Simple correlation rules are used to define simple sequences of events.
The correlation rule resource window contains the following configuration tabs:
General tab
If correlation rules employing complex logic for pattern detection are not triggered, this may be due to the specific method used to count rule triggers in KUMA. In this case, try to increase the value of Rate limit, for example, to 1000000.
Low.
Selectors tab
A simple resource can have only one selector with a Filter settings block:
Actions tab
A resource of the simple kind can have only one trigger: On every event. It is activated every time the selector triggers.
Available parameters of the trigger:
If both check boxes are selected, the correlation rule will be sent for post-processing first and then to the current correlation rule selectors.
Available settings:
The active list entry key depends on the available fields and does not depend on the order in which they are displayed in the KUMA web interface.
The left field is used to specify the Active list field. The middle drop-down list is used to select event fields. The right field can be used to assign a constant to the Active list field if the Set operation was selected.
Available types of enrichment: