- Get Started with Threat Center
- Threat Center
- Threat Center Permissions
- Threat Center Alerts: Read
- Threat Center Alerts: Read, Write, and Delete
- Threat Center Cases: Read
- Threat Center Cases: Read, Write, and Delete
- Threat Center Detection Grouping Rules: Read
- Threat Center Detection Grouping Rules: Read, Write, and Delete
- Threat Center Watchlist: Read
- Threat Center Watchlist: Read, Write, and Delete
- Threat Center Cases
- Threat Center Alerts
- Threat Center Detections
- Threat Center Risk Score
- Monitor Entities of Interest in Threat Center
- Group Detections
- Work on Cases
- Work on Alerts
- Edit and Collaborate in Threat Center
- Use Automation Tools in Threat Center
- Find Cases and Alerts
- Sort Cases or Alerts
- Filter Cases or Alerts
- Search for Cases or Alerts in Threat Center
- Build a Search in Threat Center
- Enter a Search Using Exabeam Query Language in Threat Center
- Enter a Search Using Natural Language in Threat Center
- Run a Recent Search in Threat Center
- Create a New Saved Search in Threat Center
- Run a Saved Search in Threat Center
- Edit a Saved Search in Threat Center
- Delete a Saved Search in Threat Center
- View Case and Alert Metrics
- Get Notified About Threat Center
- Threat Center APIs
Pre-Built Detection Grouping Rules
To ensure alerts and cases always contain meaningful information, pre-built detection grouping rules group detections without you having to create or customize your own rules.
Pre-built detection grouping rules are detection grouping rules that are already configured and enabled by default. If you don't want to use these pre-built detection grouping rules, create your own rules from scratch or clone a pre-built detection grouping rule to use as a starting point for a new rule.
Rule is always enabled and the last rule in the sequence. You can't disable or reorder it. You can disable and reorder all other pre-built detection grouping rules. You can't delete any pre-built detection grouping rule.
The pre-built detection grouping rules available to you differ based on your license:
Pre-Built Detection Grouping Rules in the New-Scale SIEM License
If you have the New-Scale SIEM license, there are seven pre-built detection grouping rules that are, by default, in the following order:
Correlation rule – If the detection is a correlation rule detection, the correlation rule uses the Group by Field functionality, and the correlation rule outcome is designated to create a case, the detection is grouped into a case by the correlation rule name and correlation rule group by field. This detection grouping rule creates a standalone case for a correlation rule detection only if it is ordered first in the list of detection grouping rules.
This detection grouping rule is available by default only if you became a customer on or after September 15, 2025. If you became a customer before September 15, 2025, you must manually create the detection grouping rule.
User – If the detection is associated with one unique user, it's grouped by user.
Src Host – If the detection
src_hostattribute has a value, the detection is grouped by source host.Dest Host – If the detection
dest_hostattribute has a value, the detection is grouped by destination host.Src Ip – If the detection
src_ipattribute has a value, the detection is grouped by source IP address.Dest Ip – If the detection
dest_ipattribute has a value, the detection is grouped by destination IP address.Rule – If the detection
rulenameattribute has a value, the detection is grouped by rule name.
Pre-Built Detection Grouping Rules in the New-Scale Fusion and New-Scale Analytics License
If you have the New-Scale Fusion license or New-Scale Analytics license, there are eight pre-built detection grouping rules that are, by default, in the following order:
Correlation rule – If the detection is a correlation rule detection, the correlation rule uses the Group by Field functionality, and the correlation rule outcome is designated to create a case, the detection is grouped into a case by the correlation rule name and correlation rule group by field. This detection grouping rule creates a standalone case for a correlation rule detection only if it is ordered first in the list of detection grouping rules.
This detection grouping rule is available by default only if you became a customer on or after September 15, 2025. If you became a customer before September 15, 2025, you must manually create the detection grouping rule.
Source User Entity – If the detection is associated with a source user entity, the detection is grouped by source user entity.
Destination User Entity – If the detection is associated with a destination user entity, the detection is grouped by destination user entity.
Source Device Entity – If the detection is associated with a source device entity, the detection is grouped by source device entity.
Destination Device Entity – If the detection is associated with a destination device entity, the detection is grouped by destination device entity.
Src Ip – If the detection
src_ipattribute has a value, the detection is grouped by source IP address.Dest Ip – If the detection
dest_ipattribute has a value, the detection is grouped by destination IP address.Rule – If the detection
rulenameattribute has a value, the detection is grouped by rule name.
Pre-Built Detection Grouping Rules in the Exabeam Security Operations Licenses and Fusion Licenses
If you have an Exabeam Security Operations or Fusion license, there are six pre-built detection grouping rules that are, by default, in the following order:
User – If the detection is associated with one unique user, it's grouped by user.
Src Host – If the detection
src_hostattribute has a value, the detection is grouped by source host.Dest Host – If the detection
dest_hostattribute has a value, the detection is grouped by destination host.Src Ip – If the detection
src_ipattribute has a value, the detection is grouped by source IP address.Dest Ip – If the detection
dest_ipattribute has a value, the detection is grouped by destination IP address.Rule – If the detection
rulenameattribute has a value, the detection is grouped by rule name.