Segmentation rules allow you to automatically split related alerts into different incidents based on specified conditions.
Use segmentation rules to create different incidents based on related alerts. For example, you can combine several alerts with an important distinguishing feature into a separate incident.
Alerts can only be linked to an incident that belongs to the same tenant.
When you write a jq expression while creating a segmentation rule, an error stating that the expression is invalid may appear even though the expression is valid. This error does not block the creation of the segmentation rule. This is a known issue.
To create a segmentation rule:
A Segmentation rule window appears.
Enable or disable the rule.
A unique name for the rule. Must contain 1 to 255 Unicode characters.
Maximum number of alerts in a single incident. If the number of alerts exceeds the specified value, another incident is created.
Minimum number of alerts in a single incident. If the number of alerts does not reach the specified value, an incident is not created.
A jq expression that defines the template for naming the incidents created according to this segmentation rule.
Example: "Malware Detected with MD5 \(.Observables[] | select(.Type == "md5") | .Value)"
A time interval from which to select alerts and incidents.
Optional. Rule description.
A jq expression that defines the condition for including alerts in the incident.
Example: .Rules[].Name | . == "R077_02_KSC. Malware detected"
A jq expression that defines the array of rules by which to assign alerts to incidents.
Example: [.Observables[] | select(.Type == "md5") | .Value ]
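The following Python script is an added example, not code from the original page or from the product it documents. It emulates how the three jq expressions above (the inclusion condition, the grouping array, and the incident name template) combine with the minimum and maximum alert counts to segment a constructed set of alerts into incidents. The alert JSON shape (the ID and TenantID fields, and the Rules and Observables arrays the jq expressions walk) is assumed; the jq expressions are rewritten as equivalent Python functions. It also assumes that the minimum count is checked per resulting incident, that the first MD5 value fills the name template, and that an alert with no MD5 observable gets a labelled fallback name; tenant isolation is modelled by making the tenant part of every grouping key. The time interval field is not modelled.

```python
from collections import defaultdict
from typing import Any

# Constructed sample alerts (not real data). H1/H2 are placeholder hashes.
H1, H2 = "a" * 32, "b" * 32
MATCH_RULE = "R077_02_KSC. Malware detected"  # rule name used on the page

ALERTS: list[dict[str, Any]] = [
    {"ID": "a1", "TenantID": "t1", "Rules": [{"Name": MATCH_RULE}],
     "Observables": [{"Type": "md5", "Value": H1}, {"Type": "ip", "Value": "10.0.0.5"}]},
    {"ID": "a2", "TenantID": "t1", "Rules": [{"Name": MATCH_RULE}],
     "Observables": [{"Type": "md5", "Value": H1}]},
    {"ID": "a3", "TenantID": "t1", "Rules": [{"Name": MATCH_RULE}],
     "Observables": [{"Type": "md5", "Value": H1}]},
    {"ID": "a4", "TenantID": "t1", "Rules": [{"Name": MATCH_RULE}],
     "Observables": [{"Type": "md5", "Value": H2}]},
    # Same MD5 as a1, but a different correlation rule: excluded by the condition.
    {"ID": "a5", "TenantID": "t1", "Rules": [{"Name": "Some other rule"}],
     "Observables": [{"Type": "md5", "Value": H1}]},
    # Same MD5 as a1, but another tenant: must never share an incident with a1.
    {"ID": "a6", "TenantID": "t2", "Rules": [{"Name": MATCH_RULE}],
     "Observables": [{"Type": "md5", "Value": H1}]},
]


def include_alert(alert: dict[str, Any]) -> bool:
    """Python equivalent of: .Rules[].Name | . == "R077_02_KSC. Malware detected"

    jq emits one boolean per rule; the alert is included if any of them is true.
    """
    return any(rule.get("Name") == MATCH_RULE for rule in alert.get("Rules", []))


def md5_values(alert: dict[str, Any]) -> list[str]:
    """Equivalent of: [.Observables[] | select(.Type == "md5") | .Value]"""
    return [o["Value"] for o in alert.get("Observables", []) if o.get("Type") == "md5"]


def grouping_key(alert: dict[str, Any]) -> tuple[str, ...]:
    """The grouping array as a hashable key; alerts with equal arrays share an incident."""
    return tuple(md5_values(alert))


def incident_name(alert: dict[str, Any]) -> str:
    """Equivalent of the template "Malware Detected with MD5 \\(...)".

    Assumption: the first MD5 fills the template; with no MD5 a fallback name is used.
    """
    values = md5_values(alert)
    if not values:
        return "Malware Detected (no MD5 observable)"  # assumed fallback
    return f"Malware Detected with MD5 {values[0]}"


def segment(alerts: list[dict[str, Any]], min_alerts: int, max_alerts: int) -> list[dict[str, Any]]:
    """Split alerts into incidents: filter, group by (tenant, grouping array), then
    cut each group into incidents of at most max_alerts, dropping any incident that
    would hold fewer than min_alerts (assumed per-incident semantics)."""
    groups: dict[tuple[str, tuple[str, ...]], list[dict[str, Any]]] = defaultdict(list)
    for alert in alerts:
        if not include_alert(alert):
            continue
        # Tenant is part of the key, so alerts of different tenants never mix.
        groups[(alert["TenantID"], grouping_key(alert))].append(alert)

    incidents: list[dict[str, Any]] = []
    for (tenant, _key), members in groups.items():
        for start in range(0, len(members), max_alerts):
            chunk = members[start:start + max_alerts]
            if len(chunk) < min_alerts:
                continue
            incidents.append({
                "TenantID": tenant,
                "Name": incident_name(chunk[0]),
                "AlertIDs": [a["ID"] for a in chunk],
            })
    return incidents


if __name__ == "__main__":
    for inc in segment(ALERTS, min_alerts=1, max_alerts=2):
        print(inc)
```

Running the script with a maximum of 2 alerts per incident shows the three a1..a3 alerts being split across two incidents, a4 landing in its own incident because its grouping array differs, a5 being excluded by the condition, and a6 getting a separate incident for its tenant despite sharing the MD5 with a1. Raising the minimum to 2 drops the single-alert incidents.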