You can define correlation rules to go beyond basic correlation and gain a deeper understanding of a given type of situation.
Before you begin
- Create the Correlation Service role.
- Register all data sources used by your system for correlation purposes.
What you should know
A correlation rule is matched against two sets of conditions:
- The Correlation Service evaluates the premise of the rule. The premise of the rule is defined as a specific type of alert with certain characteristics (attribute-value conditions).
- If the rule premise is matched, the body of the rule (the correlation hypothesis) is handed over to a Correlation Rules Engine for evaluation. The rule body is defined as a set of data sources matching a set of conditions.
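The two-stage evaluation described above, modeled as an added example that is not the product's own code or rule format. The `Rule` structure, the attribute and data source names, and the requirement that every data source in the body must match are assumptions made for illustration; all sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    alert_type: str   # premise: the specific type of alert
    premise: dict     # premise: attribute-value conditions on the alert
    body: dict        # body: data source name -> attribute-value conditions

def matches(record, conditions):
    """True when every attribute-value condition holds for the record."""
    return all(record.get(k) == v for k, v in conditions.items())

def evaluate(rule, alert, sources, trace=None):
    """Evaluate the premise first; evaluate the body only on a premise match.

    sources maps a data source name to its list of records.
    Returns the matching records per data source, or None if the rule fails.
    trace (optional list) records which stages were actually evaluated.
    """
    trace = trace if trace is not None else []
    trace.append("premise")
    if alert.get("type") != rule.alert_type or not matches(alert, rule.premise):
        return None               # premise failed: body is never evaluated
    trace.append("body")
    evidence = {}
    for name, conditions in rule.body.items():
        hits = [r for r in sources.get(name, []) if matches(r, conditions)]
        if not hits:
            return None           # assumption: every listed source must match
        evidence[name] = hits
    return evidence

# Constructed sample rule and data (hypothetical names, not from the product).
RULE = Rule(
    alert_type="door_forced",
    premise={"area": "server_room"},
    body={
        "badge_reads": {"area": "server_room", "result": "denied"},
        "camera_events": {"area": "server_room", "motion": True},
    },
)
SOURCES = {
    "badge_reads": [{"area": "server_room", "result": "denied", "badge": "B-17"},
                    {"area": "lobby", "result": "granted", "badge": "B-02"}],
    "camera_events": [{"area": "server_room", "motion": True}],
}

if __name__ == "__main__":
    alert = {"type": "door_forced", "area": "server_room"}
    print(evaluate(RULE, alert, SOURCES))
```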
NOTE: The screenshots in this topic illustrate sample use cases. The data sources you have on your system might look different. Their meaning, attributes, and values depend on what plugin roles you have created for data integration.