This section contains general information about aggregation rules and gives instructions on how to create, edit, duplicate, copy to another tenant, and delete aggregation rules.
To manage aggregation rules, you must have one of the following XDR roles: Main administrator, Tenant administrator, SOC administrator.
Aggregation rules allow you to combine repetitive events of other Kaspersky solutions into Open Single Management Platform alerts. The alerts are either linked to the existing incidents, or form new incidents.
You can create and manage aggregation rules in the Aggregation rules section of tenant properties. The aggregation rules are displayed in a list. The higher a rule is in the list of aggregation rules, the higher its priority. To change an aggregation rule's priority, drag and drop the rule by its drag icon.
Also, the list contains the predefined aggregation rule created by Kaspersky experts. This rule combines the events for which the same correlation rule was triggered during the default aggregation interval (30 seconds).
You cannot delete the predefined aggregation rule, but you can edit it. By default, the rule is enabled and always displayed in the aggregation rules table, with the Kaspersky Lab value in the Created by column.
The aggregation rules are processed sequentially according to the specified priority. When the condition set in the Trigger section is met, the aggregation rule is triggered, and the search for other suitable aggregation rules continues. The search stops only when all the rules in the list are processed.
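The following Python model illustrates the two behaviours described above: the predefined rule groups events that share a correlation rule within a 30-second aggregation interval, and rules are evaluated in priority (list) order with evaluation continuing after a match until every rule has been processed. This is an added, simplified example written for this page, not Open Single Management Platform code; the event fields, the second "same host" rule, the 60-second interval, and the choice to measure the interval from the first event in an alert are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    """A correlation event (constructed; field names are assumptions)."""
    ts: float              # seconds since an arbitrary epoch
    correlation_rule: str  # name of the correlation rule that produced it
    host: str


@dataclass
class AggregationRule:
    name: str
    key: Callable[[Event], Optional[tuple]]  # events with equal keys aggregate; None = no match
    interval: float                          # aggregation interval in seconds
    enabled: bool = True


@dataclass
class Alert:
    rule: str
    key: tuple
    first_ts: float
    events: list = field(default_factory=list)


def aggregate(events, rules):
    """Run events through the rule list in priority order.

    Every enabled rule is evaluated for every event; a match does not stop
    processing, so one event can contribute to alerts from several rules.
    An alert keeps collecting events until the rule's interval (measured here
    from the alert's first event, an assumption) is exceeded; the next event
    then opens a new alert.
    """
    alerts = []
    open_alerts = {}  # (rule name, key) -> alert currently collecting events
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:          # list order == priority order
            if not rule.enabled:
                continue
            k = rule.key(ev)
            if k is None:
                continue
            slot = (rule.name, k)
            alert = open_alerts.get(slot)
            if alert is None or ev.ts - alert.first_ts > rule.interval:
                alert = Alert(rule=rule.name, key=k, first_ts=ev.ts)
                open_alerts[slot] = alert
                alerts.append(alert)
            alert.events.append(ev)
    return alerts


PREDEFINED = "Predefined: same correlation rule"
BY_HOST = "Custom: same host"   # hypothetical lower-priority rule


def demo():
    """Constructed events: correlation rule R1 fires on two hosts, R2 once."""
    events = [
        Event(0, "R1", "hostA"),
        Event(10, "R1", "hostB"),
        Event(12, "R2", "hostA"),
        Event(25, "R1", "hostA"),
        Event(45, "R1", "hostA"),  # > 30 s after the first R1 event: new alert
    ]
    rules = [
        # Highest priority: the page's predefined rule, 30 s default interval.
        AggregationRule(PREDEFINED, lambda e: (e.correlation_rule,), 30),
        # Lower priority: an assumed custom rule keyed on host, 60 s interval.
        AggregationRule(BY_HOST, lambda e: (e.host,), 60),
    ]
    return aggregate(events, rules)


def summarize(alerts):
    """Return (rule, key, event count) per alert, in creation order."""
    return [(a.rule, a.key, len(a.events)) for a in alerts]


if __name__ == "__main__":
    for line in summarize(demo()):
        print(line)
```

Running the demo shows the R1 events at 0, 10 and 25 seconds collapsing into one alert from the predefined rule, the event at 45 seconds opening a second R1 alert because the 30-second interval has passed, and the same events also feeding the lower-priority host rule, since processing continues through the whole list after a match.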