Correlation

Page Layout

Correlation rules, bucket signals, and action rules can be configured from this page. In addition, lambdas can be written to perform actions on a signal.

The first section of this page contains all currently configured correlation rules.

The second section of this page contains all currently configured bucket signals.

Bucket signals are defined during event bucket configuration. They define the type of signal and value that should be displayed when the signal is triggered.

Once signals are defined, they can be used in correlation rule configuration. The window size can be defined in minutes, hours, or days. Included and excluded signals can be defined in the appropriate fields. When the defined rule is fulfilled, the rule will trigger alerts for the defined signals. These alerts can be viewed on the Correlation Hits and Alarms pages.

Adding a Correlation Rule

A new correlation rule can be defined by clicking the "+ RULE" button in the top right corner of the Correlation Rules table.

This reveals a dropdown menu with options for different types of rules: signal set, metric aggregation, first occurrence, last occurrence, and anomaly detection. Signal set allows you to

This redirects you to the Signal Set Rule creation page. We're going to walk through the creation of a signal set rule to create a case alert for failed and successful logins.

Start by giving the rule a name and description. In this case, the name is loginMix and the description is "see both OK and FAILED action in 10 minute." The 10 minute references the next two fields: window size and window unit. These two fields allow you to adjust the window of time that this rule searches within. The default is 10 minutes.

Next, select which signals should be included for this rule. Signals are attached to Event Buckets and can be defined during Event Bucket creation, or by clicking the "+ ADD" button in the Bucket Signals section of the Correlation page, which redirects the user to the Event Bucket creation page.

In this case, we select OFFICE_USER_LOGIN_FAILED and OFFICE_USER_LOGIN_OK in order to make sure the alert information includes data on both successful and failed logins. Signals can also be excluded from the rule.

Next, define the key field for the signal. This field will be displayed on the correlation page so it should be the most useful field in relation to the signal for analysis purposes. In this case, we are using @fields.UserId. This will allow us to see the user associated with the login.

Next, define the Emit Signal. This is the signal name that will show up on the Alarms page if the case button is checked. We want this signal to create a case when triggered, so check the case box.

Tags can also be added to the signal to label alerts.

Once you are finished filling out the fields, click the "SAVE" button to add the signal.

Adding a Bucket Signal

A new bucket signal can be defined by clicking the "+ ADD" button in the top right corner of the Bucket Signals table.

Bucket signals can be defined during Event Bucket creation.

In the "Signals" section click the "ADD" button to open the pop-up window for signal creation.

To start, select the type of signal. There are four options: hit, count, sum, and cardinality.

Select hit.

Adding an Action Rule

A new action rule can be defined by clicking the "+ NEW ACTION RULE" button in the top right corner of the Action Rules table.

Writing a Lambda

A new lambda can be written by clicking the "+ NEW LAMBDA" button in the top right corner of the Lambdas table.