Decoder: Correlation Rules Tab

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017.

The Correlation Rules tab (ADMIN > Services > select a service, click the actions drop-down menu, then View > Config > Correlation Rules tab) enables you to manage correlation rules. Basic correlation rules are applied at the session level and alert the user to specific activities that may be occurring in their environment. NetWitness Suite evaluates correlation rules over a configurable sliding time window: a rule fires when the sessions matching its condition, grouped by instance key, reach the threshold within that window.

What do you want to do?

User Role: Administrator
I want to...: add or edit a correlation rule
Documentation: Configure Correlation Rules

Quick Look

The following figure shows the Correlation Rules tab.

The following figure shows the Rule Editor dialog for a correlation rule.


The following table describes the Correlation Rules tab columns.

Pending: Indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains a pending icon. Once the rules are applied, the pending indicator is removed.
Name: The descriptive name for the rule.
Condition: The definition of the condition that triggers an action when matched. In conditions, all string literals and time stamps must be quoted. Do not quote number values or IP addresses. Configure Decoder Rules provides additional details.
Instance Key: The target indicator on which the event is based. It can be a single primary key, such as ip.src, or a compound primary key, such as ip.src,ip.dst. Matching sessions are grouped and counted separately for each distinct value of this key.
Threshold: The minimum number of occurrences required to trigger a correlation session. It can include an associated key that identifies the meta type being counted to determine whether the condition is satisfied. The correlation engine cannot use IPv4 or IPv6 as an associated meta type. Use one of these three arguments:
  • u_count(associated_key) = the count of unique values of the specified key. A key is required.
  • sum(associated_key) = the sum of the values of the specified key. A key is required.
  • count() = the number of sessions; no associated key is used. If one is included, it is ignored.
Time Window: The duration in hours, minutes, or seconds within which the threshold must be reached to trigger a correlation session.
Status: Indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.
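To make the interaction of the Condition, Instance Key, Threshold and Time Window columns concrete, here is a small sliding-window correlation engine written for this page. It is an added illustration, not NetWitness Suite code, and it assumes a Python predicate in place of the Condition string, a constructed meta-key schema (META_TYPES), constructed sample sessions, and a re-arm rule (the bucket is cleared once an alert fires) that the page does not specify. It shows the three threshold functions behaving differently on the same traffic: u_count() fires on three distinct users from one source, count() fires on three sessions between one source/destination pair regardless of user, sum() fires on accumulated bytes, and an associated key of an IPv4 meta type is rejected as the page requires.

```python
"""Toy sliding-window correlation engine mirroring the Correlation Rules tab
semantics (condition, instance key, threshold function, time window).
Added example; not NetWitness Suite code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed (assumed) meta-key schema; only the type matters here, so the
# engine can enforce "u_count/sum cannot use an IPv4 or IPv6 meta type".
META_TYPES = {"ip.src": "IPv4", "ip.dst": "IPv4", "user.dst": "Text",
              "size": "UInt32", "service": "UInt32"}
Session = Dict[str, object]


@dataclass
class CorrelationRule:
    name: str
    condition: Callable[[Session], bool]  # stands in for the Condition column
    instance_key: Tuple[str, ...]         # ("ip.src",) or ("ip.src", "ip.dst")
    threshold_fn: str                     # "count", "u_count" or "sum"
    threshold: int
    window_seconds: int
    associated_key: Optional[str] = None

    def __post_init__(self) -> None:
        if self.threshold_fn == "count":
            self.associated_key = None    # count() ignores any associated key
            return
        if self.threshold_fn not in ("u_count", "sum"):
            raise ValueError(f"unknown threshold function {self.threshold_fn}")
        if self.associated_key is None:
            raise ValueError(f"{self.threshold_fn}() requires an associated key")
        if META_TYPES.get(self.associated_key) in ("IPv4", "IPv6"):
            raise ValueError("associated key cannot be an IPv4/IPv6 meta type")


class CorrelationEngine:
    """Feed sessions in time order; one sliding bucket per instance-key value."""

    def __init__(self, rule: CorrelationRule) -> None:
        self.rule = rule
        self.buckets: Dict[Tuple, Deque[Tuple[int, Session]]] = defaultdict(deque)
        self.alerts: List[Tuple[int, Tuple]] = []

    def _aggregate(self, bucket: Deque[Tuple[int, Session]]) -> int:
        key = self.rule.associated_key
        if self.rule.threshold_fn == "count":
            return len(bucket)
        values = [s[key] for _, s in bucket if key in s]
        return len(set(values)) if self.rule.threshold_fn == "u_count" else sum(values)

    def feed(self, session: Session) -> Optional[Tuple[int, Tuple]]:
        if not self.rule.condition(session):
            return None                  # Condition not matched: never counted
        now = int(session["time"])
        ik = tuple(session.get(k) for k in self.rule.instance_key)
        bucket = self.buckets[ik]
        bucket.append((now, session))
        # Slide the window: drop sessions older than window_seconds.
        while now - bucket[0][0] >= self.rule.window_seconds:
            bucket.popleft()
        if self._aggregate(bucket) >= self.rule.threshold:
            self.alerts.append((now, ik))
            bucket.clear()               # assumption: re-arm this key after firing
            return (now, ik)
        return None


def sample_sessions() -> List[Session]:
    """Constructed sessions (epoch seconds); not captured traffic."""
    a, b, d1, d2 = "10.0.0.5", "10.0.0.9", "10.0.1.10", "10.0.1.11"
    rows = [  # time, ip.src, ip.dst, service, user.dst, size
        (1000, a, d1, 22, "root", 1200),
        (1010, a, d1, 22, "admin", 900),
        (1020, a, d1, 80, "web", 5000),    # not SSH: condition fails
        (1030, b, d1, 22, "root", 900),    # other ip.src: its own bucket
        (1045, a, d2, 22, "oracle", 700),  # third distinct user from a in 60 s
        (1200, a, d1, 22, "root", 800),
        (1210, a, d1, 22, "root", 800),
        (1215, a, d1, 22, "root", 800),    # third a->d1 session in 60 s
    ]
    keys = ("time", "ip.src", "ip.dst", "service", "user.dst", "size")
    return [dict(zip(keys, r)) for r in rows]


def run_rules() -> Dict[str, List[Tuple[int, Tuple]]]:
    is_ssh = lambda s: s.get("service") == 22
    rules = [
        CorrelationRule("users per source", is_ssh, ("ip.src",), "u_count", 3, 60, "user.dst"),
        CorrelationRule("sessions per pair", is_ssh, ("ip.src", "ip.dst"), "count", 3, 60, "user.dst"),
        CorrelationRule("bytes per source", is_ssh, ("ip.src",), "sum", 2500, 60, "size"),
    ]
    engines = {r.name: CorrelationEngine(r) for r in rules}
    for s in sample_sessions():
        for e in engines.values():
            e.feed(s)
    return {name: e.alerts for name, e in engines.items()}


def rejects_ip_associated_key() -> bool:
    try:
        CorrelationRule("bad", lambda s: True, ("ip.src",), "u_count", 2, 60, "ip.dst")
    except ValueError:
        return True
    return False
```

Calling run_rules() yields one alert per rule: the u_count rule fires at t=1045 for 10.0.0.5 (root, admin, oracle within 60 s), the count rule fires at t=1215 for the pair 10.0.0.5 -> 10.0.1.10 even though every session used the same user, and the sum rule fires at t=1045 once 2800 bytes have accumulated. The three repeated root logons at 1200-1215 never trip u_count, which is the practical difference between the two counting functions when tuning a rule.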

The Rule Editor dialog provides the fields and options needed to define a correlation rule. The fields correspond exactly to the grid columns.

Reset: Resets the contents of the dialog to their values before editing; changes are discarded.
Cancel: Cancels any edits and closes the Rule Editor dialog.
OK: Saves the new or edited rule and adds it to the rules grid. The Rule Editor dialog closes.
Save: (Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Invalid Syntax.