5.11 Managing the Correlation Engine

5.11.1 Using the Correlation Engine Dashboard

The Correlation Engine dashboard provides an overall picture of the health of the engine and the various rules deployed to it. The dashboard provides information on the activity of an engine and provides insights about which rules are behaving as expected and which rules might need additional tuning.

To view the Correlation Engine dashboard, select the desired Correlation Engine in the Correlation panel.

The dashboard displays a simple view of all the rules deployed to that engine and a list of rules available to deploy. You can also see some general information about the engine, such as its current state and how long the engine has been in that state. There is also a summary that shows how many events the engine has processed, and an indication of current utilization of the engine (EPS utilization). In general, you can think of this number as something analogous to CPU utilization, but this metric indicates how much of the capacity of the engine is currently utilized. As the number of rules and the complexity of rules increase along with the current EPS (events per second) rate of the system, you can expect this number to grow larger. The Deployed rules comparison tab provides a more granular view of engine activity. The various tabs represent various statistics, and you can select a given tab to sort the rules (ascending or descending) by these statistics to get a clear picture of how various rules are behaving and consuming resources.

The Correlation Engine dashboard also allows you to manage the engine and the rules in your system:

Managing the Correlation Engine

The following options are available to manage the Correlation Engine:

  • Stop: Stops an active Correlation Engine. When the engine is stopped, it does not monitor events against the deployed rules.

  • Undeploy all: Undeploys all the deployed rules from the engine.

  • Rename: Allows you to rename the engine.

Managing Deployed Rules

This section lists the number of rules and the rules deployed in the engine.

The following options are displayed when you mouse over a rule:

  • View: Opens the Rule dashboard, which provides overall information on the rule. For more information, see Viewing the Rule Dashboard.

  • Disable: Allows you to disable the rule. When a rule is disabled, it does not process the events.

  • Undeploy: Undeploys the rule from the Correlation Engine.

Comparing Deployed Rules

This section helps you compare the rules based on parameters such as fire count, EPS capacity, and memory utilization. You can sort the rules as desired by using the up-arrow and down-arrow icons.

  • Fire count: The number of times the rule has fired since it was deployed or enabled. You can use this information to discover a rule that fires more than expected and that might need to be tuned, or to discover a rule that does not fire as often as you would expect. In either case, this tab guides you to the rules that are the most and least active.

  • Last fired: The last time the rule fired since it was deployed. This statistic is useful for determining the rules that are currently active and inactive in the system. A rule might have fired frequently, but it has not fired recently. Or, a rule might fire infrequently, but it fired recently. This tab gives you a real-time picture of what is active in the engine at any given time.

  • Fire rate: The number of times the rules have fired relative to the events processed by the engine. This statistic is similar to fire count in that it gives an indication of how active a rule is. However, instead of giving a raw count, the fire rate gives a percentage that is relative to the number of events a rule has processed. This normalizes the metric, and rules that were recently deployed can be compared with rules that were deployed at an earlier time.

  • EPS utilization: The events processing time the rule consumes relative to the capacity of the engine. This statistic provides an estimate of the amount of engine capacity a given correlation rule is currently consuming. Rules that are more complex, have time-consuming actions, or fire frequently consume more capacity. You can use this statistic to identify rules that need to be tuned or perhaps moved to another correlation engine for scalability reasons.

  • Memory utilization: The estimated memory utilization of the rule. In addition to EPS utilization, which provides a good picture of how much time a rule consumes relative to the total available processing time of the engine, the memory utilization gives a snapshot of roughly how much memory a rule is consuming. Rules consume memory when they have discriminators specified for fields with multiple values (through the Group by list), and when rules hold events in memory for operations like the advanced “window” operation. Rules that consume a lot of memory are a potential liability to a healthy system and should be carefully reviewed to ensure they are properly written or possibly moved to another engine for scalability reasons.
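The comparison statistics above can be reproduced on exported rule data. The following is an added example, not part of the Sentinel documentation or product: it computes fire rate as the page defines it (fires relative to events the rule processed), ranks rules by any of the statistics, and flags rules that fired in the past but not recently. The RuleStats fields and the sample figures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class RuleStats:
    """Per-rule figures as shown on the Deployed rules comparison tab (assumed layout)."""
    name: str
    fire_count: int            # fires since the rule was deployed or enabled
    events_processed: int      # events the rule has evaluated
    last_fired: Optional[datetime]
    eps_utilization: float     # fraction of engine capacity consumed
    memory_mb: float           # estimated memory held (Group by, window operations)


def fire_rate(rule: RuleStats) -> float:
    """Fire rate as a percentage of the events the rule processed.

    Normalising by events processed lets a recently deployed rule be compared
    with one that has been running for months."""
    if rule.events_processed == 0:
        return 0.0
    return 100.0 * rule.fire_count / rule.events_processed


def rank(rules: List[RuleStats], key: Callable[[RuleStats], float],
         descending: bool = True) -> List[str]:
    """Rule names sorted by a statistic, mirroring the up/down-arrow sort."""
    return [r.name for r in sorted(rules, key=key, reverse=descending)]


def stale_rules(rules: List[RuleStats], now: datetime, max_age: timedelta) -> List[str]:
    """Rules that have fired before but not within max_age (active once, inactive now)."""
    return [r.name for r in rules
            if r.last_fired is not None and now - r.last_fired > max_age]


# Constructed sample: an old, busy rule; a new, proportionally busier rule;
# and a memory-heavy window rule that has never fired.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    RuleStats("Brute force login", 500, 1_000_000, NOW - timedelta(days=3), 0.20, 40.0),
    RuleStats("New admin account", 50, 20_000, NOW - timedelta(minutes=5), 0.05, 2.0),
    RuleStats("Port scan window", 0, 900_000, None, 0.30, 512.0),
]
```

Ranking SAMPLE by fire count puts "Brute force login" first, but ranking by fire rate puts "New admin account" first, which is the normalisation effect the text describes.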

Viewing Engine Details

This section lists the Correlation Engine details so that you can monitor the performance of the Correlation Engine.

  • Engine ID: The Correlation Engine ID.

  • Engine Name: The name of the Correlation Engine.

  • Host IP: The IP address of the host machine where the Correlation Engine is installed.

  • Hostname: The hostname of the machine where the Correlation Engine is installed.

  • State: Whether the status of the Correlation Engine is running or stopped.

  • Events Processed: The number of events processed by the deployed rules since they were deployed.

  • Last changed state: The time the Correlation Engine status was last changed.

  • EPS utilization: The processing time the Correlation Engine consumes relative to the capacity of the engine.

Distributing Events Across Correlation Engines

In a scalable storage setup where the EPS rate is usually high, Correlation Engines could be loaded with a large number of events to process. By default, all events are sent to all Correlation Engines. To avoid event overload, you can check the EPS utilization on the Correlation Engine and then distribute the event load evenly across multiple Correlation Engines as necessary. Distributing events across Correlation Engines not only helps you in balancing the event load, it also helps you segregate events tenant-wise to specific Correlation Engines. For example, in a multi-tenant environment, you can set up designated Correlation Engines for each tenant so that the Correlation Engine processes events specific to each tenant. The option to distribute events across Correlation Engines is available only in Sentinel with scalable storage.

By default, Correlation Engines process all events with severity 0 to 5. You can modify the event criteria as required in the Events Routed to This Engine section. By default, the Correlation Engine processes events from the security.events.normalized Kafka topic. When you modify the default event criteria, Sentinel creates a new dedicated Kafka topic for the Correlation Engine in the security.events.normalized.analytics.<correlation_engine_ID> format so that the Correlation Engine can process only the specific events from this dedicated topic. Sentinel creates a new topic dedicated to each Correlation Engine only the first time you modify the default event criteria. For any subsequent updates to the event criteria, Sentinel updates the dedicated Kafka topic accordingly.

After you modify the event criteria, you must restart data processing in CDH for the changes to take effect. For more information, see Processing Data in the Sentinel Administration Guide.

When you uninstall and delete the Correlation Engine, you must restart data processing and then delete the associated Kafka topics.
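The routing model described above, as an added simulation that is not Sentinel's own code: an engine with the default criteria reads every event from security.events.normalized, while an engine whose criteria have been modified reads only matching events from a dedicated security.events.normalized.analytics.<correlation_engine_ID> topic. The EngineCriteria class, the event dictionaries, the engine IDs and tenant names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_TOPIC = "security.events.normalized"
DEDICATED_TOPIC_FMT = "security.events.normalized.analytics.{engine_id}"


@dataclass
class EngineCriteria:
    """Events Routed to This Engine settings for one Correlation Engine (assumed model)."""
    engine_id: str
    min_severity: int = 0          # default criteria: severity 0 to 5, any tenant
    max_severity: int = 5
    tenant: Optional[str] = None   # None means events from every tenant
    modified: bool = False         # becomes True the first time the defaults change

    def topic(self) -> str:
        """Default engines share the normalized topic; modified ones get a dedicated topic."""
        if self.modified:
            return DEDICATED_TOPIC_FMT.format(engine_id=self.engine_id)
        return DEFAULT_TOPIC

    def matches(self, event: dict) -> bool:
        severity_ok = self.min_severity <= event["severity"] <= self.max_severity
        tenant_ok = self.tenant is None or event.get("tenant") == self.tenant
        return severity_ok and tenant_ok


def set_criteria(engine: EngineCriteria, min_severity: int, max_severity: int,
                 tenant: Optional[str] = None) -> str:
    """Update the engine's criteria and return the topic it will now consume from.

    The first change creates the dedicated topic; later changes keep the same
    topic name and only alter which events land on it."""
    engine.min_severity, engine.max_severity, engine.tenant = min_severity, max_severity, tenant
    engine.modified = True
    return engine.topic()


def route(events: List[dict], engines: List[EngineCriteria]) -> Dict[str, List[dict]]:
    """Map each topic to the events written to it for this batch."""
    routed: Dict[str, List[dict]] = {DEFAULT_TOPIC: list(events)}  # all events, by default
    for engine in engines:
        if engine.modified:
            routed[engine.topic()] = [ev for ev in events if engine.matches(ev)]
    return routed


# Constructed sample batch: two tenants, severities 0 to 5.
SAMPLE_EVENTS = [
    {"id": 1, "severity": 1, "tenant": "acme"},
    {"id": 2, "severity": 4, "tenant": "acme"},
    {"id": 3, "severity": 5, "tenant": "globex"},
    {"id": 4, "severity": 3, "tenant": "acme"},
    {"id": 5, "severity": 0, "tenant": "globex"},
]
```

Because a dedicated topic is derived from the normalized stream, the data processing restart the text requires is what makes a newly created or updated dedicated topic start receiving events; deleting an engine leaves its topic behind until you remove it.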

Viewing Available Rules

This section lists the available rules in the system that are not deployed in the Correlation Engine. It also allows you to select rules and deploy them in the Correlation Engine.

5.11.2 Stopping or Starting a Correlation Engine

The Correlation Engine is in the Start mode by default and keeps processing events for the rules deployed in the engine. You can determine when the Correlation Engine should process the events and start or stop the Correlation Engine accordingly.