Identify and Manage Findings Using Rules (UAI)
In ETM, security findings for an asset are collected from multiple sources. Since the same issue can appear multiple times across tools, finding rules help you uniquely identify, de‑duplicate, merge, and clean up findings so you see a single, accurate view of risk.
These identification rules apply to UAI-enabled accounts.
What Are Finding Rules?
Finding rules define how findings are identified, combined, and maintained in the system. They ensure:
- Duplicate findings are detected and removed
- Related findings are consolidated into one record
- Outdated or irrelevant findings are automatically cleaned up
You can view and manage these rules from the Findings tab.

Types of Finding Rules
There are three types of finding rules: Identification, Merge, and Purge.
Identification Rules
Identify and de‑duplicate findings coming from different sources.
These rules are beneficial because they:
- Prevent redundant findings
- Create a clean and normalized dataset before merging
Working
- Uses key attributes such as CVE ID, port, protocol, title, and other identifiers
- Detects duplicate findings across scanners and connectors
- Ensures each finding is uniquely recognized
Merge Rules
Combine identified duplicate findings into a single, unified record. With the help of merge rules, you get one comprehensive and accurate finding record.
Working
- Applies defined rules to merge attributes from duplicate findings
- Resolves conflicts by selecting the most accurate or trusted data
Examples: most recent value, highest severity, or most trusted source
Types of Merge Rules
- Source Trust–Based Merge
  - Aggregates findings based on source trust ranking
  - Use Reorder to define which sources are more trustworthy
  - Higher‑ranked sources take precedence during conflict resolution
- Custom Attribute–Based Merge
  - Aggregates findings using predefined Common Data Model attributes
  - Available attributes include: First Found, Last Found, Status. Status is taken from the record with the latest Last Found or Source Trust Ranking (STR)
  - Add Attributes: Use Add Attributes to select the Status attribute to be used during aggregation and merging
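
The identification and merge steps described above, as a minimal sketch added here for illustration (not ETM's own implementation). The source names, trust ranks, choice of identity key fields, tie-breaking by trust rank, and sample findings are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumption: lower rank = more trusted source. Source names are hypothetical.
TRUST_RANK = {"scanner_a": 1, "scanner_b": 2, "connector_c": 3}
FIELDS = "source cve port protocol title severity status first_found last_found".split()

# Constructed sample findings for one asset; the CVE ID is a placeholder.
RAW = [
    ("scanner_b", "CVE-0000-0001", 443, "tcp", "TLS library flaw", "high",
     "open", date(2024, 1, 10), date(2024, 3, 1)),
    ("scanner_a", "cve-0000-0001", 443, "TCP", "TLS library vulnerability", "critical",
     "open", date(2024, 2, 1), date(2024, 2, 20)),
    ("connector_c", "CVE-0000-0001", 443, "tcp", "TLS flaw", "medium",
     "fixed", date(2024, 1, 15), date(2024, 3, 5)),
    ("scanner_a", None, 22, "tcp", "Weak SSH ciphers", "medium",
     "open", date(2024, 2, 2), date(2024, 3, 2)),
    ("connector_c", None, 22, "TCP", " weak ssh ciphers ", "low",
     "open", date(2024, 1, 5), date(2024, 2, 25)),
]
FINDINGS = [dict(zip(FIELDS, row)) for row in RAW]

def identity_key(f):
    """Identification: normalized key; CVE ID if present, otherwise title."""
    ident = f["cve"].upper() if f["cve"] else f["title"].strip().lower()
    return (ident, f["port"], f["protocol"].lower())

def rank(f):
    return TRUST_RANK.get(f["source"], len(TRUST_RANK) + 1)

def merge(group):
    """Merge: most trusted source wins conflicts; dates and status aggregate."""
    # Start from the most trusted record so its title and severity win conflicts.
    merged = dict(min(group, key=rank), sources=sorted(f["source"] for f in group))
    merged["first_found"] = min(f["first_found"] for f in group)
    merged["last_found"] = max(f["last_found"] for f in group)
    # Status comes from the record seen most recently; trust rank breaks ties.
    merged["status"] = max(group, key=lambda f: (f["last_found"], -rank(f)))["status"]
    return merged

def consolidate(findings):
    groups = defaultdict(list)
    for f in findings:
        groups[identity_key(f)].append(f)
    return {key: merge(group) for key, group in groups.items()}

if __name__ == "__main__":
    for key, record in consolidate(FINDINGS).items():
        print(key, record["status"], record["severity"], record["sources"])
```

Five raw findings collapse into two records: differences in CVE casing, protocol casing, and title whitespace no longer produce separate findings, and the TLS record ends up `fixed` because the most recent observation reported it that way.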
Purge Rules
Remove outdated or irrelevant findings from the system.
Working
Define conditions to automatically purge findings based on source, connector ID, finding name, or first detected or last detected date.
These rules are beneficial because they:
- Keep findings current and relevant
- Help maintain an accurate security posture
We provide 60 predefined rules covering all asset types such as Compute, Storage, Network, Container, Software, Identity, Application, Database, and Resource. Each rule defines a validated attribute combination that safely identifies the same finding across multiple sources and merges it into a single, consolidated record.