5.9 Viewing Correlated Events

Correlated events contain detailed information about the trigger events. To view correlated events, perform the following:

  1. Launch the Correlation interface.

    For more information, see Section 5.2, Accessing the Correlation User Interface.

  2. In the Correlation panel, select any rule, then click .

    The events that match the rule criteria are displayed in the search results panel. The correlated events are displayed with the icon.

  3. (Optional) Click to see the correlated event fields and their values. For more information, see Table 5-3.

    You can use the event field IDs to create search queries that find specific correlated events. For example, to find the correlated events that were generated by the correlation rule LoginUser, specify the following query in the Search field:

    st:C AND rt2:LoginUser

    For more information about searching for events, see Section 3.1, Running an Event Search.

  4. (Optional) Click View triggers to view the events that generated the correlated event.