Correlation Rule Edit Enhancements Feature Request

Discussion created by securitysavy on Jun 24, 2011

Community - please note your interest in this feature with a note if you like it.


ESE-485 - If you wish to request this as well from RSA support.



Due to the complexity of correlation rules we have setup for our customers and the significant duplication of effort that happens for each one, we would like a feature to simplify modifying a correlation rule to accommodate a new customer.


We have numerous customers within the same correlation rule, due to enVision application limitations.


  So we’d like:

1)     The ability to support more levels within a correlation rule.  Currently limited to 3 levels (one of which is a limited filter), we’d like to see 5 levels.


2)     The ability to include the names of each “level” to ALL output action types that enVision supports, including SNMP and SMTP.  This currently means the Correlation rule name, the Circuit name and the Statement name .


3)     The ability to perform complex logic within a Statement Filter.  Such as nested SQL with AND/OR’s to group as the customer sees fit.  The current logic prevents a Statement Filter like this:




Customer name: Customer1

Ignore these event matches (per line):

    Var1 = "value3"

    Destination IP = and Var1 = "value1"

    Destination IP = and Var1 = "value2"

    Destination IP = and Source IP = and Var1 = "value2"



SQL logic we appear to need to implement those changes (in general):


Where customer = "Customer1"  AND


    NOT (Var1 = "value3") OR

    NOT (Destination IP = and Var1 = "value1") OR

    NOT (Destination IP = and Source IP = and Var1 = "value2") OR

    NOT (Var1 = "value1")






We feel these features would enable other customers to improve ROI by providing additional capabilities that your customers can take advantage of.  They are also logical additions to your product as customers’ usages grow.  This design shown provides customer flexibility so that any customer may implement the feature as they require.