This topic describes the features for creating and managing correlation rules in the Services Config view > Correlation Rules tab.
The Correlation Rules tab enables you to manage correlation rules. Basic correlation rules are applied at the session level and alert the user to specific activities that may be occurring in their environment. Security Analytics applies correlation rules over a configurable sliding time window.
The toolbar on the Correlation Rules tab is common to all types of rules. Services Config View - Rules Tabs provides information on the common rules toolbar and actions.
To access the Correlation Rules tab:
- In the Security Analytics menu, select Administration > Services.
- Select a service and click View > Config.
  The Config view for the selected service is displayed.
- Click the Correlation Rules tab.
The following figure shows the Correlation Rules tab.
The following figure shows the Rule Editor dialog for a correlation rule.
The following table describes the Correlation Rules tab columns.
| Column | Description |
|---|---|
| Pending | Indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains a pending indicator. Once the rules are applied, the pending indicator is removed. |
| Name | The descriptive name for the rule. |
| Condition | The definition of the condition that triggers an action when matched. In conditions, all string literals and time stamps must be quoted. Do not quote number values and IP addresses. Rule and Query Guidelines provides additional details. |
| Instance Key | The target indicator on which the event is based. It can be a single primary key, such as ip.src, or a compound primary key, such as ip.src,ip.dst. |
| Threshold | The minimum number of occurrences required to trigger a correlation session. It can include an associated key that identifies the meta type being counted to determine whether the condition is satisfied. The correlation engine cannot use IPv4 or IPv6 as an associated meta type. Use one of these three arguments: |
| Time Window | The duration in hours, minutes, or seconds within which the threshold must be reached to trigger a correlation session. |
| Status | Indicates with a circle icon whether the rule is enabled or disabled. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled. |
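To make the instance key, threshold with associated key, and sliding time window concrete, the following Python simulation (added here as an illustration, not Security Analytics code) evaluates one correlation rule over a sequence of session meta. The rule and the session records are constructed: SSH sessions (service 22) from a single ip.src that reach three distinct user.dst values within five minutes open a correlation session.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed rule, mirroring the Correlation Rules tab columns (hypothetical values).
RULE = {
    "name": "many distinct users from one source",
    "condition": lambda s: s.get("service") == 22,   # only SSH sessions match
    "instance_key": ("ip.src",),                     # single primary key
    "threshold": 3,                                  # minimum distinct occurrences
    "associated_key": "user.dst",                    # meta type counted (not an IP)
    "time_window": timedelta(minutes=5),             # sliding window
}

def correlate(rule, sessions):
    """Return (instance, fire_time) for every point at which the threshold is met.
    Sessions must be in time order; each is a dict of meta keys."""
    windows = defaultdict(deque)   # instance -> deque of (time, associated value)
    fired = []
    for s in sessions:
        if not rule["condition"](s):
            continue
        inst = tuple(s[k] for k in rule["instance_key"])
        q = windows[inst]
        q.append((s["time"], s.get(rule["associated_key"])))
        # Slide the window: drop sessions older than time_window relative to this one.
        while s["time"] - q[0][0] > rule["time_window"]:
            q.popleft()
        distinct = {v for _, v in q if v is not None}
        if len(distinct) >= rule["threshold"]:
            fired.append((inst, s["time"]))
            q.clear()   # threshold reached: start a fresh correlation session
    return fired

T0 = datetime(2024, 1, 1, 12, 0, 0)
SESSIONS = [   # constructed sample meta, not real traffic
    {"time": T0, "service": 22, "ip.src": "10.0.0.5", "user.dst": "alice"},
    {"time": T0 + timedelta(minutes=1), "service": 22, "ip.src": "10.0.0.5", "user.dst": "bob"},
    {"time": T0 + timedelta(minutes=2), "service": 80, "ip.src": "10.0.0.5", "user.dst": "carol"},  # fails condition
    {"time": T0 + timedelta(minutes=3), "service": 22, "ip.src": "10.0.0.5", "user.dst": "alice"},  # duplicate value
    {"time": T0 + timedelta(minutes=9), "service": 22, "ip.src": "10.0.0.5", "user.dst": "dave"},   # alice/bob aged out
    {"time": T0 + timedelta(minutes=10), "service": 22, "ip.src": "10.0.0.5", "user.dst": "erin"},
    {"time": T0 + timedelta(minutes=11), "service": 22, "ip.src": "10.0.0.5", "user.dst": "frank"},
]

def run_example():
    return correlate(RULE, SESSIONS)   # fires once, at 12:11, for instance ("10.0.0.5",)
```

Only the last three sessions fall within one five-minute window with three distinct user.dst values, so the rule fires once; the earlier sessions either fail the condition, repeat a value, or age out of the window.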
The Rule Editor dialog provides the fields and options needed to define a correlation rule. The fields correspond exactly to the grid columns.
| Button | Description |
|---|---|
| Reset | Resets the contents of the dialog to their values before editing; changes are discarded. |
| Cancel | Cancels any edits and closes the Rule Editor dialog. |
| OK | Saves the new or edited rule and adds it to the rules grid. The Rule Editor dialog closes. |
| Save | (Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Deprecated Syntax. |