Improved Correlations and Search
Correlations help you detect security weaknesses or threats for further investigation and response from custom logic you create to meet the specific security needs of your company or the accounts you manage. The improved correlation experience allows you to create powerful custom rules with similar syntax structure as Search queries in the Get Started with Search page of the Alert Logic console. When you create a correlation rule, Alert Logic examines data as it is collected for matching patterns based on the correlation alert you created and will trigger an incident or an alert.
This document covers the improved correlations experience in the Search page released on June 3, 2021. If you need to refer to the documentation for the correlations experience from the Log Search page, see Correlations and Notifications.
When to create a correlation
Correlations are specific sets of custom rules that you can create to be notified or alerted when the data Alert Logic receives matches the pattern for the data you specified in the correlation. Correlations allows you to be notified or alerted for incidents or observations outside of what Alert Logic already generates in the Incidents page. The correlations features allows for an extra layer of protection that your organization can actively and internally monitor. For example, if your organization has a custom-built internal application or software, you can create a correlation rule to be notified when a new user logs into your application or when files are moved or deleted in your application. Other examples of correlations you can create are for user login failures that occur more than five times in ten minutes, deny logs that block certain requests, and installation of a new program on your domain controller.
You can configure the correlation rule to generate a IDS event notification, an observation notification, or an incident notification. Specific examples of the types of notifications and alerts you can create a correlation for are:
- Incident notification alerts about a correlation for an administrative user that logs into your production data center
- FIM notification alerts about a correlation for sensitive files that were moved or deleted by a user that is not authorized to access those files
- Observation notification about a correlation that provides valuable security information (a failed administrative user login, for example), but you do not consider it as severe as an incident.
Start creating a correlation
Alert Logic recommends creating the correlation from the Search page from a valid search query. After you develop and validate a query (see Get Started with Search), you can choose to create a correlation based on the query. Alert Logic then applies the query to the correlation for you.
You can also create a correlation from the Correlations page or the Create any type of notification page. Whichever method you choose, the process is similar after you open the Create a Correlation page.
To create a correlation from the Search page:
- Click Searchin the Alert Logic console, and then click the Search tab.
- Create a valid log search query to define the correlation conditions. For examples of correlation queries, see Examples of Search Correlation Queries.
- Click the SEARCH drop-down menu below the query, and then click Create Correlation.
- Complete the fields in the Create a Correlation page. Alert Logic adds the log search query to the correlation, which you can change.
To create a correlation from the Correlations page:
- Click Searchin the Alert Logic console, and then click the Search tab.
- Click the Correlations tab.
- On the Correlations page, click the add icon ().
- Select Search (Guided Mode).
- Complete the fields in the Create a Correlation page.
To complete the Create a Correlation page:
- Type a descriptive name for the correlation—for example, "Admin Failed Login."
- If you want the correlation to be active, leave Correlation Is Active turned on. If you want to save the definition but not activate the correlation yet, turn it off.
- If you did not already create a search query for the correlation, or if you want to adjust a displayed query, click EDIT IN SEARCH, and then create or edit the query. For examples of correlation queries, see Examples of Search Correlation Queries.
- (Optional) For a search query that includes the INTERVAL function, adjust the number of minutes or hours in the Time Frame window as needed. The minimum window is one minute and the maximum is 24 hours. Time frame settings do not appear if they are not applicable to your search query.
- Specify the generating option for messages that meet the correlation conditions:
- Observation—If you want Alert Logic to inform you about the correlation but not generate an incident, click Observation.
- Incident—If you want Alert Logic to generate an incident, click Incident.
- Select one of the following Suppression options to reduce repeated triggers:
- Limit generation to once per hour
- Limit generation to once per 6 hours
- Limit generation to once per 24 hours
- Limit generation to once per week
- Add details about the observation or incident that the correlation will generate. See the relevant procedures below:
Suppression occurs if the same unique combination of values in the SELECT statement of the correlation query triggers an observation or incident within the specified time. Alert Logic generates at most 300 incidents or observations per rule in any consecutive 24-hour period.
Finish setting up an observation for a correlation
To finish setting up the observation that results from the correlation, add details about the correlation to help analysts quickly understand the problem, and then save your correlation.
- Add details about the observation:
- Observation Summary—Type descriptive text to summarize the observation.
- Attacker—(Optional) Select the query field that identifies the suspected attacker.
- Target—(Optional) Select the query field that identifies the target of the attack.
- Description—To describe the observation, type descriptive text, insert one or more fields from the query (type the % character to see a list), or both. Field names must be enclosed with % characters. You can use Markdown syntax to format the text.
- Click SAVE AND CONTINUE. A page for creating the notification opens with the correlation already added as a filter. For information about setting up the notification, see Observation Notifications.
Finish setting up an incident for a correlation
To finish setting up the incident that results from the correlation, add details about the correlation to help analysts quickly understand the problem. Then you need to choose whether to set up an incident notification and save your correlation.
- Add details about the incident:
- Incident Summary—Type descriptive text to summarize the incident.
- Attacker—(Optional) Select the query field that identifies the suspected attacker.
- Target—(Optional) Select the query field that identifies the target of the attack.
- Investigation Report——Add information to help with incident investigation. You can type descriptive text, insert one or more fields from the query, or both. Enclose field names with % characters. You can use Markdown syntax to format the text.
- Recommendations—(Optional) Add a recommended response to the incident. You can type descriptive text, insert one or more fields from the query, or both. Enclose field names with % characters. You can use Markdown syntax to format the text.
- Specify whether to send a notification when the correlation conditions generate an incident:
- To send a notification, turn on Create Incident Notification in Next Step, and then click SAVE AND CONTINUE. A page for creating the notification opens with the correlation already added as a filter. For more information about setting up the notification, see Create an incident notification.
- To generate the incident but not send a notification, leave Create Incident Notification in Next Step turned off, and then click SAVE.
Alert Logic Markdown
When you click a field that supports Markdown syntax for text formatting, a Markdown icon () appears. Alert Logic supports the following syntax:
Element | Syntax |
---|---|
Paragraph | To start a new line of text (equivalent of a <br> in HTML), type three space characters at the end of the line. |
Heading |
Type one or more # characters before the heading, with each # representing a heading level. # Heading text (an <h1> in HTML) ## Heading text (an <h2> in HTML) |
Block quotation |
Type a > character before the block quotation (equivalent of a <blockquote> in HTML). > First paragraph in the quotation > > Second paragraph in the quotation |
Bold and italic text |
Enclose the text with two * characters for bold (**bold**) or one * character for italic (*italic*). You can use * and _ characters to combine bold and italic. **You _must_ notify the on-call team.** Gives you this: You must notify the on-call team. |
Code |
Enclose the text with a single backtick character (`) to apply a monospace font to preformatted text. To create a block of code, enclose the block with three backticks (```). ``` |
Unordered list |
Before each item in the list, type a *, a -, or a + character followed by a space. The characters are interchangeable. * Item + Item - Item |
Ordered list |
Before each item in the ordered list, type a number. 1. Step 1 2. Step 2 3. Step 3 |
View and manage correlations
The Correlations page lists your existing correlations. You can create, preview, and manage correlations from this page.
To narrow the set of correlations listed, you can use the filters in the left navigation. You can also group and sort the correlations with tools available toward the top of the page.
To access the Correlations page, from the Search page, click the Correlations tab.
You can click Preview next to a specific correlation to see its details and manage the correlation.
Filter the correlations list
The Correlations page displays all active correlations created from the customer account and its managed accounts. You can also display inactive correlations and apply additional filters to narrow the list to a specific set of correlations.
To filter the correlations list:
- In the left navigation, click the correlation status of interest:
- Active
- Inactive (correlation is saved but not turned on)
- To further narrow the list to show only incident or observation correlation types, click Incidents or Observations.
- To clear filters and start over, delete any text you typed in Search filters or select CLEAR ALL FILTERS.
Organize the correlations list
You can organize the correlations list by grouping and sorting the correlations. Alert Logic groups your correlations by correlation type and sorts them by date last triggered within each grouping. You can group and sort the notifications by other criteria to suit your needs.
To organize your correlations:
- To change the grouping, click Group by, and then click the option you want. Available options match the filters listed in the left panel.
- To change the way the list is sorted within each grouping, click Sort by, and then click the option you want. Available options include:
- Last Triggered
- Alphabetically
- Creation Date
- Last Modified Date
Search the correlations list
You can use the search bar to filter the list to include only correlations that contain specific words in important fields, like name.
View and manage correlations from the detail view
You can view the details about a specific correlation. The detail view indicates the last time the correlation was triggered, the date the correlation was created and last modified, the log search query, and other details about the correlation that can help you understand the correlation and respond to it quickly.
For an incident correlation type, the view includes the number of open incidents generated by the correlation and a RESPOND link, which accesses the Incident List filtered to show incidents generated by the correlation.
From the detail view, you can also view the list of notifications that will be sent when correlation conditions are met, add a notification, edit the correlation, or delete it.
To view details about a correlation:
- From the Search page, click the Correlations tab.
- To the right of the correlation you want to view, click Preview.
- When you are finished viewing correlation details, click Hide.
To add a notification to a correlation:
- From the Search page, click the Correlations tab.
- To the right of the correlation for which you want to set up a notification, click Preview.
- Toward the bottom of the detail view, click +ADD. A page for creating the notification opens with the correlation already added as a filter. For information about setting up the notification, see the relevant information:
To delete a correlation:
- From the Search page, click the Correlations tab.
- To the right of the correlation you want to delete, click Preview.
- Toward the bottom of the detail view, click the DELETE icon.
To edit a correlation:
- From the Search page, click the Correlations tab.
- To the right of the correlation you want to edit, click Preview.
- Toward the bottom of the detail view, click the EDIT icon.
- In the Edit a Correlation page, change any of the settings. You can:
- Make the correlation active or inactive
- Change the correlation search query
- Change the correlation type
- Change the suppression option
- Edit the details that explain the problem (summary, attacker, and so on)
- Add a notification
To open a list of incidents generated by the correlation:
- From the Search page, click the Correlations tab.
- To the right of the notification, click Preview.
- Toward the top of the detail view, click RESPOND >. For more information about incidents and responding to them, see Incidents.