You can define correlation rules to go beyond basic correlation and gain a deeper understanding of a given type of situation.
Before you begin
What you should know
- The Correlation Service evaluates the premise of the rule. The premise is defined as a specific type of alert with certain characteristics (attribute-value conditions).
- If the rule premise finds a match, the body of the rule (the correlation hypothesis) is handed over to a Correlation Rules Engine for evaluation. The rule body is defined as a set of data sources matching a set of conditions.
- From the Config Tool home page, open the Plugins task.
- From the plugin role list, select the Correlation Service role and click .
- In the Correlation alerts section, click .
  A New rule is added to the list of correlation rules.
- Double-click New rule and enter the name of the alert that the system generates when the rule is a hit.
  NOTE: Leave the two checkboxes for now; we'll come back to them later.
- In the Rule premise section, configure the characteristics of the alert you are looking for.
  - Click the On receiving a drop-down list and select an alert type.
  - Click to add an alert characteristic.
  Each alert characteristic is configured as an <Attribute, Comparison, Value> triplet. For string values, all comparisons are case-insensitive. The = operator requires an exact match. The like operator means the specified value must be contained in the attribute field.
  Add as many alert characteristics as necessary.
  Tip: All conditions are combined with the AND operator. If you need to combine them with an OR, you must define separate rules.
- In the Rule body section, configure the correlation hypothesis.
  The correlation hypothesis is made of one or many data sources, matching a set of conditions.
  - At the bottom of the pane, click the arrow beside the Condition () button and select one of the following:
    - Type condition: For a single data source condition of the form Look for <data source> where <characteristic> AND <characteristic>…, where <characteristic> is a condition that the data source must match, and all characteristics are combined with the AND operator.
      The following example (based on simulated data) illustrates a type condition that says: At least one police unit is found within 1000 feet of the location of the alert.
      NOTE: This condition adds a workload of 1 to the correlation rule because only one data source is involved.
    - Logical condition: For a logical condition combining multiple data source conditions with one of the following logical operators:
      The following example (based on simulated data) illustrates a logical condition that says: Either the boundary of a gang territory is found within 25 feet of the location of the alert, or a gang member who has a driver's role is found.
      NOTE: This condition adds a workload of 2 to the correlation rule because two data sources (Gangs and Gang members) are involved.
  - Click the Look for drop-down list and select a data source, then click where () to add a data source characteristic.
  - Define as many conditions as necessary.
  Each Look for data source you add to the correlation rule counts as one towards the final workload of the rule. All conditions are combined with the AND operator. If you need to combine conditions with the OR operator, define multiple rules.
  Tip: To create multiple variations of the same rule, use the Copy () button and make the required changes.
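The premise and body semantics described in this procedure (attribute/comparison/value triplets, case-insensitive = and like, AND between all conditions of one rule, type versus logical conditions, and a workload of one per Look for data source) can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Security Center's own code or API. The record layout, the alert location and coordinates expressed in feet, the hypothetical within comparison used to express "within N feet", and the AND/OR operator pair for logical conditions are all assumptions made here.

```python
"""Toy model of correlation-rule evaluation (constructed example, not product code)."""
from dataclasses import dataclass, field
from math import hypot
from typing import Any, Dict, List, Optional, Union


@dataclass(frozen=True)
class Characteristic:
    """One <Attribute, Comparison, Value> triplet."""
    attribute: str
    comparison: str   # "=" exact match, "like" substring (both case-insensitive),
    value: Any        # "within": hypothetical distance check, value in feet

    def matches(self, record: Dict[str, Any], alert: Optional[Dict[str, Any]] = None) -> bool:
        actual = record.get(self.attribute)
        if actual is None:
            return False
        if self.comparison == "=":
            return str(actual).casefold() == str(self.value).casefold()
        if self.comparison == "like":
            return str(self.value).casefold() in str(actual).casefold()
        if self.comparison == "within":
            # Assumed geospatial comparison: the record's location must lie within
            # `value` feet of the alert's location (coordinates are in feet).
            ax, ay = alert["location"]
            rx, ry = actual
            return hypot(ax - rx, ay - ry) <= self.value
        raise ValueError(f"unknown comparison {self.comparison!r}")


@dataclass
class Premise:
    """Rule premise: an alert type plus characteristics, all ANDed together."""
    alert_type: str
    characteristics: List[Characteristic] = field(default_factory=list)

    def matches(self, alert: Dict[str, Any]) -> bool:
        return alert["type"] == self.alert_type and all(
            c.matches(alert) for c in self.characteristics)


@dataclass
class TypeCondition:
    """Look for <data source> where <characteristic> AND <characteristic>..."""
    data_source: str
    characteristics: List[Characteristic]

    def evaluate(self, alert: Dict[str, Any], data: Dict[str, List[Dict[str, Any]]]) -> bool:
        # Hit if at least one record of the data source satisfies every characteristic.
        return any(all(c.matches(rec, alert) for c in self.characteristics)
                   for rec in data.get(self.data_source, []))

    def workload(self) -> int:
        return 1  # one data source involved


@dataclass
class LogicalCondition:
    """Combines several conditions with an assumed AND or OR operator."""
    operator: str
    operands: List[Union["TypeCondition", "LogicalCondition"]]

    def evaluate(self, alert: Dict[str, Any], data: Dict[str, List[Dict[str, Any]]]) -> bool:
        results = [op.evaluate(alert, data) for op in self.operands]
        return all(results) if self.operator == "AND" else any(results)

    def workload(self) -> int:
        # Each Look for data source counts once towards the rule's workload.
        return sum(op.workload() for op in self.operands)


@dataclass
class Rule:
    name: str
    premise: Premise
    body: List[Union[TypeCondition, LogicalCondition]]
    active: bool = True

    def workload(self) -> int:
        return sum(c.workload() for c in self.body)

    def evaluate(self, alert: Dict[str, Any], data: Dict[str, List[Dict[str, Any]]]) -> Optional[str]:
        """Return the alert name generated on a hit, or None."""
        if not self.active or not self.premise.matches(alert):
            return None
        return self.name if all(c.evaluate(alert, data) for c in self.body) else None


def build_sample_rules() -> List[Rule]:
    premise = Premise("Gunshot", [Characteristic("description", "like", "shots fired")])
    police = TypeCondition("Police units", [Characteristic("location", "within", 1000)])
    gang_boundary = TypeCondition("Gangs", [Characteristic("boundary", "within", 25)])
    gang_driver = TypeCondition("Gang members", [Characteristic("role", "=", "driver")])
    return [
        Rule("Police nearby", premise, [police]),
        Rule("Gang activity nearby", premise, [LogicalCondition("OR", [gang_boundary, gang_driver])]),
        Rule("Gang activity (both)", premise, [LogicalCondition("AND", [gang_boundary, gang_driver])]),
    ]


# Constructed sample alert and simulated data sources (coordinates in feet).
SAMPLE_ALERT = {"type": "Gunshot", "description": "SHOTS FIRED near the park", "location": (0, 0)}
SAMPLE_DATA = {
    "Police units": [{"unit": "P12", "location": (600, 400)}],      # ~721 ft away
    "Gangs": [{"name": "Northside", "boundary": (100, 50)}],        # ~112 ft away
    "Gang members": [{"name": "J. Doe", "role": "Driver"}],
}


def run_example(alert=SAMPLE_ALERT, data=SAMPLE_DATA) -> Dict[str, tuple]:
    """Evaluate every sample rule; returns {rule name: (generated alert or None, workload)}."""
    return {r.name: (r.evaluate(alert, data), r.workload()) for r in build_sample_rules()}


if __name__ == "__main__":
    for name, (hit, load) in run_example().items():
        print(f"{name}: {'HIT' if hit else 'no hit'} (workload {load})")
```

Run against the constructed data, the first rule is a hit with workload 1 (one data source), the OR rule is a hit with workload 2 because the gang member condition holds even though the boundary is more than 25 feet away, and the AND variant of the same two data sources is not a hit, which is why the text tells you to define separate rules when you need OR semantics at the rule level.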
- In the Correlation alerts section, select the rule you are working on.
- Select the Active option if you are ready to put the rule into production.
- If necessary, select the Expires option and set the expiration date and time of the rule.
  A Security Center alarm is created to match the correlation rule.
- Open the Alarms task, and select the alarm () matching the name of the correlation rule.
- Click the Properties tab and configure the Recipients of the alarm.
  The recipients of the alarm are the users who will get the correlation rule alert.