Correlation Rule Sequences
Sequences are the building blocks for rule logic that define the events and conditions that trigger a correlation rule.
A sequence is the component of a correlation rule that defines which events trigger the rule and the condition the events must satisfy for the rule to trigger. The first step in building a correlation rule is creating a sequence.
To create a sequence, first search for the events on which your rule triggers. Searching for events works the same way as Search: you can build a search or type one out, you use the same syntax when typing a search, and you can select recent and saved searches. After you define the events of interest, you define the conditions that those events must meet.
If the rule triggers on a set of related events, define multiple sequences. The conditions of all sequences must be satisfied for the rule to trigger. For example, to detect a brute force attempt, define the first sequence as a certain number of failed log-on events from an external IP address within five seconds and the second sequence as a successful log-on event from the same external IP address within 30 minutes. Sequences can be ordered, meaning the sequences and their conditions must be satisfied in a specific order for the rule to trigger, or unordered, meaning all sequences and their conditions can be satisfied in any order for the rule to trigger.
To prevent a rule from over-triggering, Correlation Rules automatically disables a rule if events satisfy the conditions of any sequence more than 500 times in five minutes. Correlation Rules also automatically disables a rule if the rule triggers more than 50 times in five minutes.
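As an added illustration (not Exabeam's own code or rule format), the following Python simulates the brute force rule described above over constructed sample log-on events: one sliding-window check serves both the failed-log-on sequence and the over-triggering safeguards, and the ordered flag shows how ordered and unordered evaluation differ. The event tuple layout, IP addresses and function names are assumptions made for this example.

```python
# Constructed sample events (not from the original page): (seconds, event, source IP)
EVENTS = [
    # 203.0.113.5: five failures within five seconds, then a success 10 minutes later
    *[(t, "logon_failed", "203.0.113.5") for t in range(0, 5)],
    (600, "logon_success", "203.0.113.5"),
    # 198.51.100.9: five failures, but spread over 80 seconds (5-second window not met)
    *[(t, "logon_failed", "198.51.100.9") for t in range(0, 100, 20)],
    (120, "logon_success", "198.51.100.9"),
    # 192.0.2.7: success first, then five quick failures (only an unordered rule fires)
    (0, "logon_success", "192.0.2.7"),
    *[(t, "logon_failed", "192.0.2.7") for t in range(10, 15)],
]

def first_burst_end(times, count, window):
    """Timestamp completing the first run of `count` events within `window`
    seconds, or None. Reused for sequence 1 and for the auto-disable checks."""
    ts = sorted(times)
    for i in range(len(ts) - count + 1):
        if ts[i + count - 1] - ts[i] <= window:
            return ts[i + count - 1]
    return None

def evaluate_brute_force(events, ordered=True):
    """Sequence 1: five failed log-ons from one IP within 5 s. Sequence 2: a
    successful log-on from that IP within 30 min. Ordered means 2 follows 1."""
    hits = {}
    for ip in sorted({src for _, _, src in events}):
        fails = [t for t, kind, src in events if src == ip and kind == "logon_failed"]
        t1 = first_burst_end(fails, count=5, window=5)
        if t1 is None:
            continue
        lo, hi = (t1, t1 + 1800) if ordered else (t1 - 1800, t1 + 1800)
        succ = sorted(t for t, kind, src in events if src == ip and kind == "logon_success")
        t2 = next((t for t in succ if lo <= t <= hi), None)
        if t2 is not None:
            hits[ip] = (t1, t2)
    return hits

def should_auto_disable(sequence_match_times, trigger_times):
    """Page's safeguards: disable if any sequence matched more than 500 times
    in five minutes, or the rule itself triggered more than 50 times in five minutes."""
    return (first_burst_end(sequence_match_times, 501, 300) is not None
            or first_burst_end(trigger_times, 51, 300) is not None)

if __name__ == "__main__":
    print("ordered:  ", evaluate_brute_force(EVENTS))
    print("unordered:", evaluate_brute_force(EVENTS, ordered=False))
    print("disable?  ", should_auto_disable([], list(range(0, 300, 5))))
```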
By default, you can enable up to 200 sequences.