Skip to content

Types of Correlation

The user can configure multiple types of alerts:

  • Single Event (rule) Alert, Such as administrator logons during non business hours.

  • Correlated Events: multiple rules tied together by different fields, which are performed in sequence during a speciffied time frame.

For Correlated Events option, there can be different methods of Alerts and/or Actions that the user can trigger:

  • Single event trigger, which will trigger on first event (that matches) correlated with previous event or chain of events.

  • Multiple events trigger which will trigger if multiple events match the correlation rules with regards to the following settings: Rule Trigger type, Min. Treshold, Max Treshold, TTL (time to live in seconds) and Pivot Field.

The Rule trigger types are:

  • Trigger based on count until Max treshold is achieved before TTL expires OR the TTL expires and Min treshold is reached.

  • Trigger based on Sum of a numeric value offered by Pivot field setting, if it is greater or equal to Max Treshold value before TTL expires OR is greater or equal to Min Treshold value when TTL expires.

  • Trigger based on Average value of a numeric value offered by Pivot field setting if it is greater or equal to Min Treshold value when TTL expires.

Data Correlation Rules are defined as:

  • Field conditions that compare a field value with a chosen value;

  • Report conditions that compare the event with a predefined report the user can choose from;

  • Correlation condition, where the user can compare a value from current event with a value from the events triggered in the chain of events.

For more details about alerts, please access the link.

Data Transformation Service (DTS) Module: based on complex filters, the event can match a data acquisition rule (DA Rule), which can apply a data transformation script enabling the user to customize the event even further (interacting directly with the event), and/or select the long-term storage. The user can also send alerts, emails, temporarily store/retrieve information (to cross-correlate with future events), or search for historical events in the short-term storage (Elasticsearch), or event dropping.

To create a DTS Alert, please open the following page for more details.