View related data using aggregation rules

Add a new aggregation rule

As an example, you may want to aggregate all artifacts with a matching sourceAddress CEF field from containers in your "email" label into containers in your "events" label, so that every event from the same source address lands in one container.

To create the example aggregation rule:

  1. From the Home menu, select Administration.
  2. Select Product Settings > Aggregation.
  3. From the Aggregation page, click + Aggregation Rule.
  4. Specify sourceAddress - Email to Events as the name of the rule.
  5. Select email from the drop-down list in the Source Label field.
  6. Select events from the drop-down list in the Destination Label field.
  7. Select Exact from the Match field to aggregate on the exact contents of the CEF field. Click the plus (+) icon to add additional match rules.
  8. Select sourceAddress in the CEF field. You can start typing the field name to search through the list of available field names.
  9. Click Save.

Edit an existing aggregation rule

After completing the previous example, perform the following steps to edit an existing aggregation rule in Splunk SOAR (Cloud).

  1. Click on any existing rule. In this example, click email to view a summary of the aggregation rule.
  2. Click Edit to make changes to the rule.
  3. Click the trash can icon to remove the rule.

Click + Aggregation Rule to create a new rule. If you create a new rule from the email label rule page, the new rule will automatically populate the Source Label field with email.

Using multiple matches in an aggregation rule

An aggregation rule can have multiple match lines, such as a match on both sourceAddress and destinationAddress.

In that case every match line must be satisfied: an artifact is aggregated into a destination container only when both its sourceAddress and its destinationAddress equal those of the artifacts already in that container.

If you treat sourceAddress as the attacker's IP address and destinationAddress as the target's IP address, artifacts are aggregated into the same destination container only for the exact same attacker and victim pair. With a target IP address of 1.1.1.1, there is one destination container for attacker IP address 2.2.2.2 and target IP address 1.1.1.1, and a different container for attacker IP address 3.3.3.3 and target IP address 1.1.1.1.

Note: CEF fields are matched even if they have no value. For example, artifacts with a destinationAddress of 1.1.1.1 and no sourceAddress still match each other on the empty sourceAddress, so all of them are aggregated together into one destination container. If that is not what you want, make sure the artifacts in the source label always carry every field the rule matches on.
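The following Python model illustrates how the single-field rule from the first example and the two-field rule above group artifacts, including the empty-field behaviour described in the note. It is an added example written for this page, not Splunk SOAR code or its REST API; the artifact records, the container keying by a tuple of exact field values, and the treatment of a missing field as an empty string are all assumptions made to mirror the behaviour the text describes.

```python
"""Model of SOAR-style artifact aggregation (illustration only, not Splunk SOAR code).

An artifact is a dict with an "id" and a "cef" sub-dict. An aggregation rule is the
list of CEF field names that must all match exactly. Artifacts are grouped into
destination containers keyed by the tuple of their values for those fields.
Assumption: a missing field is treated as an empty string, so two artifacts that
both lack the field still match on it, as the note above describes.
"""

# Constructed sample artifacts standing in for what the "email" label might hold.
SAMPLE_ARTIFACTS = [
    {"id": 1, "cef": {"sourceAddress": "2.2.2.2", "destinationAddress": "1.1.1.1"}},
    {"id": 2, "cef": {"sourceAddress": "2.2.2.2", "destinationAddress": "1.1.1.1"}},
    {"id": 3, "cef": {"sourceAddress": "3.3.3.3", "destinationAddress": "1.1.1.1"}},
    {"id": 4, "cef": {"destinationAddress": "1.1.1.1"}},  # no sourceAddress
    {"id": 5, "cef": {"destinationAddress": "1.1.1.1"}},  # no sourceAddress
    {"id": 6, "cef": {"sourceAddress": "2.2.2.2", "destinationAddress": "9.9.9.9"}},
]


def match_key(artifact, fields):
    """Tuple of the artifact's exact values for the rule's fields; absent fields become ''."""
    cef = artifact.get("cef", {})
    return tuple(str(cef.get(field, "")) for field in fields)


def aggregate(artifacts, fields):
    """Group artifacts into destination containers by exact match on all `fields`.

    Returns a dict mapping the match key to the list of artifact ids, in the order
    the containers would first be created. Every field in the rule must match for
    two artifacts to share a container (AND semantics across match lines).
    """
    containers = {}
    for artifact in artifacts:
        containers.setdefault(match_key(artifact, fields), []).append(artifact["id"])
    return containers


def summarize(containers, fields):
    """One human-readable line per destination container."""
    lines = []
    for key, ids in containers.items():
        desc = ", ".join(f"{f}={v or '<empty>'}" for f, v in zip(fields, key))
        lines.append(f"container[{desc}] <- artifacts {ids}")
    return lines


if __name__ == "__main__":
    # Single-field rule from the first example: sourceAddress only.
    rule_one = ["sourceAddress"]
    for line in summarize(aggregate(SAMPLE_ARTIFACTS, rule_one), rule_one):
        print(line)
    print()
    # Two-field rule: both sourceAddress and destinationAddress must match.
    rule_two = ["sourceAddress", "destinationAddress"]
    for line in summarize(aggregate(SAMPLE_ARTIFACTS, rule_two), rule_two):
        print(line)
```

Running the model shows the attacker/victim split from the text (artifacts 1 and 2 share a container, artifact 3 gets its own) and also why the empty-field note matters: artifacts 4 and 5, which carry no sourceAddress at all, are collapsed into a single container keyed on the empty value rather than being left alone.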