Types of Correlation

The system supports two primary correlation approaches for alert configuration:

  • Single Event Alert - These alerts trigger based on individual events matching specific criteria.
    Example: Administrator logons detected outside business hours.

  • Correlated Events - Multiple rules connected through shared fields, executed sequentially within a defined time window. This approach enables complex alert logic through event chains.

Alert/Action methods for Correlated events

  • Single Event Trigger: Activates when the first matching event correlates with previous events in the chain.
  • Multiple Events Trigger: Requires the following configurable conditions:
      • Rule Trigger Type: Single Event Trigger, Count-based, Sum-based, Average-based, Distinct Count-based
      • Min. Threshold: Minimum value that triggers the alert when the time window expires
      • Max. Threshold: Maximum value that triggers the alert before the time window expires
      • TTL (Time to Live): Duration of the correlation window, in seconds
      • Pivot Field: Numeric field used for threshold calculations

Rule Trigger Types

  • Count-Based Trigger: Activated when the number of matching events reaches the maximum threshold before the TTL (Time to Live) expires, or when the minimum threshold is met upon TTL expiration.

  • Sum-Based Trigger: Activated when the sum of a numeric field (defined in the Pivot Field setting) is greater than or equal to the maximum threshold before TTL expires, or greater than or equal to the minimum threshold at TTL expiration.

  • Average-Based Trigger: Activated when the average of a numeric field (defined in the Pivot Field setting) is greater than or equal to the minimum threshold at TTL expiration.

  • Distinct Count-Based Trigger: Activated when the number of unique values of a specified field reaches the maximum threshold before the TTL (Time to Live) expires, or when it reaches the minimum threshold upon TTL expiration.

Three condition types enable precise event matching:

  • FIELD CONDITION - Compares event fields with static values.

  • REPORT CONDITIONS - Compares the current event with a predefined report selected by the user.

  • CORRELATION CONDITION - Compares a value in the current event with a value from previous events within the correlation chain.
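To make the trigger types above (count, sum, average, distinct count with their min/max thresholds and TTL) and the field and correlation conditions concrete, here is a small Python model of those semantics. It is an added example, not the product's own code: the class and function names (CorrelationRule, run_rule, metric), the rule definitions and the sample failed-logon events are all constructed for illustration, and the way a chain is discarded after a max-threshold alert is an assumption about the engine, not something the page states.

```python
"""Model of the correlation-window semantics described above. Added example,
not the product's own code; all names and sample data are assumptions."""
import operator
from dataclasses import dataclass, field
from typing import Callable, Optional

_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass
class CorrelationRule:
    name: str
    trigger: str                     # "count", "sum", "average" or "distinct_count"
    key_field: str                   # shared field that links events into one chain
    ttl: int                         # correlation window (TTL) in seconds
    min_threshold: float             # compared when the window expires
    max_threshold: Optional[float] = None  # compared on each event before expiry; unused by "average"
    pivot_field: Optional[str] = None      # field that sum/average/distinct_count operate on
    field_conditions: list = field(default_factory=list)  # FIELD CONDITION: (field, op, static value)
    # CORRELATION CONDITION: current event vs. the previous events already in the chain
    correlation_condition: Optional[Callable[[dict, list], bool]] = None


def field_conditions_hold(rule, event):
    return all(_OPS[op](event.get(f), v) for f, op, v in rule.field_conditions)


def metric(rule, chain):
    """Value that the rule's trigger type compares against its thresholds."""
    if rule.trigger == "count":
        return len(chain)
    values = [e[rule.pivot_field] for e in chain]
    if rule.trigger == "sum":
        return sum(values)
    if rule.trigger == "average":
        return sum(values) / len(values) if values else 0.0
    if rule.trigger == "distinct_count":
        return len(set(values))
    raise ValueError(f"unknown trigger type {rule.trigger!r}")


def run_rule(rule, events, end_time):
    """Replay time-ordered events through one rule. Returns (key, time, reason, value)
    per alert: reason "max" = threshold hit before the TTL, "min" = met at expiry."""
    chains = {}   # key value -> (window start, [events in chain])
    alerts = []

    def expire(key):
        start, chain = chains.pop(key)
        value = metric(rule, chain)
        if value >= rule.min_threshold:
            alerts.append((key, start + rule.ttl, "min", value))

    for ev in events:
        if not field_conditions_hold(rule, ev):
            continue
        key = ev[rule.key_field]
        if key in chains and ev["ts"] - chains[key][0] >= rule.ttl:
            expire(key)                       # old window closed; this event opens a new one
        if key in chains and rule.correlation_condition \
                and not rule.correlation_condition(ev, chains[key][1]):
            continue                          # does not correlate with the existing chain
        chain = chains.setdefault(key, (ev["ts"], []))[1]
        chain.append(ev)
        if rule.trigger != "average" and rule.max_threshold is not None:
            value = metric(rule, chain)
            if value >= rule.max_threshold:
                alerts.append((key, ev["ts"], "max", value))
                del chains[key]               # assumption: chain consumed, next event starts fresh
    for key in list(chains):                  # windows still open when the replay ends
        if end_time - chains[key][0] >= rule.ttl:
            expire(key)
    return alerts


def _e(ts, kind, user, ip, nbytes):           # constructed sample event, ts in seconds
    return {"ts": ts, "event_type": kind, "user": user, "src_ip": ip, "bytes": nbytes}

EVENTS = [  # constructed sample data, not taken from any real system
    _e(0, "logon_failed", "alice", "10.0.0.5", 200), _e(5, "logon_failed", "bob", "10.0.0.7", 300),
    _e(10, "logon_failed", "alice", "10.0.0.5", 200), _e(15, "logon_failed", "bob", "10.0.0.8", 300),
    _e(20, "logon_failed", "alice", "10.0.0.5", 200), _e(25, "logon_failed", "bob", "10.0.0.9", 300),
    _e(30, "logon_failed", "alice", "10.0.0.5", 200), _e(35, "logon_ok", "carol", "10.0.0.3", 50),
    _e(40, "logon_failed", "alice", "10.0.0.5", 200), _e(90, "logon_failed", "carol", "10.0.0.3", 100),
    _e(100, "logon_failed", "carol", "10.0.0.3", 100), _e(110, "logon_failed", "carol", "10.0.0.3", 100),
]

COMMON = dict(key_field="user", ttl=60, field_conditions=[("event_type", "==", "logon_failed")])
SAME_SOURCE = lambda current, previous: current["src_ip"] == previous[0]["src_ip"]
BRUTE_FORCE = CorrelationRule("failures_single_source", "count", min_threshold=3, max_threshold=5,
                              correlation_condition=SAME_SOURCE, **COMMON)
SPRAY_SOURCES = CorrelationRule("failures_many_sources", "distinct_count", min_threshold=2,
                                max_threshold=3, pivot_field="src_ip", **COMMON)
BYTES_SUM = CorrelationRule("failed_bytes_sum", "sum", min_threshold=500, max_threshold=1000,
                            pivot_field="bytes", **COMMON)
BYTES_AVG = CorrelationRule("failed_bytes_avg", "average", min_threshold=250, pivot_field="bytes", **COMMON)

if __name__ == "__main__":
    for rule in (BRUTE_FORCE, SPRAY_SOURCES, BYTES_SUM, BYTES_AVG):
        print(rule.name, run_rule(rule, EVENTS, end_time=200))
```

Running the script replays the same twelve events through four rules. BRUTE_FORCE fires for alice by reaching the max threshold at t=40 and for carol by meeting the min threshold when her window expires, while bob's events from changing source IPs fail the correlation condition and never build a chain; SPRAY_SOURCES is the mirror image and fires only for bob. The sum and average rules show the asymmetry on the page: a sum can fire early on the max threshold, an average is only evaluated at TTL expiry.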

For additional information on alerts, refer to the following link: Alerts Module

Data Transformation Service (DTS) Module - Using advanced filters, events can be matched to a Data Acquisition Rule (DA Rule), which applies a transformation script to allow further customization. This enables direct interaction with the event data and the ability to define long-term storage options. Additionally, the module supports actions such as sending alerts or emails, temporarily storing or retrieving data for future correlation, querying historical events in short-term storage (Online DataStorage), or dropping events as needed.

For additional information on DTS, refer to the following link: How to create a DTS Alert