- Get Started with Correlation Rules
- Create Correlation Rules
- Manage Correlation Rules
- Find Correlation Rules
- Share Correlation Rules
- View Correlation Rules Metrics
Correlation Rule Sequences
Sequences are the building blocks for rule logic that define the events and conditions that trigger a correlation rule.
A sequence is the component of a correlation rule that defines which events trigger the rule and the condition the events must satisfy for the rule to trigger. The first step in building a correlation rule is creating a sequence.
To create a sequence, first search for events on which your rule triggers. Searching for events is similar to Search. You can choose to build a search or type one out, you use the same syntax when typing a search, and you can select recent and saved searches. After you define events of interest, you define the conditions that the events must meet.
If the rule triggers on a set of related events, define multiple sequences. The condition of all sequences must be satisfied for the rule to trigger. For example, to detect a brute force attempt, define the first sequence as a certain number of failed log-on events from an external IP address within five seconds and the second sequence as a successful log-on event from the same external IP address within 30 minutes. Sequences can be ordered, so sequences and their conditions must be satisfied in a specific order for the rule to trigger; or unordered, so all sequences and their conditions can be satisfied in any order for the rule to trigger.
To prevent a rule from over-triggering, Correlation Rules automatically disables a rule if If events satisfy the conditions of any sequence more than 500 times in five minutes. Correlation Rules also automatically disables a rule if the rule triggers more than 50 times in five minutes.
By default, you can enable up to 200 sequences.