Managing correlation rules
The Manage Rules page provides options to modify, delete, enable, disable, hide, and show rules, and to set up an alert profile for each rule. Navigate to this page by clicking the Manage Rules button in the bottom left corner of the Correlation tab page.
Creating a Correlation rule
Log360 Cloud comes with a Custom Correlation Rule Builder which allows you to create custom rules using a drag and drop interface. While creating the rules, you can specify the threshold limit, filters, and more.
- Click on the Create Correlation rule button placed at the top right corner of the Manage Rules page.
- Select the individual actions from the predefined list specified on the left pane and in the required sequential order. You can also search for actions using the search bar on the top.
- Check the Threshold limit check box and enter the number of occurrences and time interval.
- Select the next action and, under the Followed by within label, specify the time interval (seconds or minutes) within which it has to follow the previous action.
- Click Create.
Note: It will take up to fifteen minutes for Log360 Cloud to start correlating the logs after the rules are set. Newly set correlation rules do not take historic logs into account.
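A minimal correlator that applies a rule of the kind built above (a threshold limit on one action, followed within a time window by another action) to a constructed event stream. This is an added illustration, not Log360 Cloud's own code; the rule, event names, and timings are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Step:
    action: str
    count: int = 1              # threshold limit: occurrences required
    window: float = 0.0         # seconds within which those occurrences must fall
    followed_within: float = 0.0  # max seconds after the previous step completed (first step: ignored)

@dataclass
class Rule:
    name: str
    steps: List[Step]

def correlate(rule: Rule, events: List[Tuple[float, str]]) -> List[float]:
    """Return the timestamps at which the rule fires; events are (timestamp, action), sorted by time."""
    hits = []
    idx = 0            # step currently being matched
    prev_done = None   # time the previous step was satisfied
    buf = deque()      # timestamps of events matching the current step
    for ts, action in events:
        step = rule.steps[idx]
        if idx > 0 and ts - prev_done > step.followed_within:
            # Follow-up window expired: discard partial progress and start over.
            idx, prev_done, buf = 0, None, deque()
            step = rule.steps[0]
        if action != step.action:
            continue
        buf.append(ts)
        while buf and ts - buf[0] > step.window:   # drop events outside the sliding window
            buf.popleft()
        if len(buf) >= step.count:
            prev_done, idx = ts, idx + 1
            buf.clear()
            if idx == len(rule.steps):
                hits.append(ts)
                idx, prev_done = 0, None
    return hits

# Hypothetical rule: 5 failed logons within 60 s, followed within 120 s by a successful logon.
BRUTE_FORCE_RULE = Rule("failed logons followed by success", [
    Step("logon_failure", count=5, window=60),
    Step("logon_success", followed_within=120),
])

# Constructed sample stream (seconds, action): the first burst fires the rule, the second does not.
SAMPLE_EVENTS = [
    (0, "logon_failure"), (10, "logon_failure"), (20, "logon_failure"),
    (30, "logon_failure"), (40, "logon_failure"), (100, "logon_success"),
    (500, "logon_failure"), (510, "logon_failure"), (520, "logon_success"),
]

if __name__ == "__main__":
    print(correlate(BRUTE_FORCE_RULE, SAMPLE_EVENTS))  # → [100]
```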
Activating and deactivating rules:
- From the Manage Rules page, select the rule which you want to activate.
- Click on the Manage dropdown list and select Activate.
- To disable a rule, click on Deactivate in the same list.
Editing and deleting rules:
- Select the rule you want to edit.
- Click on the Update rule icon to open the correlation rule builder. Modify the rule on this page.
- To delete a rule, select it and click on the Delete rule icon.
Correlation Alert Profile
You can enable a correlation alert profile to configure email notifications that deliver the triggered correlation reports.
View and manage correlation alerts under the Alerts tab of the product:
- View correlation alerts, assign owners and track their status under Correlation Alert Profiles.
- Update notification settings for each correlation alert profile on the Manage Alert Profile page.
You can also add or map a triggered correlation alert as an incident, assign a security technician to respond to it, and track its status by following the same steps used for adding a normal alert as an incident.