Segmentation rules
Segmentation rules allow you to automatically split related alerts into different incidents based on specified conditions.
Use segmentation rules to create different incidents based on related alerts. For example, you can combine several alerts with an important distinguishing feature into a separate incident.
Alerts can only be linked to an incident that belongs to the same tenant.
When you write a jq expression while creating a segmentation rule, an error about invalid expression may appear though the expression is valid. This error does not block the creation of the segmentation rule. This is a known issue.
To create a segmentation rule:
- In the main menu, go to Settings → Tenants.
- Click the tenant for which you want to create a segmentation rule.
- In the Settings tab, select Segmentation rules.
- Click Create.
A Segmentation rule window appears.
- Specify the segmentation rule settings:
- Status
Enable or disable the rule.
- Rule name
A unique name for the rule. Must contain 1 to 255 Unicode characters.
- Max alerts in incident
Maximum number of alerts in a single incident. If the number of alerts exceeds the specified value, another incident is created.
- Min alerts in incident
Minimum number of alerts in a single incident. If the number of alerts does not reach the specified value, an incident is not created.
- Incident name (template)
A jq expression that defines the template for naming the incidents created according to this segmentation rule.
Example:
"Malware Detected with MD5 \(.Observables[] | select(.Type == "md5") | .Value)" - Search interval
A time interval from which to select alerts and incidents.
- Description
Optional. Rule description.
- Trigger
A jq expression that defines the condition for including alerts in the incident.
Example:
.Rules[].Name | . == "R077_02_KSC. Malware detected" - Groups
A jq expression that defines the array of rules by which to assign alerts to incidents.
Example:
[.Observables[] | select(.Type == "md5") | .Value ]
- Status
