Creating Matching or Join Conditions

This topic applies to standard rules only. It provides examples for creating matching or join conditions and suggestions for optimizing the use of resources to process such rules.

About:

A matching or join condition is a condition statement that joins two data fields with the Matching or Join condition logic operator on the Conditions tab. Creating matching or join conditions using data fields provides the flexibility of creating conditions without knowing the specific data field's values. You can create the following join data field conditions:

You can reduce the correlation engine's memory consumption by as much as 50% in some cases through some techniques. When authoring a rule, you order conditions on the events to be correlated (or joined) by placing the most restrictive conditions first; for example, adding join conditions like event1's Source Address = event2's Source Address or event2's Detect Time = event1's Detect Time.

If your condition specifies more than one event alias, you can set any or all of them with the Consume After Match flag. This means that if a matching event is found and the rule is triggered, the rule will not correlate the event any further. Without the Consume After Match flag, the event is kept in working memory even after a matching event is found and the rule has been triggered. The event alias continues to be combined with events matching other aliases until the event itself expires.

If enabled, the Consume flag appears next to the event alias on the Conditions tab:

EventOne (Consume after match)

Note: Lightweight and pre-persistence rules have only one event, therefore, the Consume After Match option is not available.

To create a rule with matches or joins (with two or more events):

  1. In the Rules resource tree, right-click a rule and choose Edit Rule.

  2. In the Rules Editor, select the Conditions tab.

  3. Select the Matching Event branch and:

    1. Select New Logical Operator.

    2. Select And, Or, or Not.

    3. Add the second event that is tied to the first event.

    When adding join conditions, you need to decide how the new condition ties to the existing events in the rule. If you use And, the new join condition must occur, in addition to the existing events, to trigger the rule. If you use Or, the new join condition or the existing events must occur. If you use Not, all but the new join condition must occur. The logical operator appears as a branch under Joins.

  4. Click the (Join Condition) button or right-click the logical operator and select New Join Condition.

    A condition statement appears, displaying event, data field, and logic operator text fields. These fields are combined to create <event> <data field> <logic operator> <event> <data field> condition statements. For example, if monitoring for the same Source Address data field in EventOne and EventTwo, the condition statement would be EventOne Source Address = EventTwo Source Address.

  5. Select one of the following join data field conditions to use in the following steps:

    • When monitoring for the same data fields for two events use EventOne <data field A><logic operator> EventTwo <data field A>.

    • When monitoring for different data fields for two events use EventOne <data field A> <logic operator> EventTwo <data field B>.

  6. In the text fields, select an event and data field from the drop-down menus.

    Select data fields that you want to monitor but for which you do not have values. For more information, see Data Fields.

  7. Select a logic operator from the drop-down menu.

  8. Select an event and data field from the drop-down menus.

  9. Optionally right-click and select Consume After Match on one, some, or all of the event aliases.

    Doing so reduces the number of rule firings by using the matching event in only one join.

  10. Click OK.

    The join data field condition appears as a branch under the Matching Event logical operator.

  11. On the Conditions tab, click OK.

See also Logical Operators, Condition Tree Command Buttons, Condition Tree Context Menu Commands, Common Conditions Editor (CCE), and Adding Conditions.