Configure alert correlation logic order

  • Release version: Australia
  • Updated June 16, 2026
  • 1 minute to read

    • Improve alert management by enabling users to customize correlation logic order. This feature empowers you to fine-tune correlation methods to their specific needs, enhancing alert prioritization and response efficiency.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to All > System Properties > All Properties.
    2. Search for the property sa_analytics.agg.query.group_logic_order.
      Default value is “MIXED,NETWORK_TRAFFIC,PATTERN,GENERALIZED_PATTERNS,TEXTBASE". This is a comma separated list of the grouping types in the order of their execution.
      Note:
      If one of the grouping types is not specified in the property, it needs to be added manually. Alert correlation rules are trigger-based and applied immediately when an alert is created or updated, before other grouping algorithms.
      • MIXED: Combination of 2 or more grouping criteria
      • NETWORK_TRAFFIC: Network traffic grouping
      • PATTERN: Automated CI-based patterns grouping
      • TEXTBASE: Text-based grouping
    3. Use the property sa_analytics.agg.query.group_logic_order to define or modify the order of correlation methods based on your preferences.