Configuring Correlation Policies

Learn more on how you setup correlation policy to generate ActOns from situations manually.

Use rules, services, signal responses, and remediation to build a Correlation policy. Domain and Organization users can import all rules that are defined previously for their respective tenants. Refer this documentation on how a correlation policy works.

User Permissions

• Global Administrators
• Account Owners
• Configuration Managers

To add a Correlation Policy,

1. Navigate to Configurations --> Correlation Policy.
2. Click Create New Policy on the top right corner of your screen.
3. Enter Correlation Name.
4. Enter Situation Title.
   • Check box to preserve the existing title for signals correlated using this policy

• • • Click Add Macro. A window appears on your screen.
    • Select an option from the dropdown list. Then, click Add Macro.
      • cited:
      • count:
      • to_list:
      • top:
      • unique:
      • unique_count:
    • Click Add Field. A window appears on your screen.
    • Select an option from the dropdown list. Then, click Add Field.
      • Asset Name:
      • Asset Sub_type:
      • Asset tag:
      • Asset type:
      • Category:
      • Class:
      • Component:
      • Metric:
      • Resource Type:
      • Security Event Names:
      • Security File Names:
      • Security Log Source Names:
      • Security Log Source Type Names:
      • Security Network Destination IP:
      • Security Network Source IP:
      • Security Principal Hosts:
      • Security Recipients:
      • Security Rule ID:
      • Security Senders:
      • Security Target Hosts:
      • Security Target URLs:
      • Security User Agents:
      • Security User Names:
      • Signal Source:
      • Signal Subject:
      • Signal Tag:
      • Site Name:
      • Sub Category:
      • Sub Class:

     5. Click +Add Condition or +Add Group to enable matching conditions.

• • • Select an Attribute, Operator, and Value from the respective dropdown menu.
    • Click X to remove the condition.
    • Enable Negate next to the condition to negate the condition.
    • Check Box next to the Match All to select all conditions that you have added.
      

    6. Click Add Fields to Correlate. A window appears on the screen.

          a. Select an option from the dropdown list. See this list. 

    7. Under Correlation Time Window, 

a. Select Window Type from the dropdown menu.

• • • Fixed: After a fixed time, correlation of signals stops.
    • Sliding: Time window moves with the addition of new signal or instance.
    • Open Signal: No time window is given

 b. Select Type from the dropdown menu.

• • • Days
    • Hours
    • Minutes

8. Enable Rule Isolation if you would like to isolate the rule that you have created.

9. Click Create Correlation.

Importing a Correlation Policy

Resolution Intelligence enables you to either create a new policy (set of rules) or import rules from Account Hierarchy or from a JSON file.

To import rules,

1. Navigate to Configurations --> Correlation Policy.
2. Hover over button and select appropriate option from dropdown list.
   • From Account Hierarchy
   • From JSON
3. If you select From Account Hierarchy, a window appears on screen.
4. Select existing rules from Organization or Domain.
5. Click Proceed to Summary and then click Submit. Your rules will be uploaded successfully.
6. If you select From JSON, a dialog box appears on screen.
7. Select your file and click Open. Your JSON file will be uploaded.

Once you have created a correlation policy, by default, it is listed under the Active Rules UI where you can Edit, Sort, Delete, Disable, and View the rules that are configured successfully.