Edwin AI identifies hidden patterns within the text features of alert data and dynamically manages their correlation. Edwin AI models use correlations to define how alerts are evaluated, grouped, and turned into actionable insights.

By tailoring models to reflect specific business scenarios, you can reduce alert noise, improve signal clarity, and make insights meaningful.

The correlation logic of an Edwin AI model includes the following elements:

  • Dataset filter—Controls which alerts are analyzed by the model. For example, “Only alerts relating to Cisco Meraki Wireless Access Points.”
  • Fields—The alert fields used to compute similarity. You can select from any core or enriched alert field.

    Note: Field names change depending on the type of correlation selected.

  • Correlation method—For example, string-based or list-based comparison.
  • Sensitivity level—For example, 100% for exact match or 80% for partial match.

    Note: Sensitivity level applies only to string-based correlations.

  • Minimum cluster density—Defines how many alerts with similar features are required to form a cluster (the minimum is 2).

Edwin uses these models to detect clusters of related alerts and create insights to reduce noise and improve incident response visibility.

Edwin AI Models Page

When Alerts are Evaluated for Models

Models only process alerts when those alerts qualify for evaluation. Edwin AI continuously monitors changes to alerts, and will re-run applicable models whenever an alert’s key status attributes change. This ensures that clustering reflects the most current state of the environment.

The Edwin AI processor reevaluates alerts for correlation when there is a change in any of the following alert attributes:

  • New alert is received
  • State changes
  • Escalation changes
  • Severity changes
  • Timeout expiration
  • Timestamp updates caused by status changes

How Edwin AI Models Select the Best Cluster

When multiple models match the same alert, Edwin AI must determine which model (and which resulting cluster) is the most appropriate. This evaluation process is critical to avoid duplicating clusters or generating conflicting insights.

If an alert matches multiple clusters or models, Edwin selects the best-fit cluster using the following criteria:

  1. Number of alerts in the potential cluster
  2. Highest average similarity across the cluster
  3. Whether a cluster already exists
  4. Number of correlation fields defined across models
  5. Total number of models matched

Correlation Types for Models

Edwin AI supports multiple correlation methods, enabling flexibility in how alert similarity is evaluated and clusters are formed. 

String-based Correlation

String-based correlation compares textual fields between alerts, such as CI or description. Each field has a configurable similarity threshold ranging from 0% to 100%. 

See the following configuration example: 

  • A threshold of 100% means alerts must match exactly.
  • A lower threshold (for example, 80%) enables partial matching based on token similarity.

This method is ideal for grouping alerts based on structured text values, such as device names, instance IDs, or collector IDs.

List-based Correlation

List-based correlation compares alert fields that contain multiple values (for example, services, locations, or tags). You configure a minimum overlap count to determine how many shared items must exist between two alerts to group them. For more information, see Edwin AI List-based Correlations.

Note: You can configure a model with both string and list-based fields. Edwin evaluates all fields using AND logic, meaning an alert must satisfy all correlation criteria to be clustered. For more information, see Combining Correlation Types.

Grouping Strategies for Models

You can use different correlation strengths for different fields within the same model. For example, you can use the following correlations:

| Correlation by | Example |
|---|---|
| Resource | Match on CI with 100% similarity |
| Description | Match on description with 80% similarity |

This enables you to assemble related processes and alerts into clusters that reflect real-world business and technical dependencies.

Combining Correlation Types

Edwin AI models can combine list-based and string-based correlation logic. The following explains what happens when both types are used:

  • Each correlation type evaluates its fields independently.
  • The dataset filter applies globally across the model.
  • Alerts must meet all defined correlation conditions to be grouped.

See the following example:

To group alerts that share the same Name and at least two overlapping Business Services:

  • Define a string-based correlation on the Name field.
  • Define a list-based correlation on the Business Services field.
  • Set the minimum overlap count to 2.

Only alerts meeting both conditions will be clustered.
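
The combined Name and Business Services example above, worked through as an added illustration (this is not Edwin AI's own code or algorithm). It assumes Jaccard similarity over whitespace tokens as the token-similarity measure and simple pairwise linking to form clusters; the field names and sample alerts are constructed.

```python
from itertools import combinations

# Constructed sample alerts; field names are assumptions for illustration.
ALERTS = [
    {"id": 1, "name": "wap-nyc-01 high cpu", "services": ["wifi", "pos", "guest"], "vendor": "meraki"},
    {"id": 2, "name": "wap-nyc-01 high cpu", "services": ["wifi", "pos"], "vendor": "meraki"},
    {"id": 3, "name": "wap-nyc-01 high cpu", "services": ["wifi"], "vendor": "meraki"},
    {"id": 4, "name": "wap-nyc-01 high cpu", "services": ["wifi", "pos"], "vendor": "other"},
    {"id": 5, "name": "core-sw-02 link down", "services": ["wifi", "pos"], "vendor": "meraki"},
]

def token_similarity(a, b):
    """Jaccard similarity over whitespace tokens (assumed metric, 0.0-1.0)."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 1.0

def correlated(a, b, name_threshold=1.0, min_overlap=2):
    """AND logic: both the string-based and list-based condition must hold."""
    string_ok = token_similarity(a["name"], b["name"]) >= name_threshold
    list_ok = len(set(a["services"]) & set(b["services"])) >= min_overlap
    return string_ok and list_ok

def cluster(alerts, dataset_filter, min_density=2, **kw):
    """Filter alerts, link correlated pairs, return clusters >= min_density."""
    pool = [a for a in alerts if dataset_filter(a)]
    parent = {a["id"]: a["id"] for a in pool}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(pool, 2):
        if correlated(a, b, **kw):
            parent[find(a["id"])] = find(b["id"])

    groups = {}
    for a in pool:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_density)

def demo():
    return cluster(ALERTS, lambda a: a["vendor"] == "meraki")

if __name__ == "__main__":
    print(demo())
```

Alert 3 shares the Name but only one Business Service, alert 4 is excluded by the dataset filter, and alert 5 fails the Name match, so only alerts 1 and 2 form a cluster.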