The procedure to create various types of Correlation rules is the same for all rule types, except for a few steps that are specific to each rule type.
NOTE: Events are evaluated by rules in the specified order until a match is made, so you should order subrules accordingly. More narrowly defined subrules and more important subrules should be placed at the beginning of the list.
A simple rule has just one subrule. You can specify additional criteria if you want the rule to fire when all or any of the specified criteria are met. You can also specify the number of times the event should occur for the rule to fire.
Launch the Correlation Rule Builder.
For more information, see Section 4.2, Accessing the Correlation User Interface.
Click .
In the Subrule window, click .
The Expression Builder is displayed. For more information, see Expression Builder.
Select the criteria for the rule, then click .
The specified criteria are displayed in the subrule window.
(Conditional) Specify additional expressions as necessary:
Select either of the following conditions:
AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.
OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.
In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the , , and fields are enabled.
Specify the time frame within which the subrule should fire.
(Conditional) Group the events according to a specific event field by selecting the event field from the drop-down list. You can select one or more event fields.
(Optional) To associate one or more actions to the rule, click in the Actions panel.
For more information on associating actions, see Section 4.5, Associating Actions to a Rule.
(Optional) To test whether the rule works as expected, click .
For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.
Click .
Specify a name for the rule and an optional description, then click .
Deploy the rule in the Correlation Engine so that events can be processed according to the rule.
For more information, see Section 4.8, Deploying Rules in the Correlation Engine.
A sequence rule has two or more subrules that fire in sequence. You can use a sequence rule when you want the rule to fire if its subrules meet the specified criteria in the specified sequence within the defined time frame.
Launch the Correlation Rule Builder.
For more information, see Section 4.2, Accessing the Correlation User Interface.
Click .
In the Subrule window, click .
The Expression Builder is displayed. For more information, see Expression Builder.
Select the criteria for the rule, then click .
The specified criteria are displayed in the subrule window.
(Conditional) Specify additional expressions as necessary:
Select either of the following conditions:
AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.
OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.
In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the , , and fields are enabled.
Specify the time frame within which the subrule should fire.
(Conditional) Group the events according to specific event fields by selecting the event field from the drop-down list. You can select one or more event fields.
To add additional subrules, click , then repeat Step 3 through Step 5 to specify the subrule criteria.
In the Rule Type drop-down list, select .
Specify the time frame within which the rule should fire.
(Optional) To associate one or more actions to the rule, click in the Actions panel.
For more information on associating actions, see Section 4.5, Associating Actions to a Rule.
(Optional) To test whether the rule works as expected, click .
For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.
Click .
Specify a name for the rule and an optional description, then click .
Deploy the rule in the Correlation Engine so that events can be processed according to the rule.
For more information, see Section 4.8, Deploying Rules in the Correlation Engine.
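As an added illustration (not Sentinel's own engine or its rule expression syntax), the following Python models how the simple rule's Count, time frame and group-by settings and the sequence rule's ordered subrules decide when a rule fires. The event stream, field names and thresholds are constructed for the example.

```python
"""Toy evaluator for two of the rule types described above: a simple rule with a
count, time frame and group-by field, and a sequence rule. Added illustration,
not Sentinel's engine or its expression syntax; events are constructed."""
from collections import defaultdict

EVENTS = [  # constructed sample stream: ts in seconds
    {"ts": 0, "name": "LoginFailed", "user": "alice"},
    {"ts": 5, "name": "LoginFailed", "user": "alice"},
    {"ts": 9, "name": "LoginFailed", "user": "bob"},
    {"ts": 12, "name": "LoginFailed", "user": "alice"},
    {"ts": 20, "name": "LoginOK", "user": "alice"},
    {"ts": 400, "name": "PrivEscalate", "user": "alice"},
]

def matches(expr, ev):
    """expr is a list of (field, value) pairs joined with AND."""
    return all(ev.get(f) == v for f, v in expr)

def simple_rule(events, expr, count, window, group_by=None):
    """Fire when `count` matching events fall within `window` seconds,
    counted per value of `group_by` (None = one shared bucket)."""
    buckets, fired = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches(expr, ev):
            continue
        key = ev.get(group_by) if group_by else None
        hits = buckets[key]
        hits.append(ev["ts"])
        hits[:] = [t for t in hits if ev["ts"] - t <= window]  # slide window
        if len(hits) >= count:
            fired.append((key, ev["ts"]))
            hits.clear()  # start counting afresh after firing
    return fired

def sequence_rule(events, exprs, window):
    """Fire when the subrules in `exprs` match in order, all within
    `window` seconds of the first subrule's match."""
    fired, start, stage = [], None, 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        if start is not None and ev["ts"] - start > window:
            start, stage = None, 0  # time frame expired, drop partial match
        if matches(exprs[stage], ev):
            start = ev["ts"] if stage == 0 else start
            stage += 1
            if stage == len(exprs):
                fired.append(ev["ts"])
                start, stage = None, 0
    return fired
```

Grouping by user makes three failures for alice fire without counting bob's attempt, and the sequence rule fires only when the subrules match in the given order inside the time frame.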
A composite rule has two or more subrules that fire according to the criteria you define.
Launch the Correlation Rule Builder.
For more information, see Section 4.2, Accessing the Correlation User Interface.
Click .
In the Subrule window, click .
The Expression Builder is displayed. For more information, see Expression Builder.
Select the criteria for the rule, then click .
The specified criteria are displayed in the subrule window.
(Conditional) Specify additional expressions as necessary:
Select either of the following conditions:
AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.
OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.
In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the , , and fields are enabled.
Specify the time frame within which the subrule should fire.
(Conditional) Group the events according to specific event fields by selecting the event field from the drop-down list. You can select one or more event fields.
Complete Step 1 through Step 5 in Section 4.4.1, Creating a Simple Rule.
To add additional subrules, click , then repeat Step 3 through Step 5 to specify the subrule criteria.
In the Rule Type drop-down list, select .
Select one of the following:
Composite Rule (AND): The rule fires if all the subrules meet the specified criteria within the defined time frame.
Composite Rule (OR): The rule fires if any of the subrules meets the specified criteria within the defined time frame.
(Conditional) If you selected Composite Rule (OR), use the Count field to specify the number of subrules that should meet the specified criteria. The value in the Count field must be less than the number of subrules. For example, if there are 5 subrules and you specify the count as 3, the rule fires if one, two, or three subrules meet the specified criteria.
Specify the time frame within which the rule should fire.
(Optional) To associate one or more actions to the rule, in the Actions panel, click .
For more information on associating actions, see Section 4.5, Associating Actions to a Rule.
(Optional) To test whether the rule works as expected, click .
For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.
Click .
Specify an intuitive name for the rule and an optional description, then click .
Deploy the rule in the Correlation Engine so that events can be processed according to the rule.
For more information, see Section 4.8, Deploying Rules in the Correlation Engine.
If you are familiar with the rule expression syntax, you can create correlation rules by manually specifying the rule expression. You can use free-form rules to create complex rules by using additional operators such as Window, Intersection, and Union.
Launch the Correlation Rule Builder.
For more information, see Section 4.2, Accessing the Correlation User Interface.
Click .
In the subrule window, click to switch to the free-form view.
Specify the criteria for the rule.
As you type the rule expression, the Free-form editor validates the rule expression syntax and indicates errors if the syntax is wrong.
For more information on the rule expression syntax, see Section B.0, Correlation Rule Expression Syntax.
(Optional) Click to view the rule in a structured format.
Free-form expressions that include the Window operator or a combination of AND and OR operators are not supported in the structured view.
(Optional) To associate one or more actions to the rule, in the Actions panel, click .
For more information on associating actions, see Section 4.5, Associating Actions to a Rule.
(Optional) To test whether the rule works as expected, click .
For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.
Click .
Specify an intuitive name for the rule and an optional description, then click .
Deploy the rule in the Correlation Engine so that events can be processed according to the rule.
For more information, see Section 4.8, Deploying Rules in the Correlation Engine.
In the search results panel, select the events from which you want to create a Correlation rule.
In the drop-down list, select one of the following:
Add to correlation rule: Adds the selected events to an existing rule.
Create correlation rule: Creates a new rule with the selected events.
(Conditional) If you selected Create correlation rule, the Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder. Skip to Step 5.
(Conditional) If you selected Add to correlation rule, the Add events to an existing rule window is displayed, listing the rules in the system.
Select a rule, then click .
The Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder.
From the event list, drag the attributes that you want to add to the rule to the Subrule window.
(Optional) To associate one or more actions to the rule, in the Actions panel, click .
For more information on associating actions, see Section 4.5, Associating Actions to a Rule.
(Optional) To test whether the rule works as expected, click .
For more information on testing the rule, see Section 4.6, Testing a Correlation Rule.
Click .
Specify an intuitive name for the rule and an optional description, then click .
Deploy the rule in the Correlation Engine so that events can be processed according to the rule.
For more information, see Section 4.8, Deploying Rules in the Correlation Engine.