Aggregation rules combine repetitive events from other Kaspersky solutions into Open Single Management Platform alerts.
To create aggregation rules, you must have one of the following XDR roles: Main administrator, Tenant administrator, SOC administrator.
To create an aggregation rule:
The tenant list opens. The list contains only the tenants to which you have at least the Read access right.
The tenant's properties window opens.
The list of aggregation rules opens.
The Create aggregation rule window opens.
By default, the rule is disabled.
The rule name must be unique.
The value must be between 1 and 100. The default value is 100.
The maximum value is 1500 seconds. The default value is 30.
If necessary, you can copy the jq expression for the aggregation ID from another aggregation rule. To do that, click the Copy from another rule button.
By default, the following jq expression is specified: ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt)
When a new alert is created, its name is generated from the values of the fields specified in the template.
If necessary, you can copy the jq expression for the Alert name section from another aggregation rule. To do that, click the Copy from another rule button.
If necessary, you can copy the jq expression for the Trigger section from another aggregation rule. To do that, click the Copy from another rule button.
The aggregation rule is created.
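As an added illustration (not Open Single Management Platform code), the following Python script re-implements the default aggregation ID expression, ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt), and groups a handful of constructed sample events by the key it produces, which is what decides whether events are merged into one alert. Only the field names Rules, Name and SourceCreatedAt come from the expression; the sample events, the event Id field and the grouping helper are assumptions made for the example.

```python
"""Re-implementation of the default aggregation ID jq expression.

    ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt)

Added example, not product code. Field names come from the expression;
the sample events below are constructed.
"""
from collections import defaultdict


def aggregation_id(event: dict) -> str:
    """Mirror the jq expression piece by piece.

    .Rules[]?         iterate Rules; a missing or non-array Rules yields
                      nothing because of the error-suppressing "?"
    .Name // empty    drop null/false names instead of emitting them
                      (an empty string "" is truthy in jq and is kept)
    sort | join(",")  canonical order, so rule order in the event is irrelevant
    + " " + (.SourceCreatedAt)
                      jq treats null as the identity for "+", so a missing
                      timestamp leaves a trailing space rather than failing
    """
    rules = event.get("Rules")
    names = []
    if isinstance(rules, list):
        for rule in rules:
            # Assumption: rule entries are objects; jq itself would raise an
            # error on a non-object entry, here such entries are skipped.
            name = rule.get("Name") if isinstance(rule, dict) else None
            if name is not None and name is not False:
                names.append(name)
    created = event.get("SourceCreatedAt")
    return ",".join(sorted(names)) + " " + (created if created is not None else "")


def group_by_aggregation_id(events: list) -> dict:
    """Map each aggregation ID to the Ids of the events that share it.

    Events that land in the same bucket would be combined into one alert.
    """
    groups = defaultdict(list)
    for event in events:
        groups[aggregation_id(event)].append(event["Id"])
    return dict(groups)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Id": 1, "Rules": [{"Name": "R2"}, {"Name": "R1"}],
     "SourceCreatedAt": "2024-05-01T10:00:00Z"},
    {"Id": 2, "Rules": [{"Name": "R1"}, {"Name": "R2"}],
     "SourceCreatedAt": "2024-05-01T10:00:00Z"},   # same rules, other order
    {"Id": 3, "Rules": [{"Name": "R1"}, {"Name": None}],
     "SourceCreatedAt": "2024-05-01T10:00:00Z"},   # null name is dropped
    {"Id": 4, "Rules": [{"Name": "R1"}, {"Name": "R2"}],
     "SourceCreatedAt": "2024-05-01T10:00:01Z"},   # one second later
    {"Id": 5, "SourceCreatedAt": "2024-05-01T10:00:00Z"},  # no Rules at all
    {"Id": 6, "Rules": [{"Name": "R1"}]},                  # no timestamp
]


if __name__ == "__main__":
    for key, ids in group_by_aggregation_id(SAMPLE_EVENTS).items():
        print(repr(key), "->", ids)
```

Two properties of the default key are visible in the output: events 1 and 2 share a key because the rule names are sorted before joining, while event 4 gets its own key even though it carries the same rules, because SourceCreatedAt is part of the key. A rule that is meant to collapse similar events over a time window therefore needs an aggregation ID expression that omits or truncates that timestamp.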
By default, the aggregation rule is created with the lowest priority. To change the priority, in the list of aggregation rules, drag the rule by its name to a new position. The higher the rule is in the list, the higher its priority.