Correlated Incident Detections

Configure the following event notification to notify administrators when correlated incidents have been detected.

  1. Go to Detections > Notifications > Event Notifications.

    The Event Notifications screen appears.

  2. Click Advanced Threat Activity.

    A list of events appears.

  3. In the Event column, click Correlated incident detections.

    The Correlated Incident Detections screen appears.

  4. Specify the following notification settings.



    Attach logs in CSV format

    Select to send event notification recipients a *.csv file containing log data about the detections.

  5. Select recipients for the notification.
    1. From the Available Users and Groups list, select contact groups or user accounts.
    2. Click >.

      The selected contact groups or user accounts appear in the Selected Users and Groups list.

  6. Enable one or more of the following notification methods.



    Email message

    To customize the email notification template, use supported token variables or modify the text in the Subject and Message fields.

    For more information, see Advanced Threat Activity Token Variables.


    The %hostIP% and %group% token variables are not applicable in email notifications because data is aggregated from multiple hosts.

  7. To test if recipients can receive the event notification, click Test.
  8. Click Save.