Pre-Built Detection Grouping Rules
To ensure alerts and cases always contain meaningful contextual information, pre-built detection grouping rules group detections without you having to create or customize your own rules.
Pre-built detection grouping rules are detection grouping rules that are already configured and enabled by default. There are six pre-built detection grouping rules that are, by default, in the following order:
User – If the detection is associated with one unique user, it's grouped by user.
Src Host – If the detection src_host attribute has a value, the detection is grouped by source host.
Dest Host – If the detection dest_host attribute has a value, the detection is grouped by destination host.
Src IP – If the detection src_ip attribute has a value, the detection is grouped by source IP address.
Dest IP – If the detection dest_ip attribute has a value, the detection is grouped by destination IP address.
Rule – If the detection rulename attribute has a value, the detection is grouped by rule name.
Rule is always enabled and the last rule in the sequence. You can't disable or reorder it.
You can disable and reorder all other pre-built detection grouping rules. You can't delete any pre-built detection grouping rule.
If you don't want to use these pre-built detection grouping rules, create your own rules from scratch or clone a pre-built detection grouping rule to use as a starting point for a new rule.
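The following sketch is an added example, not Exabeam code. It models how disabling or reordering the pre-built rules changes which group a detection lands in, assuming the sequence is evaluated top to bottom and the first enabled rule that matches decides the group. The `user` list field, the function names, and the sample detections are hypothetical.

```python
from collections import defaultdict

# Pre-built rules in default order, mapped to the attribute each one checks.
# "user" (a list of associated users) is a hypothetical field name; the page
# names only src_host, dest_host, src_ip, dest_ip and rulename.
RULES = {
    "User": "user", "Src Host": "src_host", "Dest Host": "dest_host",
    "Src IP": "src_ip", "Dest IP": "dest_ip", "Rule": "rulename",
}

def match(name, detection):
    """Return the grouping value if the rule applies to the detection, else None."""
    value = detection.get(RULES[name])
    if name == "User":
        users = set(value or [])
        return next(iter(users)) if len(users) == 1 else None  # one unique user
    return value or None

def group_key(detection, order=None, disabled=()):
    """(rule, value) of the first enabled rule that matches (assumed first-match)."""
    order = [n for n in (order or RULES) if n != "Rule"]
    # Rule can't be disabled or reordered, so it is always appended last.
    for name in [n for n in order if n not in disabled] + ["Rule"]:
        value = match(name, detection)
        if value is not None:
            return (name, value)
    return None  # nothing populated; the page doesn't cover this case

def group_detections(detections, **settings):
    """Map each group key to the ids of the detections that fall into it."""
    groups = defaultdict(list)
    for d in detections:
        groups[group_key(d, **settings)].append(d["id"])
    return dict(groups)

# Constructed sample detections, not real product output.
SAMPLE = [
    {"id": 1, "user": ["alice"], "src_host": "ws-01", "rulename": "Abnormal logon"},
    {"id": 2, "user": ["alice", "bob"], "src_host": "ws-01", "rulename": "Abnormal logon"},
    {"id": 3, "user": [], "dest_ip": "10.0.0.5", "rulename": "Port scan"},
    {"id": 4, "user": [], "rulename": "Port scan"},
]

if __name__ == "__main__":
    print(group_detections(SAMPLE))                                 # default order
    print(group_detections(SAMPLE, disabled=("User", "Src Host")))  # 1 and 2 merge
```

With the defaults, detections 1 and 2 land in different groups (user versus source host). Disabling User and Src Host collapses both into the "Abnormal logon" rule group, which is the kind of side effect to check before changing the sequence.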