6.3.2.1 Advanced Rules

The executable retrieves new, unowned single matches generated from specified types of scenarios. It then groups them according to one of four implemented algorithms and a specified list of bindings used for grouping. It requires parameter settings that designate:
  • Choice of grouping algorithm to use.
  • Scenario types associated with the set of matches to consider for grouping.
  • Bindings on which to base break group compatibility.

Grouping Algorithms

When choosing a grouping algorithm, select one of the following:
  • BIND_MATCH: The Alert Creation module creates events based on matches with matching bindings/values based on a provided list of bindings to use when determining groupability.
  • BIND_BEHAVIOR_SCENARIO_CLASS: The Alert Creation module creates events based on matches with matching scenario group code and with matching bindings/values based on a provided list of bindings to use when determining groupability.
  • BIND_BEHAVIOR_SCENARIO: The Alert Creation module creates events based on matches with matching scenario ID and with matching bindings/values based on a provided list of bindings to use when determining groupability.
  • BIND_BEHAVIOR_PATTERN: The Alert Creation module creates events based on matches with matching pattern ID and with matching bindings/values based on a provided list of bindings to use when determining groupability.
  • SINGLE_ALERT_MATCH: The Alert Creation module creates events for all remaining matches. An event is created for each remaining match, as long as the match binds one of the centricity names in the bindings string. This is the catch-all algorithm that ensures a corresponding event is created for every match that has a bound centricity value.

For a BIND_MATCH grouping rule, the system compares the binding values (KDD_BREAK_BINDING) of the matches to determine whether it can group them together into a single FCC TBAML event.

For example, the grouping algorithm interprets the binding string !TRADER ?ASSOC_SCRTY as follows when creating an FCC TBAML event: each break to be grouped must have a TRADER binding, and the values of that binding must match; in addition, each break must either have an ASSOC_SCRTY binding whose values match, OR each must be missing the ASSOC_SCRTY binding. Breaks that carry ASSOC_SCRTY can only be grouped with other breaks that carry ASSOC_SCRTY. Similarly, breaks that do not carry ASSOC_SCRTY can only be grouped with other breaks that do not carry ASSOC_SCRTY.

This list is order-dependent, and at least one binding should be marked as required using an exclamation point (!); otherwise all miscellaneous matches would be grouped into one large break. The order matters because the first binding name in the binding string determines the centricity, and that centricity name is used to determine the event’s centricity ID.
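The following is an added illustration, not code from the FCC TBAML product, of how a binding string such as !TRADER ?ASSOC_SCRTY can be parsed and applied to group matches; it assumes a simplified match representation (a tuple of match ID, scenario ID and a dictionary of bound values) and shows both BIND_MATCH and BIND_BEHAVIOR_SCENARIO keying, with the first binding name supplying the centricity.

```python
from collections import defaultdict
# A match is (match_id, scenario_id, bindings); bindings stands in for its KDD_BREAK_BINDING rows.

def parse_binding_string(spec):
    """'!TRADER ?ASSOC_SCRTY' -> [('TRADER', True), ('ASSOC_SCRTY', False)], order kept."""
    parsed = []
    for token in spec.split():
        prefix, name = token[:1], token[1:]
        if prefix not in ("!", "?") or not name:
            raise ValueError(f"bad binding token: {token!r}")
        parsed.append((name, prefix == "!"))
    if not any(required for _, required in parsed):
        raise ValueError("at least one binding must be required (!)")
    return parsed

def group_key(bindings, spec, extra=()):
    """Grouping key for one match, or None when a required binding is absent."""
    key = []
    for name, required in spec:
        if name in bindings:
            key.append((name, bindings[name]))
        elif required:
            return None  # cannot be grouped under this rule
        else:
            key.append((name, None))  # absent optional binding: groups only with other absentees
    return tuple(key) + tuple(extra)

def group_matches(matches, binding_string, algorithm="BIND_MATCH"):
    """Return (events, ungrouped_match_ids); centricity is the first binding name."""
    spec = parse_binding_string(binding_string)
    groups, ungrouped = defaultdict(list), []
    for match_id, scenario_id, bindings in matches:
        # BIND_BEHAVIOR_SCENARIO additionally requires the same scenario ID
        extra = (scenario_id,) if algorithm == "BIND_BEHAVIOR_SCENARIO" else ()
        key = group_key(bindings, spec, extra)
        target = ungrouped if key is None else groups[key]
        target.append(match_id)
    events = [{"centricity": spec[0][0], "centricity_value": key[0][1], "matches": ids}
              for key, ids in groups.items()]
    return events, ungrouped

# Constructed sample matches (not real data); match 5 lacks TRADER and stays ungrouped
SAMPLE_MATCHES = [
    (1, "SCN_A", {"TRADER": "T1", "ASSOC_SCRTY": "S1"}),
    (2, "SCN_B", {"TRADER": "T1", "ASSOC_SCRTY": "S1"}),
    (3, "SCN_A", {"TRADER": "T1"}),
    (4, "SCN_A", {"TRADER": "T1"}),
    (5, "SCN_A", {"ASSOC_SCRTY": "S1"}),
    (6, "SCN_A", {"TRADER": "T2", "ASSOC_SCRTY": "S1"}),
]
```

Matches left ungrouped by a BIND_MATCH rule (here match 5) are the ones a trailing SINGLE_ALERT_MATCH rule would pick up, provided they bind one of the centricity names.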