manojs Super Contributor.

How to further correlate correlation alerts using rule?

All,

I am trying to correlate alerts which are triggered from a Correlation rule. I have created a filter to extract the desired data from the Correlation alerts and it works fine, but when I create a rule for the same I am not seeing any triggers?

Is there anything I'm doing wrong? Or is there a different approach to further correlate correlation alerts?

Please suggest.

Regards

Manoj S.
6 Replies
tkachouba Trusted Contributor.

Re: How to further correlate correlation alerts using rule?

Are you trying to make a chain rule by creating a correlation event from another correlation event?

thomas.neumann Absent Member.

Re: How to further correlate correlation alerts using rule?

Hello Manoj,

a correlated event is merely an event -- nothing special about it.

So if the conditions/aggregation of your second rule match the correlated event generated by your first rule, the second rule fires.

If it does not, probably your conditions won't match.

Try to find your correlated events from first rule in an Active Channel and double check the conditions / filter of rule 2.

Kind regards,

Thomas

manojs Super Contributor.

Re: How to further correlate correlation alerts using rule?

Yes, exactly, that's what I am trying to achieve. Can you help me with this?

Manoj S.
manojs Super Contributor.

Re: How to further correlate correlation alerts using rule?

Thanks Thomas. But there is a difference between a Correlated and a Correlation event. Usually we correlate base/aggregated events using real-time rules, which trigger a correlation event, and this is the event I'm trying to further correlate in real time.

Manoj S.
thomas.neumann Absent Member.

Re: How to further correlate correlation alerts using rule?

Manoj,

I'm not sure if I understand correctly what you want to achieve.

Real-time rules act on any events coming in, no matter if base, aggregated, or correlated events.

Just make the conditions of your second rule match so it catches the (previously) correlated event generated by first rule.

If you want to detect whenever a rule fires, you may want to have a look at Audit Events with Device Event Class ID "rule:XXX"

(see Console User Guide for details).

Kind regards,

Thomas

tkachouba Trusted Contributor.

Re: How to further correlate correlation alerts using rule?

You can test this:

When your conditions are met to cause Rule 1 to fire, you can set the conditions of Rule 2 to look at the attributes of Rule 1. When the conditions of Rule 2 are met, it will cause Rule 2 to fire.

Base Event > Rule 1 > Rule 2 fires off of the conditions you set for attributes in event Rule 1.

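A small simulation of the chaining described in the two replies above (Rule 2 matching on the attributes of the correlation event that Rule 1 emits), added here as an example; it is not ArcSight code. The engine, the field names and the sample events are constructed stand-ins, and the second Rule 2 variant shows Thomas's point: conditions written against a base-event field that the correlation event does not carry never fire.

```python
from collections import defaultdict, deque
# Constructed stand-in for a real-time rule engine: field names mimic ArcSight's
# (type, generatorName, sourceAddress, deviceEventClassId); everything else is illustrative.
class Rule:
    def __init__(self, name, condition, key_fields, threshold, window):
        self.name, self.condition, self.key_fields = name, condition, key_fields
        self.threshold, self.window = threshold, window
        self.buckets = defaultdict(deque)  # aggregation key -> event times

    def feed(self, ev):
        """Return a correlation event if this rule fires on ev, else None."""
        if not self.condition(ev):
            return None
        q = self.buckets[tuple(ev.get(f) for f in self.key_fields)]
        q.append(ev["time"])
        while ev["time"] - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()  # fire once per burst, then start aggregating afresh
        return {"type": "Correlation", "generatorName": self.name,
                "time": ev["time"], "sourceAddress": ev.get("sourceAddress")}

def run(rules, base_events):
    """Feed events to every rule; correlation events re-enter the same stream."""
    stream = deque(sorted(base_events, key=lambda e: e["time"]))
    fired = defaultdict(int)
    while stream:
        ev = stream.popleft()
        for rule in rules:
            out = rule.feed(ev)
            if out:
                fired[rule.name] += 1
                stream.appendleft(out)  # chaining: Rule 2 now sees Rule 1's output
    return dict(fired)

def make_rules(rule2_on_correlation_event):
    rule1 = Rule("Rule 1", lambda e: e.get("deviceEventClassId") == "auth:failure",
                 ["sourceAddress"], threshold=3, window=60)
    if rule2_on_correlation_event:  # conditions match what Rule 1 actually emits
        cond = lambda e: e.get("type") == "Correlation" and e.get("generatorName") == "Rule 1"
    else:  # conditions test a base-event field the correlation event does not carry
        cond = lambda e: e.get("type") == "Correlation" and e.get("deviceEventClassId") == "auth:failure"
    return [rule1, Rule("Rule 2", cond, ["sourceAddress"], threshold=2, window=600)]

# Constructed sample: six failed logins from one source, 10 seconds apart.
BASE = [{"time": t, "deviceEventClassId": "auth:failure", "sourceAddress": "10.0.0.5"} for t in range(0, 60, 10)]

def demo():  # returns (fire counts with correctly chained Rule 2, counts with the mismatched Rule 2)
    return run(make_rules(True), BASE), run(make_rules(False), BASE)
```

With the chained conditions Rule 1 fires twice and Rule 2 once; with the mismatched conditions Rule 2 never fires, which is the symptom in the original question.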