Rule Aggregation
When creating a new rule, you have the option to select aggregations, which group alerts by a defined term. Aggregate fields define the uniqueness of the alert.
For example, if you built a host rule and set it to aggregate on "src_ip", and then run 11 commands from your local machine, you see one alert in the F5 Distributed Cloud App Infrastructure Protection (AIP) platform.
You can also define a time window for when the aggregation should occur. For additional information about alerts and aggregate fields, see Life Cycle of an Alert.
Aggregate fields are available in Distributed Cloud AIP for the following rule types:
Linux Host Rule
| Aggregate Fields |
|---|
| account_id |
| auid |
| auser |
| arguments |
| availability_zone |
| cloud_provider |
| command |
| dst_ip |
| dst_user |
| exe |
| filename |
| hostname |
| ip |
| port |
| session |
| src_ip |
| src_user |
| user |
File Integrity Rule
| Aggregate Fields |
|---|
| account_id |
| arguments |
| availability_zone |
| cloud_provider |
| command |
| dst_user |
| exe |
| filename |
| hostname |
| session |
| src_user |
| user |
CloudTrail Rule
| Aggregate Fields |
|---|
| user |
| eventName |
| eventSource |
| ip |
| accountId |
Threat Intelligence Rule
| Aggregate Fields |
|---|
| account_id |
| availability_zone |
| cloud_provider |
| hostname |
| ip |
| threatintel_source |
| threatintel_reason |
| threatintel_type |
Windows Host Rule
| Aggregate Fields |
|---|
| command |
| correlation |
| domain |
| dns_host |
| dst_host |
| dst_ip |
| dst_ipv6 |
| dst_port |
| exe |
| guid |
| reg_event |
| sam_account |
| sid |
| src_ip |
| src_ipv6 |
| src_addr |
| src_port |
| src_host |
| target_domain |
| target_exe |
| target_file |
| target_reg_key |
| target_user |
| user |
Kubernetes Audit Rule
| Aggregate Fields |
|---|
| action |
| node_name |
| namespace |
| resource |
| name |
| type |
Kubernetes Configuration Rule
| Aggregate Fields |
|---|
| name |
| namespace |
| type |
| role_name |
| role_type |
| verbs |