When you create a correlation rule, you can toggle Group by Field on for a sequence. The Group by Field functionality groups the query results by the fields you select and creates subsets of events. The rule evaluates its conditions against each subset, and you can also suppress the rule based on a subset of events.
Each subset represents a unique combination of the fields you select. For example, let's say you select `src_ip` and `email_address` as the fields you're using for the Group by Field functionality, and the rule is evaluating the following events:
Event | src_ip | email_address |
---|---|---|
Event 1 | 1.1.1.1 | |
Event 2 | 1.1.1.1 | |
Event 3 | 1.1.1.1 | |
Event 4 | 2.2.2.2 | |
Event 5 | 2.2.2.2 | |
Event 6 | 2.2.2.2 | |
Event 7 | 3.3.3.3 | |
Event 8 | 3.3.3.3 | |
Event 9 | 3.3.3.3 | |
Using the Group by Field functionality with the `src_ip` and `email_address` fields, the rule groups the events into the following subsets:
Subset | src_ip | email_address | Number of Events |
---|---|---|---|
Subset 1 | 1.1.1.1 | | 3 |
Subset 2 | 2.2.2.2 | | 3 |
Subset 3 | 3.3.3.3 | | 3 |
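
The grouping described above, as an added Python sketch that is not the product's own code: the event dictionaries, the `example.com` addresses and the minimum-event condition are assumptions made for illustration. It shows that the same condition can give a different result when it is evaluated per subset instead of over all events.

```python
from collections import defaultdict

# Constructed sample data mirroring the nine events in the table above.
# The email addresses are made-up placeholders; the page does not list them.
PAIRS = [
    ("1.1.1.1", "user1@example.com"),
    ("2.2.2.2", "user2@example.com"),
    ("3.3.3.3", "user3@example.com"),
]
EVENTS = [
    {"event": f"Event {3 * i + j + 1}", "src_ip": ip, "email_address": mail}
    for i, (ip, mail) in enumerate(PAIRS)
    for j in range(3)
]


def group_by_fields(events, fields):
    """Split events into subsets, one per unique combination of `fields`.

    Returns {key_tuple: [events]}. With an empty field list every event
    lands in the single subset keyed by (). A field missing from an event
    is keyed as None; that is this sketch's choice, not documented
    product behaviour.
    """
    subsets = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        subsets[key].append(ev)
    return dict(subsets)


def evaluate(events, fields, min_events):
    """Hypothetical rule condition: a subset matches when it holds at
    least `min_events` events. Returns the keys of matching subsets."""
    subsets = group_by_fields(events, fields)
    return [key for key, evs in subsets.items() if len(evs) >= min_events]


if __name__ == "__main__":
    grouped = group_by_fields(EVENTS, ["src_ip", "email_address"])
    for n, (key, evs) in enumerate(grouped.items(), start=1):
        print(f"Subset {n}: {key} -> {len(evs)} events")
    # Same condition, evaluated without and with grouping.
    print("ungrouped, >=5 events:", evaluate(EVENTS, [], 5))
    print("grouped,   >=5 events:", evaluate(EVENTS, ["src_ip", "email_address"], 5))
```

With a threshold of five events, the ungrouped evaluation matches because all nine events are counted together, while the grouped evaluation matches nothing because each subset holds only three.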