New Rule Tab (11.0 and earlier)

The New Rules tab enables you to create custom aggregation rules for automating the incident creation process. This topic describes the information required when creating a new rule.

Note: This topic applies to NetWitness version 11.0 and earlier.

What do you want to do?

Role I want to ... Show me how
Analyst, Content Expert, SOC Manager Create an aggregation rule. Step 3. Enable and Create Incident Rules for Alerts
Incident Responders, Analysts, Content Experts, SOC Manager View the results of my aggregation rule (View Detected Threats). See "Responding to Incidents" in the NetWitness Respond User Guide.

Related Topics

Quick Look

To access the New Rule tab view:

  1. Go to Configure > Incident Rules > Aggregation Rules tab.

  2. Click netwitness_icon_add.png.

    The New Rule tab is displayed.


The following table describes the options available when creating customized aggregation rules.

Field Description
Enabled Select to enable the rule.
Name* Name of the rule. *This is a required field.
Description A description for the rule to give an idea about what alerts get aggregated.
Match Conditions*

Query Builder - Select if you want to build a query with various conditions that can be grouped. You can also have nested groups of conditions.

Match Conditions - You can set the value to All of these, Any of these, or None of these. Depending on what you select, the criteria types specified in the Conditions and Group of conditions are matched to group the alerts.

For example, if you set the match condition to All of these, alerts that match the criteria mentioned in the Conditions and Group Conditions are grouped into one incident.

  • Add a Condition to be matched by clicking netwitness_add_icon.png Add Condition.
  • Add a Group of Conditions by clicking netwitness_add_icon.png Add Group and adding conditions by clicking netwitness_add_icon.png Add Condition.

You can include multiple Conditions and Groups of Conditions that can be matched as per criteria set and group the incoming alerts into incidents.

Advanced - Select if you want to add an advanced query builder. You can add a specific condition that needs to be matched as per the matching option selected.

For example: you can type the criteria builder format {"$and": [{"alert.severity" : {"$gt":4}}]} to group alerts that have severity greater than 4.

For advanced syntax, refer to or


Group into an Incident - If enabled, the alerts that match the criteria set are grouped into an alert.

Suppress the Alert - If enabled, the alerts that match the criteria are suppressed.

Grouping Options*

Group By: The criteria to group the alerts as per the specified category.​ You can use a maximum of two attributes to group the alerts. You can group the alerts with one or two attributes. You can no longer group alerts with attributes that do not have values (empty attributes).
Grouping on an attribute means that all matching Alerts containing the same value for that attribute are grouped together in the same incident.

Time Window: The time range specified to group alerts.
For example if the time window is set to 1 hour, all alerts that match the criteria set in Group By field and that arrive within an hour of each other are grouped into an incident.

Incident Options

Title - (Optional) Title of the incident. You can provide placeholders based on the attributes you grouped. Placeholders are optional. If you do not use placeholders, all Incidents created by the rule will have the same title.

For example, if you grouped them according to the source, you can name the resulting Incident as Alerts for ${groupByValue1}, and the incident for all alerts from NetWitness Endpoint would be named Alerts for NetWitness Endpoint.

Summary - (Optional) Summary of the incident.
Category - (Optional) Category of the incident created. An incident can be classified using more than one category.
Assignee - (Optional) Name of the assignee to whom the incident is assigned to.

Average of Risk Score across all of the Alerts - Takes the average of the risk scores across all the alerts to set the priority of the incident created.

Highest Risk Score available across all of the Alerts - Takes the highest score available across all the alerts to set the priority of the incident created.

Number of Alerts in the time window - Takes the count of the number of alerts in the time window selected to set the priority of the incident created.

Critical, High, Medium, and Low - Specify the incident priority threshold of the matched incidents. The defaults are:

  • Critical: 90
  • High: 50
  • Medium: 20
  • Low: 1

For example, with the Critical priority set to 90, incidents with a risk score of 90 or higher will be assigned a Critical priority for this rule.

You can change these defaults by manually changing the priorities or by moving the slider under Move slider to adjust scale.