Learn how to set up a correlation policy that generates ActOns from situations manually.
A Correlation policy is built from rules, services, signal responses, and remediation. Domain and Organization users can import all rules previously defined for their respective tenants. Refer to this documentation on how a correlation policy works.
User Permissions
- Global Administrators
- Account Owners
- Configuration Managers
To add a Correlation Policy,
1. Navigate to Configurations --> Correlation Policy.
2. Click Create New Policy on the top right corner of your screen.
3. Enter Correlation Name.
4. Enter Situation Title.
   a. Check the box to preserve the existing title for signals correlated using this policy.
   b. Click Add Macro. A window appears on your screen. Select an option from the dropdown list, then click Add Macro.
      - cited:
      - count:
      - to_list:
      - top:
      - unique:
      - unique_count:
   c. Click Add Field. A window appears on your screen. Select an option from the dropdown list, then click Add Field.
      - Asset Name:
      - Asset Sub_type:
      - Asset tag:
      - Asset type:
      - Category:
      - Class:
      - Component:
      - Metric:
      - Resource Type:
      - Security Event Names:
      - Security File Names:
      - Security Log Source Names:
      - Security Log Source Type Names:
      - Security Network Destination IP:
      - Security Network Source IP:
      - Security Principal Hosts:
      - Security Recipients:
      - Security Rule ID:
      - Security Senders:
      - Security Target Hosts:
      - Security Target URLs:
      - Security User Agents:
      - Security User Names:
      - Signal Source:
      - Signal Subject:
      - Signal Tag:
      - Site Name:
      - Sub Category:
      - Sub Class:
5. Click +Add Condition or +Add Group to enable matching conditions.
   - Select an Attribute, Operator, and Value from the respective dropdown menus.
   - Click X to remove a condition.
   - Enable Negate next to a condition to negate that condition.
   - Check the box next to Match All to select all the conditions that you have added.
6. Click Add Fields to Correlate. A window appears on the screen.
   a. Select an option from the dropdown list. The options are the same as the field list in step 4.
7. Under Correlation Time Window,
   a. Select Window Type from the dropdown menu.
      - Fixed: After a fixed time, correlation of signals stops.
      - Sliding: The time window moves with the addition of each new signal or instance.
      - Open Signal: No time window is applied.
   b. Select Type from the dropdown menu.
      - Days
      - Hours
      - Minutes
8. Enable Rule Isolation if you would like to isolate the rule that you have created.
9. Click Create Correlation.
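The steps above configure four things that interact at run time: the matching conditions (with Negate and Match All), the Fields to Correlate that key a situation, the time window type that decides when a key starts a fresh situation, and the macros that render the Situation Title. The following added example, which is not product code and is not part of this page's original content, models those pieces in Python so the difference between Fixed, Sliding, and Open Signal windows can be observed on constructed sample signals. The operator names (`equals`, `contains`), the `{macro:Field}` title syntax, the `cited` macro being omitted, and the window semantics are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample signals (not real data). Times are minutes after T0.
T0 = datetime(2024, 1, 1, 0, 0)

def _signal(minutes, user, src_ip, event):
    return {"time": T0 + timedelta(minutes=minutes),
            "Security User Names": user,
            "Security Network Source IP": src_ip,
            "Security Event Names": event}

SIGNALS = [
    _signal(0, "alice", "10.0.0.1", "Login Failed"),
    _signal(1, "bob", "10.0.0.3", "Login Failed"),
    _signal(2, "alice", "10.0.0.2", "Login Failed"),
    _signal(3, "alice", "10.0.0.1", "Login Success"),  # filtered out by the condition
    _signal(6, "alice", "10.0.0.1", "Login Failed"),   # outside a 5-minute fixed window, inside a sliding one
]

# Operators assumed for the Attribute / Operator / Value condition editor.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in str(actual),
}

def condition_matches(signal, cond):
    """Evaluate one condition; the Negate flag inverts its result."""
    hit = OPERATORS[cond["operator"]](signal.get(cond["attribute"]), cond["value"])
    return not hit if cond.get("negate") else hit

def policy_matches(signal, conditions, match_all=True):
    """Match All requires every condition to hold; otherwise any one is enough."""
    results = [condition_matches(signal, c) for c in conditions]
    return all(results) if match_all else any(results)

# Situation-title macros: each receives one field's values across a situation's signals.
MACROS = {
    "count": lambda vals: len(vals),
    "unique": lambda vals: sorted(set(vals)),
    "unique_count": lambda vals: len(set(vals)),
    "to_list": lambda vals: list(vals),
    "top": lambda vals: Counter(vals).most_common(1)[0][0],
}

def correlate(signals, conditions, match_all, fields, window_type, window=timedelta(0)):
    """Group matching signals into situations keyed by the Fields to Correlate.

    fixed:   the window starts at the first signal and does not move.
    sliding: each new signal moves the window end forward by `window`.
    open:    no time window; every signal with the same key joins one situation.
    """
    situations, open_by_key = [], {}
    for sig in sorted(signals, key=lambda s: s["time"]):
        if not policy_matches(sig, conditions, match_all):
            continue
        key = tuple(sig.get(f) for f in fields)
        sit = open_by_key.get(key)
        if sit and (window_type == "open" or sig["time"] <= sit["deadline"]):
            sit["signals"].append(sig)
            if window_type == "sliding":
                sit["deadline"] = sig["time"] + window
            continue
        sit = {"key": key, "signals": [sig],
               "deadline": None if window_type == "open" else sig["time"] + window}
        open_by_key[key] = sit  # a new situation replaces the expired one for this key
        situations.append(sit)
    return situations

def render_title(template, signals):
    """Expand '{macro:Field}' placeholders such as '{unique_count:Security Network Source IP}'."""
    def expand(m):
        result = MACROS[m.group(1)]([s.get(m.group(2)) for s in signals])
        return ", ".join(map(str, result)) if isinstance(result, list) else str(result)
    return re.sub(r"\{(\w+):([^}]+)\}", expand, template)

TITLE = ("{top:Security User Names}: {count:Security Event Names} failed logins from "
         "{unique_count:Security Network Source IP} source IP(s) [{unique:Security Network Source IP}]")
FAILED_LOGIN = [{"attribute": "Security Event Names", "operator": "equals", "value": "Login Failed"}]

def example_titles(window_type, conditions=FAILED_LOGIN, match_all=True):
    """Run the sample policy with a 5-minute window and return one rendered title per situation."""
    sits = correlate(SIGNALS, conditions, match_all, ["Security User Names"],
                     window_type, timedelta(minutes=5))
    return [render_title(TITLE, s["signals"]) for s in sits]

if __name__ == "__main__":
    for wtype in ("fixed", "sliding", "open"):
        print(wtype, example_titles(wtype))
```

With a five-minute window, the Fixed type splits alice's three failed logins into two situations because the third arrives six minutes after the first, while the Sliding type keeps them together because the second login extended the window. That is the practical trade-off when choosing a window type: Fixed bounds how long a situation can keep growing, Sliding follows a slow-burning sequence at the cost of potentially long-lived situations.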
Importing a Correlation Policy
Resolution Intelligence enables you to either create a new policy (set of rules) or import rules from Account Hierarchy or from a JSON file.
To import rules,
- Navigate to Configurations --> Correlation Policy.
- Hover over the button and select the appropriate option from the dropdown list:
  - From Account Hierarchy
  - From JSON
- If you select From Account Hierarchy, a window appears on screen.
- Select existing rules from Organization or Domain.
- Click Proceed to Summary and then click Submit. Your rules will be uploaded successfully.
- If you select From JSON, a dialog box appears on screen.
- Select your file and click Open. Your JSON file will be uploaded.
Once you have created a correlation policy, by default, it is listed under the Active Rules UI where you can Edit, Sort, Delete, Disable, and View the rules that are configured successfully.