Perform on demand atomic rollup
The rollup framework cannot handle updates to existing linked records. In such cases, an on demand atomic rollup should happen for the linked records, which can be achieved via business rules.
To capture updates to the linked records, business rules must be created on the source table.
These business rules work on insert, update, and delete operations. On insert or update, the rolled up information needs to be added to or updated in the MSI. On delete, the rolled up information is removed from the MSI.
For example, once a security incident is linked to an MSI, the related information is rolled up to the MSI automatically. If you later add a new observable to an MSI, the newly added observable is also rolled up to the MSI. Here, the Sync rolled up observable business rule captures the update and rolls up the updated record to the MSI. The same business rule also handles the removal of an existing rolled up observable if it is removed from the security incident.
| Rule | Description |
|---|---|
| Sync rolled up indicator (sn_ti_m2m_task_indicator) | Use this business rule to handle the rollup and removal of indicators of compromise from Security Incident, Security Case, and Remediation task. |
| Sync rolled up observable (sn_ti_m2m_task_observable) | Use this business rule to handle the rollup and removal of linked observables from Security Incident, Security Case, and Remediation task. |
| Sync rolled up affected user (sn_si_m2m_task_affected_user) | Use this business rule to handle the rollup and removal of linked affected users from Security Incident, Security Case, and Remediation task. |
| Sync rolled up affected CI (task_ci) | Use this business rule to handle the rollup and removal of associated configuration items from Security Incident, Security Case, and Remediation task. |
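
The insert, update, and delete handling described above can be modelled in plain JavaScript. This is an added illustration, not ServiceNow platform code or the product's own business rule scripts. The in-memory store, the function names, the record ids, and the choice of one rolled up row per source link record are assumptions; only the four source table names come from this page.

```javascript
// Added illustration: an in-memory model, not ServiceNow platform code.
// The four source tables are the ones named in the table above.
const SOURCE_TABLES = new Set([
  'sn_ti_m2m_task_indicator',
  'sn_ti_m2m_task_observable',
  'sn_si_m2m_task_affected_user',
  'task_ci',
]);

// Hypothetical store: the MSI each task is linked to, and the rolled up rows per MSI.
function createStore() {
  return { taskToMsi: new Map(), rollup: new Map() };
}

function linkTaskToMsi(store, taskId, msiId) {
  store.taskToMsi.set(taskId, msiId);
  if (!store.rollup.has(msiId)) store.rollup.set(msiId, new Map());
}

// Models one business rule firing on a source table.
// operation: 'insert' | 'update' | 'delete'
// record: { id, task, item } where id is the link record and item the linked entity.
function onSourceChange(store, table, operation, record) {
  if (!SOURCE_TABLES.has(table)) throw new Error('unsupported table: ' + table);
  const msiId = store.taskToMsi.get(record.task);
  if (msiId === undefined) return 'skipped'; // task is not linked to an MSI
  const rows = store.rollup.get(msiId);
  // Assumption: one rolled up row per source link record, so a delete removes
  // only the row that came from that link and leaves other tasks' rows alone.
  const key = table + ':' + record.id;
  if (operation === 'delete') {
    return rows.delete(key) ? 'removed' : 'skipped';
  }
  if (operation === 'insert' || operation === 'update') {
    const existed = rows.has(key);
    rows.set(key, { table, task: record.task, item: record.item });
    return existed ? 'updated' : 'added'; // upsert keeps the rule idempotent
  }
  throw new Error('unsupported operation: ' + operation);
}

// Sorted list of rolled up items for one MSI, for inspection.
function rolledUpItems(store, msiId) {
  const rows = store.rollup.get(msiId) || new Map();
  return [...rows.values()].map((r) => r.item).sort();
}
```
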