Deploying a correlation rule

You can deploy a correlation rule so that the rule correlates live data.

Before you begin

Complete your review of the related events and the parent event that form the correlation rule. If necessary, change the correlation rule or related events configuration.

About this task

When you are satisfied with the correlation rule, you can choose to Deploy it.
When you choose to Deploy the correlation rule, the rule moves out of its existing tab and into the Active tab within the View Related Events portlet. The algorithm of an active rule identifies the related events in the live incoming events and correlates them so that the operator knows which event to focus on. Performance statistics about the rule are logged, and you can use them to verify whether the deployed rule is being triggered.
Note: On rerun of a related events configuration scan, a warning message is displayed if any new groups are discovered that conflict with groups on which an existing deployed rule is based.
  • Click OK to accept the warning and continue deploying the existing rule. The new groups are ignored.
  • Click Cancel to ignore the warning and replace the existing deployed rule with a new rule based on the newly discovered group.
Complete the following steps to Deploy the correlation rule.

Procedure

  • Within the View Related Events portlet:
    1. View related events by group, see Viewing related events by group.
    2. In the View Related Events portlet, within the groups table, select either a related events group or a related events configuration and right-click. A menu is displayed.
    3. From the menu, select Deploy.
  • Within the Related Event Details portlet for a group or an event:
    1. View related events or related event groups, see Viewing related events and Viewing related events by group.
    2. Select an event or a related events group.
      • In the View Related Events portlet, within the groups table, select a related events group and right-click. A menu is displayed.
      • In the View Related Events portlet, within the events table, select an event and right-click. A menu is displayed.
    3. From the menu, select Show Details. The Related Event Details portlet opens.
    4. In the Related Event Details portlet, within any tab, select Deploy.

Results

The rule moves out of the New tab and into the Active tab within the View Related Events portlet.

What to do next

When you establish confidence with the rules and groups that are generated by a related events configuration, you might want all the generated groups to be automatically deployed in the future. If you want all the generated groups to be automatically deployed, return to Creating a new or modifying an existing analytics configuration and within the Configure Related Events window, tick the option Automatically deploy rules discovered by this configuration.