Help Document

Understanding correlation

Correlation is the process of analyzing different events that happen in a sequence and identifying the relationship between them. Correlating the events happening in your network can provide a better context of the incident which would've been missed out while looking at an individual level.

For example, a single password failure is a normal event. But a hundred failures followed by a successful login within a minute can indicate a potential breach.

Correlation rules in Log360 Cloud

Correlation rules in Log360 Cloud is an expression that allows users to define the sequences of events which could indicate an anomaly or a security loophole.

The following image illustrates the parameters in a correlation rule:

Understanding correlation

Action - Any event that happens in the network. For example, a failed logon.

Time window between the actions - Indicates the time gap between the different events specified in the logical sequence.

Threshold - The minimum number of times the action must occur within the specified time window.

Filters - Allows users to specify the conditions for each action. For example, you can include the range of IP addresses you need to monitor in the network

Recommendations for optimized correlation rule configuration

  • Since correlation is a memory intensive process, be sure to create/enable rules only for the most important use cases.
  • If a rule is creating a lot of false positives, adjust the rule parameters to reduce or avoid them altogether.
Note: A single rule can contain up to 3 actions (or criteria) that can each be evaluated 10000 times per hour. Log360 Cloud can handle up to 10 active rules in total. . Each rule can be triggered up to 5000 times per day.