This article provides how to import, export, and set up correlation policies to convert similar signals into Situations.
Use rules, signal responses, and remediation to build a correlation policy. Users can create correlation policies at domain, organization, or tenant levels. Refer to this article to learn about the order of execution of correlation policies at different levels of account heirarchy. Refer to this documentation on how a correlation policy works.
Note: The correlation policies do not include OpsRamp's correlated signals.
User Permissions
- Global Administrators
- Account Owners
- Configuration Managers
To add a Correlation Policy,
- Click the gear icon at the top (or) hover over icon at the top left corner.
- In the bottom of the left menu, click Configurations.
- In the left menu, under Signal Management, click Correlation Policies.
You will be navigated to the Correlation Policies page. - Click Create New Policy in the top-right corner of your screen.
- Enter Correlation Name.
-
(Optional) Search and enter a label.
Labels are the keywords that provide additional context, easy search, filter, and categorize the correlation policies in the listing page. You can enter one or more labels. - Under Situation Title,
- Check box left to preserve the existing Situation title for signals correlated using this policy or it will be overridden: This option allows you to use the existing Situation title instead of creating a new one for the incoming signals. (Or)
- Use the following options, if you would prefer to create a new title:
- In the Situation Title field, enter a suitable title.
- Click Add Macro.
A window opens on your screen. -
Select an option from the drop-down list.
When multiple signals are associated with a Situation, assigning single signal attribute becomes impossible. Macros play a vital role in incorporating several attributes from all correlated signals into a Situation subject
- "cited" - This macro counts the occurrence of each unique value in the selected field and returns the N most frequently occurring values, sorting the values by occurrence count in descending order.
- "count" - displays the count of the selected attribute in the subject.
- "to_list" - The selected field value will be appended to the subject.
- "top" - adds the top most cited field value to the subject.
- "unique" - includes the unique values of the selected field in the subject.
- "unique_count" - adds the count of unique values in the selected field to the subject.
- Click Add Field.
A window appears on your screen. - Select an option from the drop-down list. Then, click Add Macro.
7. Click +Add Condition or +Add Group to enable matching conditions.
-
- Construct the condition expression for the correlation policy. Select a field and operator from the drop-down lists. For the value, select a value from the drop-down list or enter it manually, depending on the field type. The condition is used to determine the records to which the rule will apply.
- A condition expression can consist of several phrases, joined by an And or Or. For each phrase, select a field, operator, and value. Click the button to add an additional row. Use the parentheses and And/Or options to join the phrases together to form a condition expression.
8. Click Add Fields to Correlate.
A window opens on the screen.
a. Select an appropriate field from the drop-down list to which you want to apply correlation.
b. In Key field, enter a key (for example, Tag)
Note: Key field is applicable for Asset tag only
c. Check the radio buttons left to any one of the below options appropriately
-
-
- Should exactly match with a signal in open ticket: Correlation happens when a given keyword matches with the existing signals in the open ticket.
-
Should ______ : Correlation happens when any one of the below options match with given values.
- Start with
- Not start with
- Match
- Not match
- End with
- Not end with
- Contain word(s)
- Not contain word(s)
-
For example, Key "sample tag" starts with "test1".
Note: The Add Fields to Correlate supports AND operation only.
9. Under Correlation Time Window,
a. Select Window Type from the drop-down menu.
-
- Fixed: After a fixed time, the correlation of signals stops.
- Sliding: The time window moves with the addition of a new signal or instance.
- Open Signal: No time window is given
b. Select Type from the drop-down menu.
-
- Days
- Hours
- Minutes
10. Enable Rule Isolation, if you would like to isolate the rule that you have created.
When rule isolation is enabled, an ActOn or Situation will exclusively consider signals correlated by these rules alone. Rule isolation refers to a configuration or setting that restricts the correlation of signals within a specific rule or set of rules.
11. Click Create Correlation.
Importing Correlation Policies
Resolution Intelligence Cloud enables you to import external correlation policies via an interactive user interface in the following ways:
From Account Hierarchy:
1. From the correlation policies listing page, hover over the button and click any one of the following from the drop-down:
2. Select the rules that you would prefer to import.
Note: The account hierarchy is defined as follows:
- If you are in a tenant account, you can import any rule from the domain, organization, or platform levels.
- If you are in an organization account, you can import rules from domain or platform levels.
- If you are in a domain account, you can import rules from platform levels.
3. Click Next.
4. Click Proceed to Summary once you have added your required rules.
5. Select the following:
- Append: adds the rule(s) to the existing list without overriding.
- Overwrite: replaces the previous rules.
6. Click Submit.
From JSON:
1. From the correlation policies listing page, hover over the button and click any one of the following from the drop-down:
2. Select the JSON file that contains the correlation policies to import into the platform. The Import Rules dialog appears.
3. Select the check boxes corresponding to the correlation policies you want to import.
4. Click Proceed to Summary.
5. Select the following:
- Append: adds the correlation policies to the existing list without overriding.
- Overwrite: replaces the existing correlation policies in your account.
6. Click Submit.
Exporting Correlation Policies
You can export one or more policies that you define in the Resolution Intelligence Cloud and share them with others in your organization or tenants.
To export correlation policies,
- From the correlation polices listing page, hover over the button and click any of the following from the drop-down.
- All: exports all policies that are available in the Resolution Intelligence Cloud.
- Selectively: enables you to select the policies that you wish to export.
- Rules are downloaded in JSON format and saved to your local drive.
Once you have created a correlation policy, by default, it is listed under the Active Rules UI, where you can Edit, Sort, Delete, Disable, and View the rules that are configured successfully.
Comments
0 comments
Please sign in to leave a comment.