Correlation Rules Tab

Document created by RSA Information Design and Development on Jul 27, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.
Version 4

This topic introduces the Security Analytics user interface and arguments for correlation rules.

The main Rules Tab section describes the toolbar common to all types of rules. This section introduces the user interface and arguments for basic correlation rules.

You can access this view by doing the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and, from the Actions menu, select View > Config.
    The Config view for the selected service is displayed.
  3. Click the Correlation Rules tab.

This is an example of the Correlation Rules tab.


This is an example of the Rule Editor dialog for a correlation rule.



The following table describes the Correlation rules and options. 

Pending: This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains a pending indicator icon. Once the rules are applied, the pending indicator is removed.
Name: This is the descriptive name for the rule.
Condition: This is the definition of the condition that triggers an action when matched.
Instance Key: This is the target indicator to base the event upon. It can be a single primary key, such as ip.src, or a compound primary key, such as ip.src,ip.dst.
Threshold: This is the minimum number of occurrences required to trigger a correlation session. It can include an associated key that identifies the meta type being counted to determine whether the condition is satisfied. The correlation engine cannot use IPv4 or IPv6 as an associated meta type. Use one of these three arguments:
  • u_count(associated_key) = the count of unique values of the specified key. A key is required.
  • sum(associated_key) = the sum of the values of the specified key. A key is required.
  • count() = the number of sessions; no associated key is used. If a key is included, it is ignored.
Time Window: This is the duration in hours, minutes, or seconds within which the threshold must be reached to trigger a correlation session.
Status: This column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.
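
The following is an added example, not RSA code or Security Analytics rule syntax: a small Python model of how the Instance Key, Threshold and Time Window columns described above combine. It assumes a sliding window, a trigger when the value is at least the threshold, a Python predicate standing in for the Condition, and constructed sample sessions; `first_triggers`, `make_sessions` and `IP_TYPED_KEYS` are hypothetical names.

```python
from collections import defaultdict, deque

# Sample IP-typed meta keys (assumption); the page says these cannot be associated keys.
IP_TYPED_KEYS = {"ip.src", "ip.dst", "ipv6.src", "ipv6.dst"}

def make_sessions():
    """Constructed sample sessions as (time_in_seconds, meta) pairs; not real traffic."""
    sweep = [(t, {"ip.src": "10.0.0.5", "ip.dst": "10.0.1.1", "tcp.dstport": p, "size": 100})
             for t, p in zip((0, 5, 10, 15, 20), (22, 23, 80, 443, 3389))]
    steady = [(t, {"ip.src": "10.0.0.9", "ip.dst": "10.0.1.1", "tcp.dstport": 443, "size": 1000})
              for t in (0, 10, 20, 30, 40)]
    return sweep + steady

def first_triggers(sessions, condition, instance_key, func, assoc_key, threshold, window):
    """Return {instance: (time, value)} for the first time each instance reaches the threshold."""
    if func in ("u_count", "sum"):
        if not assoc_key:
            raise ValueError(f"{func}() requires an associated key")
        if assoc_key in IP_TYPED_KEYS:
            raise ValueError("IPv4/IPv6 meta cannot be the associated key")
    elif func != "count":
        raise ValueError(f"unknown threshold function: {func}")
    keys = instance_key.split(",")            # single or compound primary key
    recent = defaultdict(deque)               # instance -> sessions inside the window
    triggered = {}
    for ts, meta in sorted(sessions, key=lambda s: s[0]):
        if not condition(meta):
            continue
        inst = tuple(meta[k] for k in keys)
        if inst in triggered:
            continue
        q = recent[inst]
        q.append((ts, meta))
        while q and q[0][0] <= ts - window:   # drop sessions older than the time window
            q.popleft()
        if func == "count":
            value = len(q)                    # associated key, if any, is ignored
        elif func == "u_count":
            value = len({m[assoc_key] for _, m in q})
        else:
            value = sum(m[assoc_key] for _, m in q)
        if value >= threshold:
            triggered[inst] = (ts, value)
    return triggered

if __name__ == "__main__":
    tcp = lambda m: "tcp.dstport" in m        # stands in for the rule's Condition
    print(first_triggers(make_sessions(), tcp, "ip.src", "u_count", "tcp.dstport", 5, 60))
    print(first_triggers(make_sessions(), tcp, "ip.src", "count", None, 5, 60))
```

With the same sample sessions, count() triggers for both sources while u_count(tcp.dstport) triggers only for the source that touched five distinct ports, and shortening the time window to 15 seconds suppresses that trigger as well.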

The Rule Editor dialog provides the fields and options needed to define a network rule. The fields correspond exactly to the grid columns.

Reset: Resets the contents of the dialog to their values before editing; changes are discarded.
Validate: Validates that the rule syntax is correct.
Cancel: Cancels any edits and closes the Rule Editor dialog.
OK: Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor dialog closes.