Decoder: Correlation Rules Tab

Document created by RSA Information Design and Development on Jun 25, 2017Last modified by RSA Information Design and Development on Sep 25, 2017
Version 2Show Document
  • View in full screen mode
  

This topic describes the features for creating and managing correlation rules in the Services Config view > Correlation Rules tab.

The Correlation Rules tab enables you to manage correlation rules. Basic correlation rules are applied at the session level and alert the user to specific activities that may be occurring in their environment. Security Analytics applies correlation rules over a configurable sliding time window. 

Step 4. Configure Decoder Rules provides additional information and Configure Correlation Rules provides instructions for creating correlation rules.

The toolbar on the Correlation Rules tab is common to all types of rules. Services Config View - Rules Tabs provides information on the common rules toolbar and actions.

To access the Correlation Rules tab:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and  ic-actns.png >View > Config.
    The Config view for the selected service is displayed.
  3. Click the Correlation Rules tab.

The following figure shows the Correlation Rules tab.

The following figure shows the Rule Editor dialog for a correlation rule.

104CorrRuleEditor.png

The following table describes the Correlation Rules tab columns.

                                       
ColumnDescription
Pending This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains ic-pending2.png. Once the rules are applied, the pending indicator is removed.
Name This is the descriptive name for the rule.
Condition This is the definition of the condition that triggers an action when matched.

In conditions, all string literals and time stamps must be quoted. Do not quote number values and IP addresses. Rule and Query Guidelines provides additional details.
Instance Key This is the target indicator to base the event upon. It can be a single primary key, such as ip.src or a compound primary key such as ip.src,ip.dst.
Threshold This is the minimum number of occurrences required to trigger a correlation session and can include a associated key that identifies the meta type that were are counting to determine if the condition is satisfied. The correlation engine cannot use IPv4 or IPv6 as  an associated meta type. Use one of these three arguments:
  • u_count(associated_key) = the count of unique values of the specified key. A key is required.
  • sum(associated_key) = the values of the specified key. a key is required.
  • count() = number of sessions, no associated key used. If included, it is ignored.
Time Window This is the duration in hours, minutes, or seconds within which the threshold must be reached to trigger a correlation session.
Status This column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.

The Rule Editor dialog provides the fields and options needed to define a network rule. The fields correspond exactly to the grid columns.

                           
ActionDescription
Reset Resets the contents of the dialog to their values before editing; changes are discarded.
Cancel Cancels any edits and closes the Rule Editor Dialog.
OK Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor Dialog closes.
Save (Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Deprecated Syntax.
Previous Topic:App Rules Tab
You are here
Table of Contents > References > Services Config View - Rules Tab > Correlation Rules Tab

Attachments

    Outcomes