Correlation rules are written to match specific events or sequences of events by using field references, comparison and match operators on the field contents, and operations on sets of events.
The Correlation Engine loads the rule definition and uses the rules to evaluate, filter, and store events in memory that meet the criteria specified by the rule. Depending on the rule definition, a correlation rule might fire according to several different criteria:
The value of one or more fields matches the condition given in the rule
The comparison of an incoming event to past events
The number of occurrences of similar events within the specified time period
One or more subrules firing
One or more subrules firing in a particular order
An event that matches the first subrule is not followed by an event that matches the second subrule within the specified time period
This section provides a basic overview of how to build correlation rules and the various parameters required to build a rule.
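To make the firing criteria above concrete, the following is an added example of a miniature in-memory correlation engine, written for this page rather than taken from the product's Correlation Engine. It keeps events in memory per rule, and shows four of the listed criteria over a constructed event stream: a field match used as a subrule, a count of similar events within a time window (grouped by user), two subrules firing in a particular order, and a first subrule that is not followed by the second within the window. The event field names (t, user, action), the rule names and the rule API are assumptions for the example.

```python
"""Tiny in-memory correlation engine (added example; not the product's own code).
Events are plain dicts; field names t/user/action are assumptions for the example."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Any, Callable, Deque, Dict, List

Event = Dict[str, Any]             # e.g. {"t": 10, "user": "alice", "action": "login_fail"}
Matcher = Callable[[Event], bool]  # a subrule: does a single event match?


def field_equals(name: str, value: Any) -> Matcher:
    """Field-match subrule: fires when the named field equals the given value."""
    return lambda ev: ev.get(name) == value


@dataclass
class Threshold:
    """Fire when `count` events matching `match` occur within `window` seconds, per `key` value."""
    name: str
    match: Matcher
    count: int
    window: float
    key: str
    seen: Dict[Any, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> List[str]:
        if not self.match(ev):
            return []
        q = self.seen[ev.get(self.key)]
        q.append(ev["t"])
        while q and ev["t"] - q[0] > self.window:   # forget events outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                                # reset so one burst fires once
            return [f"{self.name}: {ev.get(self.key)}"]
        return []


@dataclass
class Sequence:
    """Fire when subrule `first` is followed by subrule `second` within `window` seconds, same `key`."""
    name: str
    first: Matcher
    second: Matcher
    window: float
    key: str
    pending: Dict[Any, float] = field(default_factory=dict)

    def feed(self, ev: Event) -> List[str]:
        k = ev.get(self.key)
        if self.first(ev):
            self.pending[k] = ev["t"]                # remember the most recent first-subrule event
            return []
        if self.second(ev) and k in self.pending and ev["t"] - self.pending.pop(k) <= self.window:
            return [f"{self.name}: {k}"]
        return []


@dataclass
class NotFollowedBy:
    """Fire when `first` is NOT followed by `second` within `window` seconds (checked as time advances)."""
    name: str
    first: Matcher
    second: Matcher
    window: float
    key: str
    pending: Dict[Any, float] = field(default_factory=dict)

    def feed(self, ev: Event) -> List[str]:
        fired = self.expire(ev["t"])                 # any earlier first-events whose window has now lapsed
        k = ev.get(self.key)
        if self.first(ev):
            self.pending.setdefault(k, ev["t"])
        elif self.second(ev):
            self.pending.pop(k, None)                # the expected follow-up arrived in time: no alert
        return fired

    def expire(self, now: float) -> List[str]:
        expired = [k for k, t0 in self.pending.items() if now - t0 > self.window]
        for k in expired:
            del self.pending[k]
        return [f"{self.name}: {k}" for k in expired]


def build_rules() -> list:
    """Fresh (stateful) rule set; names and thresholds are constructed for the example."""
    fail, ok = field_equals("action", "login_fail"), field_equals("action", "login_ok")
    vpn, mfa = field_equals("action", "vpn_connect"), field_equals("action", "mfa_ok")
    return [
        Threshold("brute_force", fail, count=3, window=60, key="user"),
        Sequence("fail_then_success", fail, ok, window=60, key="user"),
        NotFollowedBy("vpn_without_mfa", vpn, mfa, window=30, key="user"),
    ]


def run_rules(events: List[Event], rules: list) -> List[str]:
    """Feed events in time order through every rule and collect the alerts they produce."""
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        for rule in rules:
            alerts.extend(rule.feed(ev))
    return alerts


# Constructed sample stream (timestamps in seconds), not real log data.
SAMPLE_EVENTS: List[Event] = [
    {"t": 0, "user": "alice", "action": "login_fail"},
    {"t": 5, "user": "alice", "action": "login_fail"},
    {"t": 9, "user": "alice", "action": "login_fail"},    # 3 failures in 60 s -> brute_force
    {"t": 12, "user": "alice", "action": "login_ok"},     # failure then success -> fail_then_success
    {"t": 20, "user": "bob", "action": "vpn_connect"},
    {"t": 30, "user": "carol", "action": "vpn_connect"},
    {"t": 40, "user": "bob", "action": "mfa_ok"},         # bob's MFA arrives within 30 s: no alert
    {"t": 100, "user": "dave", "action": "login_ok"},     # carol's MFA never came -> vpn_without_mfa
]

if __name__ == "__main__":
    for line in run_rules(SAMPLE_EVENTS, build_rules()):
        print(line)
```

The order in which a rule fires depends on how it holds state: the threshold rule only needs timestamps of matching events, the sequence rule remembers the latest first-subrule event per key, and the "not followed by" rule can only fire once enough time has passed, so a real engine needs a clock tick (not just the next event) to flush such rules when the stream goes quiet.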