules, define the following conditions:
Rule Source is equals to Correlation Rule:
Click Select object, then select Rule Source.
Click Select condition, then select is equals to.
Click Enter value, then enter
Correlation Rule.
Rule Name exists:
Click Select object, then select Rule Name.
Click Select condition, then select exists.
GroupBy field exists:
Click Select object, then select GroupBy field.
Click Select condition, then select exists.
Create Case is equals to true:
Click Select object, then select Create Case.
Click Select condition, then select is equals to.
Click Enter value, then enter
true.
Under Action, you define the fields by which a detection is grouped. To define multiple actions, click
.To create standalone cases from correlation rules, define actions that group detections by rule name and group by field:
To group detections by rule name, click + Field, then select Rule Name.
To group detections by group by field, click + Field, then select GroupBy field.
Click Save. Ensure that the detection grouping rule is ordered first in the list.