Aggregations and Correlations are the mechanisms that allow incoming alerts to relate to one another. Aggregations de-duplicate incoming alerts by grouping incoming Security Events into a single alert. This is useful when you have multiple alerts for the same event and want future security events for it grouped into a single alert. Correlations relate incoming alerts to one another by grouping alerts that are related. This is useful when you have multiple alerts for different events that belong to the same security incident.

Query Language

Both Aggregations and Correlations are written in a custom language we call AggQL. This language is designed to be simple to use and easy to understand. When we want new incoming Security Events to "aggregate" onto an already open Alert, we create an aggregation rule to do this.

sameField('field_name')

Aggregates SecurityEvents that share the same value of `field_name` onto the same alert.
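The following is an added reference model of how a `sameField('field_name')` rule behaves, written for this page and not the platform's own AggQL engine. It assumes events are dictionaries, that an alert only accepts new events while it is open, and that events missing the field cannot match an existing alert; the sample events are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Hypothetical grammar for the one AggQL rule shown on this page.
_SAME_FIELD = re.compile(r"^sameField\('([A-Za-z_][A-Za-z0-9_.]*)'\)$")


def parse_rule(rule: str) -> str:
    """Return the field name from a sameField('...') rule, or raise."""
    m = _SAME_FIELD.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported AggQL rule: {rule!r}")
    return m.group(1)


@dataclass
class Alert:
    key: Any                      # value of the aggregated field
    events: List[Dict] = field(default_factory=list)
    open: bool = True             # closed alerts stop accepting events


def aggregate(rule: str, events: List[Dict], alerts: Optional[List[Alert]] = None) -> List[Alert]:
    """Attach each event to an open alert with the same field value, else open a new alert."""
    field_name = parse_rule(rule)
    alerts = list(alerts or [])
    open_by_key = {a.key: a for a in alerts if a.open and a.key is not None}
    for ev in events:
        key = ev.get(field_name)
        existing = open_by_key.get(key) if key is not None else None
        if existing is None:
            new_alert = Alert(key=key, events=[ev])
            alerts.append(new_alert)
            if key is not None:
                open_by_key[key] = new_alert
        else:
            existing.events.append(ev)   # de-duplicated onto the open alert
    return alerts


# Constructed sample Security Events (not real data).
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "rule": "ssh_bruteforce"},
    {"id": 2, "src_ip": "10.0.0.5", "rule": "ssh_bruteforce"},
    {"id": 3, "src_ip": "10.0.0.9", "rule": "ssh_bruteforce"},
    {"id": 4, "src_ip": "10.0.0.5", "rule": "port_scan"},
    {"id": 5, "rule": "port_scan"},   # no src_ip: opens its own alert
]
```

Running `aggregate("sameField('src_ip')", SAMPLE_EVENTS)` yields three alerts: one holding events 1, 2 and 4, one for event 3, and one for the event without the field.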

Aggregations

Correlations