
Add custom correlation rules to accommodate detection requirements in your environment.

Procedure

  1. On the Correlation Rules tab, click Add Rule.
  2. In the Basic Properties area, specify a name for the rule and optionally provide a description. Choose a name that clearly identifies the anomaly you want to detect.
  3. Define one or more statements that make up the rule.
    A statement combines detection signals with the AND operator.
    1. Select a detection signal type from the drop-down list to filter the available signals, and then select the desired signal from the next drop-down list.
    2. To add another signal to the statement, click Add Signal.
    3. Repeat the previous step to add more signals to the statement.
      Click the remove icon next to a signal to remove it if it is not needed.
    4. When the statement definition is completed, click Add Statement to Rule.
  4. Define more statements as needed and add them to the Rule Definition area by repeating Step 3.
  5. View and confirm that the rule definition meets your requirement.
    A rule combines statements with the OR operator to tag and detect the required anomalies in your environment. The rule is matched when any of its statements is met.
  6. Click Save.
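
The rule logic described in steps 3 and 5, as an added example that is not part of the product or its documentation: each statement is a set of signals joined by AND, and the rule is a list of statements joined by OR. The signal names and host data are constructed, and the redundancy check goes slightly beyond the text: a statement that contains every signal of another statement never changes the result.

```python
# Added illustration, not product code. Signal names are constructed.
from typing import Dict, FrozenSet, List, Set

Statement = FrozenSet[str]   # signals joined by AND
Rule = List[Statement]       # statements joined by OR


def matched_statements(rule: Rule, observed: Set[str]) -> List[int]:
    """Indexes of statements whose signals are all present (empty ones never match)."""
    return [i for i, stmt in enumerate(rule) if stmt and stmt <= observed]


def rule_matches(rule: Rule, observed: Set[str]) -> bool:
    """A rule is matched when any one of its statements is met."""
    return bool(matched_statements(rule, observed))


def redundant_statements(rule: Rule) -> List[int]:
    """Indexes of statements that can never change the rule's outcome."""
    redundant = []
    for i, stmt in enumerate(rule):
        for j, other in enumerate(rule):
            if i == j or not other:
                continue
            # A subset statement is met whenever `stmt` is; duplicates keep the first copy.
            if other < stmt or (other == stmt and j < i):
                redundant.append(i)
                break
    return redundant


# Constructed rule with three statements.
RULE: Rule = [
    frozenset({"c2_callback", "suspicious_download"}),
    frozenset({"lateral_movement", "credential_dumping"}),
    frozenset({"c2_callback", "suspicious_download", "port_scan"}),
]

# Constructed per-host observations.
HOSTS: Dict[str, Set[str]] = {
    "host-a": {"c2_callback", "suspicious_download", "port_scan"},
    "host-b": {"c2_callback", "port_scan"},
    "host-c": {"lateral_movement", "credential_dumping"},
}

if __name__ == "__main__":
    for host, signals in HOSTS.items():
        print(host, rule_matches(RULE, signals), matched_statements(RULE, signals))
    print("redundant statements:", redundant_statements(RULE))
```

The third statement is reported as redundant because the first statement is already met whenever it is; review such statements before saving a rule.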