- Get Started with Threat Center
- Threat Center
- Threat Center Permissions
- Threat Center Alerts: Read
- Threat Center Alerts: Read, Write, and Delete
- Threat Center Cases: Read
- Threat Center Cases: Read, Write, and Delete
- Threat Center Detection Grouping Rules: Read
- Threat Center Detection Grouping Rules: Read, Write, and Delete
- Threat Center Watchlist: Read
- Threat Center Watchlist: Read, Write, and Delete
- Threat Center Cases
- Threat Center Alerts
- Threat Center Detections
- Threat Center Risk Score
- Monitor Entities of Interest in Threat Center
- Group Detections
- Work on Cases
- Work on Alerts
- Edit and Collaborate in Threat Center
- Use Automation Tools in Threat Center
- Find Cases and Alerts
- Sort Cases or Alerts
- Filter Cases or Alerts
- Search for Cases or Alerts in Threat Center
- Build a Search in Threat Center
- Enter a Search Using Exabeam Query Language in Threat Center
- Enter a Search Using Natural Language in Threat Center
- Run a Recent Search in Threat Center
- Create a New Saved Search in Threat Center
- Run a Saved Search in Threat Center
- Edit a Saved Search in Threat Center
- Delete a Saved Search in Threat Center
- View Case and Alert Metrics
- Get Notified About Threat Center
- Threat Center APIs
Create Standalone Cases from Correlation Rules Using a Detection Grouping Rule
To identify Threat Center cases created as the outcome of a correlation rule, create a detection grouping rule that groups a correlation rule detection into a standalone case.
There are two approaches to grouping correlation rule detections into standalone cases. You can:
For a standalone case to be created, the detection grouping rule must be first in the list of detection grouping rules.
Group Correlation Rule Detections by Group By Field
Group detections from the same correlation rule and group by field into a single case.
In Threat Center, click Settings, then navigate to the Detection grouping rules tab.
Click + New Rule.
In New Detection Name, enter the rule name. You can't rename the rule after you save it.
Under Trigger, select Select trigger, then select is created.
Under Condition, you define the conditions a detection must satisfy for the rule to apply to the detection. All conditions must be satisfied for the rule to apply to the detection. To define multiple conditions, click
.To create standalone cases from correlation rules, define the following conditions:
Rule Source is equals to Correlation Rule:
Click Select object, then select Rule Source.
Click Select condition, then select is equals to.
Click Enter value, then enter
Correlation Rule.
Rule Name exists:
Click Select object, then select Rule Name.
Click Select condition, then select exists.
GroupBy field exists:
Click Select object, then select GroupBy field.
Click Select condition, then select exists.
Create Case is equals to true:
Click Select object, then select Create Case.
Click Select condition, then select is equals to.
Click Enter value, then enter
true.
Under Action, you define the fields by which a detection is grouped. To define multiple actions, click
.Define actions that group detections by rule name and group by field:
To group detections by rule name, click + Field, then select Rule Name.
To group detections by group by field, click + Field, then select GroupBy field.
Click Save. Ensure that the detection grouping rule is ordered first in the list.
Group Correlation Rule Detections by Correlation Rule Detection ID
Create a unique case for each individual correlation rule detection.
In Threat Center, click Settings, then navigate to the Detection grouping rules tab.
Click + New Rule.
In New Detection Name, enter the rule name. You can't rename the rule after you save it.
Under Trigger, select Select trigger, then select is created.
Under Condition, you define the conditions a detection must satisfy for the rule to apply to the detection. All conditions must be satisfied for the rule to apply to the detection. To define multiple conditions, click
.To create standalone cases from correlation rules, define the following conditions:
Rule Source is equals to Correlation Rule:
Click Select object, then select Rule Source.
Click Select condition, then select is equals to.
Click Enter value, then enter
Correlation Rule.
Rule Name exists:
Click Select object, then select Rule Name.
Click Select condition, then select exists.
Detection Id exists:
Click Select object, then select Detection Id.
Click Select condition, then select exists.
Create Case is equals to true:
Click Select object, then select Create Case.
Click Select condition, then select is equals to.
Click Enter value, then enter
true.
Under Action, you define the fields by which a detection is grouped. To define multiple actions, click
.To create a unique case for each individual detection, define actions that group detections by rule name and detection ID:
To group detections by rule name, click + Field, then select Rule Name.
To group detections by detection ID, click + Field, then select Detection Id.
Click Save. Ensure that the detection grouping rule is ordered first in the list.