4.4 Creating Correlation Rules

The procedure to create various types of Correlation rules is the same for all rule types, except for a few steps that are specific to each rule type.

NOTE: Events are evaluated against the subrules in the specified order until a match is made, so order subrules accordingly: place more narrowly defined subrules and more important subrules at the beginning of the list.

4.4.1 Creating a Simple Rule

A simple rule has just one subrule. You can specify additional criteria if you want the rule to fire when all or any of the specified criteria are met. You can also specify the number of times the event should occur for the rule to fire.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 4.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Repeat Step 3 and Step 4.

    2. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    4. Specify the time frame within which the subrule should fire.

    5. (Conditional) Group the events according to specific event fields by selecting the event field from the Group by drop-down list. You can select one or more event fields.

  6. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Section 4.5, Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.

  8. Click Save As.

  9. Specify a name for the rule and an optional description, then click OK.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 4.8, Deploying Rules in the Correlation Engine.

4.4.2 Creating a Sequence Rule

A sequence rule has two or more subrules that fire in sequence. You can use a sequence rule when you want the rule to fire if its subrules meet the specified criteria in the specified sequence within the defined time frame.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 4.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    3. Specify the time frame within which the subrule should fire.

    4. (Conditional) Group the events according to specific event fields by selecting the event field from the Group by drop-down list. You can select one or more event fields.

  6. To add additional subrules, click Subrule, then repeat Step 3 through Step 5 to specify the subrule criteria.

  7. In the Rule Type drop-down list, select Sequence rule.

  8. Specify the time frame within which the rule should fire.

  9. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Section 4.5, Associating Actions to a Rule.

  10. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.

  11. Click Save As.

  12. Specify a name for the rule and an optional description, then click Save.

  13. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 4.8, Deploying Rules in the Correlation Engine.

4.4.3 Creating a Composite Rule

A composite rule has two or more subrules that fire according to the criteria you define.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 4.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    3. Specify the time frame within which the subrule should fire.

    4. (Conditional) Group the events according to specific event fields by selecting the event field from the Group by drop-down list. You can select one or more event fields.

  6. Complete Step 1 through Step 5 in Section 4.4.1, Creating a Simple Rule.

  7. To add additional subrules, click Subrule, then repeat Step 3 through Step 5 to specify the subrule criteria.

  8. In the Rule Type drop-down list, select Composite rule.

  9. Select one of the following:

    • Composite Rule (AND): The rule fires if all the subrules meet the specified criteria within the defined time frame.

    • Composite Rule (OR): The rule fires if any of the subrules meets the specified criteria within the defined time frame.

  10. (Conditional) If you selected Composite Rule (OR), use the Count field to specify the number of subrules that should meet the specified criteria.

    The value in the Count field must be less than the number of subrules. For example, if there are 5 subrules and you specify the count as 3, the rule fires if one, two, or three subrules meet the specified criteria.

  11. Specify the time frame within which the rule should fire.

  12. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Section 4.5, Associating Actions to a Rule.

  13. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.

  14. Click Save As.

  15. Specify an intuitive name for the rule and an optional description, then click Save.

  16. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 4.8, Deploying Rules in the Correlation Engine.
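The three rule shapes described above (a simple rule with a Count, time frame and Group by; a sequence rule whose subrules must match in order within a time frame; a composite rule whose subrules match in any order with AND or OR), together with the ordering rule in the NOTE at the top of this section, are easier to reason about when the evaluation logic is written out. The following is an added illustration in Python, not Sentinel's engine code or its rule expression syntax; the event field names (evt, sip, sev), the sample events and the function names are all constructed for the example, and the Count field of a Composite Rule (OR) is not modelled.

```python
"""Toy evaluator for the correlation rule shapes described in Section 4.4.
Added illustration only; field names, sample events and function names are
assumptions made for this example, not Sentinel identifiers."""
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, event fields).
EVENTS = [
    (0,   {"evt": "Failed login",     "sip": "10.0.0.5", "sev": 3}),
    (10,  {"evt": "Failed login",     "sip": "10.0.0.5", "sev": 3}),
    (20,  {"evt": "Failed login",     "sip": "10.0.0.9", "sev": 3}),
    (25,  {"evt": "Failed login",     "sip": "10.0.0.5", "sev": 3}),
    (40,  {"evt": "Successful login", "sip": "10.0.0.5", "sev": 1}),
    (500, {"evt": "Failed login",     "sip": "10.0.0.9", "sev": 3}),
]


def first_matching_subrule(event, predicates):
    """Subrules are checked in list order and the first match wins (the NOTE in
    Section 4.4), so a broad subrule placed first shadows a narrower one."""
    for i, pred in enumerate(predicates):
        if pred(event):
            return i
    return None


def simple_rule(events, predicate, count=1, window=0, group_by=()):
    """Simple rule: one subrule. Fires when `count` matching events occur within
    `window` seconds. With group_by, the count is kept per distinct value of the
    chosen fields (the Group by list). Returns [(fire_time, group_key), ...]."""
    fired = []
    buckets = defaultdict(deque)          # group key -> timestamps of matches
    for ts, e in events:
        if not predicate(e):
            continue
        key = tuple(e.get(f) for f in group_by)
        q = buckets[key]
        q.append(ts)
        while q and ts - q[0] > window:   # discard matches outside the time frame
            q.popleft()
        if len(q) >= count:
            fired.append((ts, key))
            q.clear()                     # start a fresh count after firing
    return fired


def sequence_rule(events, predicates, window):
    """Sequence rule: subrules must match in the given order, all within
    `window` seconds of the first match. One sequence is tracked at a time."""
    fired = []
    state = None                          # (start_ts, index of next subrule)
    for ts, e in events:
        if state and ts - state[0] > window:
            state = None                  # time frame expired before completion
        if state is None:
            if predicates[0](e):
                state = (ts, 1)
        elif predicates[state[1]](e):
            state = (state[0], state[1] + 1)
        if state and state[1] == len(predicates):
            fired.append(ts)
            state = None
    return fired


def composite_rule(events, predicates, window, mode="AND"):
    """Composite rule: subrules may match in any order. AND fires once every
    subrule has matched within `window` seconds; OR fires as soon as any
    subrule matches within the time frame."""
    if mode not in ("AND", "OR"):
        raise ValueError("mode must be AND or OR")
    needed = len(predicates) if mode == "AND" else 1
    fired = []
    last_match = {}                       # subrule index -> latest match time
    for ts, e in events:
        for i, pred in enumerate(predicates):
            if pred(e):
                last_match[i] = ts
        live = [i for i, t in last_match.items() if ts - t <= window]
        if len(live) >= needed:
            fired.append(ts)
            last_match.clear()
    return fired


if __name__ == "__main__":
    failed = lambda e: e["evt"] == "Failed login"
    success = lambda e: e["evt"] == "Successful login"
    print("simple, 3 failed logins per sip within 60 s:",
          simple_rule(EVENTS, failed, count=3, window=60, group_by=("sip",)))
    print("sequence, failed then successful within 60 s:",
          sequence_rule(EVENTS, [failed, success], window=60))
    print("composite AND within 60 s:",
          composite_rule(EVENTS, [failed, success], window=60, mode="AND"))
```

Run with no arguments to see which sample events make each rule fire. The simple-rule bucket is cleared after every fire, so three further matches are needed before it fires again; the sequence evaluator drops its in-flight candidate as soon as the time frame expires, which is why a shorter window can silently suppress a match that a longer one would report.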

4.4.4 Creating a Free-Form Rule

If you are familiar with the rule expression syntax, you can create correlation rules by manually specifying the rule expression. You can use free-form rules to create complex rules by using additional operators such as Window, Intersection, and Union.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 4.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the subrule window, click to switch to the free-form view.

  4. Specify the criteria for the rule.

    As you type the rule expression, the Free-form editor validates the rule expression syntax and indicates errors if the syntax is wrong.

    For more information on the rule expression syntax, see Section B.0, Correlation Rule Expression Syntax.

  5. (Optional) Click to view the rule in a structured format.

    Free-form expressions that include the Window operator or a combination of AND and OR operators are not supported in the structured view.

  6. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Section 4.5, Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.

  8. Click Save As.

  9. Specify an intuitive name for the rule and an optional description, then click Save.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 4.8, Deploying Rules in the Correlation Engine.

4.4.5 Creating Correlation Rules From Search Results

  1. In the search results panel, select the events from which you want to create a Correlation rule.

  2. In the Events Operations drop-down list, select one of the following:

    • Add to correlation rule: Adds the selected events to an existing rule.

    • Create correlation rule: Creates a new rule with the selected events.

  3. (Conditional) If you selected Create correlation rule, the Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder. Skip to Step 5.

  4. (Conditional) If you selected Add to correlation rule, the Add events to an existing rule window is displayed, listing the rules in the system.

    Select a rule, then click OK.

    The Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder.

  5. From the event list, drag the attributes that you want to add to the rule to the Subrule window.

  6. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Section 4.5, Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.

  8. Click Save As.

  9. Specify an intuitive name for the rule and an optional description, then click Save.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 4.8, Deploying Rules in the Correlation Engine.