Watching a correlation rule
You can watch a correlation rule to monitor its performance before you deploy it to correlate live data.
Before you begin
About this task
When you choose to Watch the correlation rule, the rule moves out of its existing tab and into the Watched tab within the View Related Events portlet. While the rule is in Watched, it does not create synthetic events or correlate, but it does record performance statistics. You can check the rule's performance before you deploy the rule to correlate live data.
Complete the following steps to Watch the correlation rule.
Note: On rerun of a related events configuration scan, a warning message is displayed if any new groups are discovered that conflict with groups on which an existing watched rule is based.
- Click OK to accept the warning and continue watching the existing rule. The new groups are ignored.
- Click Cancel to ignore the warning and replace the existing watched rule with a new rule based on the newly discovered group.
Note: any NEW groups which conflict with existing non-NEW groups
Any already existing patterns cannot be edited. Only newly discovered patterns can be edited.