Using correlation to derive useful intelligence - Security Center 5.10

Security Center User Guide 5.10

Product: Security Center
Content type: Guides > User guides
Version: 5.10
Language: English
Last updated: 2023-05-02

You can use records imported from external sources to derive new information in Security Center using the Records investigation task.

Before you begin

Make sure that your system administrator has granted you the necessary privileges to use the record types you need.

What you should know

The Records task is an investigation task that you can use to query the record providers registered in Security Center and find relevant information based on known or suspected correlations.

Correlation refers to a relationship between two types of events, A and B. A correlation exists between A and B when the occurrence of event A is regularly accompanied or followed by event B, more often than would be expected by chance. For example, if the number of new COVID-19 cases rises in the days following every large gathering of people, we can say that large gatherings and increases in new COVID-19 cases are correlated. A correlation on its own does not show that A causes B; the Records task helps you find candidate relationships that then warrant further investigation.

Procedure

  1. On the Security Desk home page, open the Records task.
  2. Click Record types and select the record types you want to analyze.
    Assuming your record types correspond to types of event, such as arrests or thefts, you can test whether a correlation exists between two record types by filtering them on a common property.
    NOTE: By default, the timestamp and the location properties are always available for correlation. The timestamp and location properties are the fields that your system administrator assigned the Timestamp and Location (or Latitude and Longitude) functions to. The actual field names might be different.
  3. To correlate your record types by timestamp, click the Event timestamp filter and specify a range of dates or times.
    Use this option to filter the fields assigned to the Timestamp function in the record type. If you have other timestamp fields in your record type that are not assigned to the Timestamp function, you must specify them in the Conditions filter.
  4. To correlate your record types by location, click the Location filter and draw the regions where the data must be found or excluded from.
    1. Click Edit.
      A map window opens.
    2. Click Draw polygon to start drawing.
      Click once for each endpoint, and click the first endpoint to close the polygon.
      [Figure: Records report - Drawing a region]
    3. If necessary, click and drag a point to adjust the shape of the polygon.
    4. If necessary, draw more regions.
    5. Click OK to save your changes.
    6. Click Switch to map mode to change the canvas to the map display.
      The regions added as location filter are displayed in green. Only records found within these regions are returned as results.
    7. To exclude the records found within these regions from the results, select the Exclude regions option.
      The color of the regions changes to red.
    [Figure: Records report - Location filter]
  5. To add conditions on fields other than timestamp and location, click the Conditions filter.
    If two record types each have a field with the same name and data type, conditions applied to one field are also applied to the other. If you add a condition for a field that doesn't exist in some record types, those records are not filtered based on that condition.
    1. Click Add an item under the Conditions filter.
      The Condition dialog box opens.
    2. Click the record type and the field you want to filter.
      [Figure: Records report - Add a condition]
    3. Select a comparison operator and a value, and then click Add.
      NOTE: Enter string values without using double quotes.

      For the In and Not in operators, enter a list of comma-separated values without adding a space after the comma, unless the space is part of the value you want to match.

      For the pattern matching operator, enter the value as a regular expression.
      • Click Pattern matching options > General for a list of the most commonly used metacharacters.
      • Click Pattern matching options > ALPR to transform a license plate number you entered into a regular expression for matching OCR-equivalent characters, such as '8' and 'B', '1' and 'I', and '0' and 'O' and 'D'.
      The condition is added to the Conditions filter.
    4. Add more conditions on the same or different fields as needed.
  6. Select the columns you want to see in your report.
    Six columns are included by default:
    ID
    Corresponds to the fields assigned to the ID function.
    Record type
    Name of the record type the record belongs to.
    Timestamp
    Corresponds to the fields assigned to the Timestamp function and used for the Event timestamp filter.
    Latitude, Longitude
    These two columns correspond to the fields assigned to the Location (or Latitude and Longitude) functions and are used for the Location filter.
    Role
    Name of the role that manages the record type.
    Some fields are not offered as columns because they may have a different name in each record type. You can add or remove columns from the report as needed.
    NOTE: Fields with the same name and type are considered to be identical in all record types and can only be included once in the report.
  7. Click Generate report.
    The query results are displayed in the report pane.
  8. Double-click a row to display it in a tile in the canvas.
    [Figure: Records report - Results displayed in tiles]
  9. If the record types are georeferenced, click Switch to map mode to display the results on the map.
  10. Click a map object of a record type to open the information bubble with the details of the record.
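The following is an added illustration of the filtering logic the procedure above describes, written for this guide and not code from Security Center or its SDK. It models a Records query as three stages: an Event timestamp range, a Location filter that includes or excludes polygon regions (point-in-polygon by ray casting), and Conditions on other fields, including an In list split only on commas and an ALPR pattern that expands the OCR look-alike classes the page lists ('8'/'B', '1'/'I', '0'/'O'/'D'). The record types, field names (`type`, `ts`, `lat`, `lon`, `plate`), the `PLAZA` polygon and the sample records are all constructed for the example and are not real data.

```python
import re
from datetime import datetime

# OCR-equivalence classes the page lists for Pattern matching options > ALPR.
# Any member of a class may be read as any other member by a plate reader.
ALPR_CLASSES = [{"8", "B"}, {"1", "I"}, {"0", "O", "D"}]


def alpr_pattern(plate):
    """Turn a literal plate into an anchored regex that also matches OCR look-alikes."""
    parts = []
    for ch in plate.upper():
        cls = next((c for c in ALPR_CLASSES if ch in c), None)
        parts.append("[" + "".join(sorted(cls)) + "]" if cls else re.escape(ch))
    return "^" + "".join(parts) + "$"


def parse_in_list(value):
    """In / Not in values: split on commas only, spaces stay part of the value."""
    return value.split(",")


def point_in_polygon(lat, lon, polygon):
    """Ray-casting containment test; polygon is a list of (lat, lon) vertices."""
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lon1 > lon) != (lon2 > lon):  # edge straddles the ray at this longitude
            crossing = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < crossing:
                inside = not inside
    return inside


def condition_holds(record, field, op, value):
    """Conditions on a field the record type lacks do not filter that record."""
    if field not in record:
        return True
    actual = str(record[field])
    if op == "=":
        return actual == value
    if op == "in":
        return actual in parse_in_list(value)
    if op == "not in":
        return actual not in parse_in_list(value)
    if op == "matches":
        return re.search(value, actual) is not None
    raise ValueError("unsupported operator: " + op)


def query(records, record_types, start, end, regions=(), exclude_regions=False, conditions=()):
    """Apply record-type selection, timestamp range, location regions and conditions."""
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    results = []
    for r in records:
        if r["type"] not in record_types:
            continue
        if not (start_dt <= datetime.fromisoformat(r["ts"]) <= end_dt):
            continue
        if regions:
            in_region = any(point_in_polygon(r["lat"], r["lon"], p) for p in regions)
            if in_region == exclude_regions:  # drop if outside (include) or inside (exclude)
                continue
        if not all(condition_holds(r, *c) for c in conditions):
            continue
        results.append(r)
    return results


# Constructed sample data (hypothetical): a rectangle around a plaza and records of
# two record types that share the timestamp/location fields; only Theft has a plate.
PLAZA = [(45.50, -73.58), (45.52, -73.58), (45.52, -73.56), (45.50, -73.56)]
RECORDS = [
    {"id": "G-1", "type": "Gathering", "ts": "2023-04-01T14:00:00", "lat": 45.51, "lon": -73.57},
    {"id": "T-1", "type": "Theft", "ts": "2023-04-01T22:10:00", "lat": 45.51, "lon": -73.57, "plate": "8O1234"},
    {"id": "T-2", "type": "Theft", "ts": "2023-04-02T09:00:00", "lat": 45.49, "lon": -73.57, "plate": "B01234"},
    {"id": "T-3", "type": "Theft", "ts": "2023-04-10T09:00:00", "lat": 45.51, "lon": -73.57, "plate": "XYZ9999"},
]

if __name__ == "__main__":
    # Gatherings and thefts inside the plaza during the first two days of April,
    # with thefts further narrowed to plates that OCR-match "B01234".
    hits = query(RECORDS, {"Gathering", "Theft"}, "2023-04-01T00:00:00", "2023-04-03T00:00:00",
                 regions=[PLAZA], conditions=[("plate", "matches", alpr_pattern("B01234"))])
    print([r["id"] for r in hits])
```

Note how the `Gathering` record survives the plate condition even though it has no `plate` field, mirroring the rule that a condition on a field absent from a record type does not filter that type; to compare counts inside and outside your regions, run the same query once with `exclude_regions=False` and once with `exclude_regions=True`.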