Rule Aggregation


In each rule creation window you can set up aggregations.

Aggregation groups alerts in the events UI by a field you choose, so that many events matching the same rule and sharing that field's value are shown as a single alert.

For example, if I build a Host rule, set it to aggregate on src_ip, and then run 11 commands from my local machine, I will see 1 alert in the UI.

You also define the time window over which the aggregation takes place.

Aggregate options are listed below; an X marks the rule types for which each field is available.

Field  Host Rule  File Integrity Rule  CloudTrail Rule  Threat Intelligence Rule
user X  X  X
exe X  X
arguments  X
ip    X  X
port
command
session  X
src_ip
dst_ip
src_user  X
dst_user  X
filename
rule_name
eventName      X
eventSource      X
threatintel_source       X
threatintel_reason       X
threatintel_type       X
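As an added illustration (not part of this article and not the product's own code), the following Python sketch groups events by an aggregation field within a time window, reproducing the "11 commands from one src_ip become 1 alert" behaviour described above. The window semantics (a fixed window that starts at the first matching event for a given value) and the event dictionary shape are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass
class Alert:
    rule: str
    key: Any              # value of the aggregation field (e.g. a src_ip)
    first_seen: float
    last_seen: float
    count: int = 1        # number of matching events folded into this alert


def aggregate(events: List[Dict[str, Any]], rule: str, agg_field: str,
              window_seconds: float) -> List[Alert]:
    """Fold events into alerts keyed on agg_field.

    Events whose agg_field value has an open alert, and which arrive within
    window_seconds of that alert's first event, increment its count; anything
    else opens a new alert.  Events missing the field are never merged.
    """
    alerts: List[Alert] = []
    open_alerts: Dict[Any, Alert] = {}   # field value -> alert still in its window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key: Optional[Any] = ev.get(agg_field)
        cur = open_alerts.get(key) if key is not None else None
        if cur is not None and ev["ts"] - cur.first_seen < window_seconds:
            cur.count += 1
            cur.last_seen = ev["ts"]
        else:
            cur = Alert(rule, key, ev["ts"], ev["ts"])
            alerts.append(cur)
            if key is not None:
                open_alerts[key] = cur
    return alerts


# Constructed sample: 11 commands from one workstation within 11 seconds,
# plus one more command from the same source an hour later.
SAMPLE_EVENTS = [
    {"ts": 1000.0 + i, "src_ip": "192.0.2.10", "command": f"cmd{i}"} for i in range(11)
] + [{"ts": 4600.0, "src_ip": "192.0.2.10", "command": "late"}]

if __name__ == "__main__":
    # Aggregated on src_ip with a 10 minute window: 2 alerts (11 + 1 events).
    for a in aggregate(SAMPLE_EVENTS, "Host: interactive command", "src_ip", 600):
        print(a)
    # No aggregation window: every event is its own alert (12 alerts).
    print(len(aggregate(SAMPLE_EVENTS, "Host: interactive command", "src_ip", 0)))
```

Aggregating on a high-cardinality field such as command instead of src_ip gives one alert per distinct value, which is why the choice of field matters as much as the window.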
