Rule Aggregation

When creating a new rule, you have the option to select aggregations, which group alerts by a defined term. Aggregate fields define the uniqueness of the alert.

For example, if you built a host rule and set it to aggregate on "src_ip", and then run 11 commands from your local machine, you see one alert in the F5 Distributed Cloud App Infrastructure Protection (AIP) platform.

You can also define a time window for when the aggregation should occur. For additional information about alerts and aggregate fields, see Life Cycle of an Alert.

Aggregate fields are available in Distributed Cloud AIP for the following rule types:

Linux Host Rule
Aggregate Fields
account_id
auid
auser
arguments
availability_zone
cloud_provider
command
dst_ip
dst_user
exe
filename
hostname
ip
port
session
src_ip
src_user
user
CloudTrail Rule
Aggregate Fields
user
eventName
eventSource
ip
accountId
File Rule
Aggregate Fields
account_id
arguments
availability_zone
cloud_provider
command
dst_user
exe
filename
hostname
session
src_user
user
Threat Intelligence Rule
Aggregate Fields
account_id
availability_zone
cloud_provider
hostname
ip
threatintel_source
threatintel_reason
threatintel_type
Kubernetes Audit Rule
Aggregate Fields
action
node_name
namespace
resource
name
type
Kubernetes Configuration Rule
Aggregate Fields
name
namespace
type
role_name
role_type
verbs
Windows Rule
Aggregate Fields
command
correlation
domain
dns_host
dst_host
dst_ip
dst_ipv6
dst_port
exe
guid
reg_event
sam_account
sid
src_ip
src_ipv6
src_addr
src_port
src_host
target_domain
target_exe
target_file
target_reg_key
target_user
user
Was this article helpful?
0 out of 0 found this helpful