Defining correlation rules - Genetec Citigraf™ 2.0

Genetec Citigraf™ Command User Guide 2.0

series
Genetec Citigraf™ 2.0
revised_modified
2018-11-07
category_custom
Guides
Guides > User guides
prodname_custom
City applications > Citigraf
vrm_version
2.0

You can define correlation rules to go beyond basic correlation and gain a deeper understanding of a given type of situation.

Before you begin

What you should know

A correlation rule is a set of user-defined data queries based on a correlation hypothesis. When alerts are received in Genetec Citigraf™, the correlation rules are automatically matched against the available data sources to validate the hypothesis. When a match is found (called a hit), a new alert is generated.
A correlation rule is matched against two sets of conditions:
  • The Correlation Service evaluates the premise of the rule. The premise of the rule is defined as a specific type of alert with certain characteristics (attribute-value conditions).
  • If the rule premise found a match, then the body of the rule (the correlation hypothesis) is handed over to a Correlation Rules Engine for evaluation. The rule body is defined as a set of data sources matching a set of conditions.
If the rule body found a match, we have a hit, and a new alert named after the rule is generated. All correlation alerts have a priority of 1 (the highest).
NOTE: The screenshots in this topic illustrate sample use cases. The data sources you have on your system might look different. Their meaning, attributes, and values depend on what plugin roles you have created for data integration.

Procedure

  1. From the Config Tool home page, open the Plugins task.
  2. From the plugin role list, select the Correlation Service role and click Advanced correlation.

  3. In the Correlation alerts section, click .
    A New rule is added to the list of correlation rules.
  4. Double-click New rule and enter the name of the alert that the system generates when the rule is a hit.

    NOTE: Leave the two checkboxes for now, we'll come back to them later.
  5. In the Rule premise section, configure the characteristics of the alert you are looking for.
    1. Click the On receiving a drop-down list and select an alert type.

    2. Click to add an alert characteristic.
      Each alert characteristic is configured as an <Attribute, Comparison, Value> triplet.

      For string values, all comparisons are case-insensitive. The = operator requires an exact match. The like operator means the specified value must be contained in the attribute field.

    3. Add as many alert characteristics as necessary.
      Tip: All conditions are combined with the AND operator. If you need to combine them with an OR, you must define separate rules.
  6. In the Rule body section, configure the correlation hypothesis.
    The correlation hypothesis is made of one or many data sources, matching a set of conditions.
    1. At the bottom of the pane, click the arrow beside the Condition () button and select one of the following:
      Type condition
      For a single data source condition of the form:
      Look for <data source> where <characteristic> AND <characteristic>…
      where each <characteristic> is a condition that the data source must match, and where all characteristics are combined with the AND operator.

      The following example (based on simulated data) illustrates a type condition that says: At least one police unit is found within 1000 feet of the location of the alert.

      NOTE: This condition adds a workload of 1 to the correlation rule because only one data source is involved.
      Logical condition
      For a logical condition combining multiple data source conditions with one of the following logical operator: All, Any, or None.

      The following example (based on simulated data) illustrates a logical condition that says: Either the boundary of a gang territory is found within 25 feet of the location of the alert or a gang member who has a driver's role is found.

      NOTE: This condition adds a workload of 2 to the correlation rule because two data sources (Gangs and Gang members) are involved.
    2. Click the Look for drop-down list and select a data source, then click where () to add a data source characteristic.
    3. Define as many conditions as necessary.
      Each Look for data source you add to the correlation rule counts as one towards the final workload of the rule. All conditions are combined with the AND operator. If you need to combine conditions with the OR operator, define multiple rules.
      Tip: To create multiple variations of the same rule, use the Copy () button and make the required changes.
  7. In the Correlation alerts section, select the rule you are working on.
  8. Select the Active option if you are ready to put the rule into production.
  9. If necessary, select the Expires option and set the expiration date and time of the rule.
  10. Click Apply.
    A Security Center alarm is created to match the correlation rule.
  11. Open the Alarms task, and select the alarm () matching the name of the correlation rule.
  12. Click the Properties tab and configure the Recipients of the alarm.
    The recipients of the alarm are the users who will get the correlation rule alert.