Use the Catch All with correlation ordering
When correlation ordering is enabled for the Correlation Engine, the Catch All option becomes available.
When enabled, the Catch All is always evaluated last. Every alert that reaches the Catch All for evaluation becomes an incident containing one alert.
Use the Catch All to prevent situations where some alerts do not match any of your correlation definitions. The Catch All ensures that no alerts are lost, which is useful when testing different correlation definition settings which are potentially too restrictive.
Note that when correlation definitions are set to exclude many alerts intentionally, the Catch All can create numerous irrelevant incidents. When this is the case, leave the Catch All set to Ignore Remaining.
Note
The Catch All option is only available when ordering is enabled for correlation definitions.
Navigate to Correlate & Automate > Correlation Engine.
Check that Use Ordering is selected under Correlation Definition Order.
In the Catch All section, click Catch All to enable the setting.
When the Catch All is enabled, all alerts become incidents, either through clustering by correlation or individually via the Catch All.