Investigating enrichment and correlation rules

Investigate enrichment and correlation rules by filtering different properties. Determine which rules that you might need to edit in IBM® Detection and Response Center or search in IBM Security Data Explorer.

1. Go to Menu > Detection and Response Center.
2. Click the Alert enrichment and correlation tab. The default template shows all the rules for system-defined enrichment and correlation content. These rules are used by the system to enrich alerts with more severity information and to correlate the enriched alerts when needed.
   Tip: To ensure you always have the latest enrichment and correlation rules from the IBM Security App Exchange, go to the Actions menu, and ensure that the Enable IBM enrichment and correlation autoupdate option is selected. When new IBM enrichment and correlation rules are available, you see a notification on the menu bar.
3. Filter the rules by supported rule format and by rule attributes. For more information, see Alert enrichment and correlation properties.
   Tip: The more filters that you apply to the rules, the more fine-tuned the list of results you get. The Detection and Response Center uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon). As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker colored background.
4. To find a rule with a specific name, filter on the name attribute by using a regular expression.
5. Customize the report presentation to make it easier to investigate your rules. To modify the column settings, click More options > Manage columns.
   1. Search or scroll down the window to find the column that you want to add to the report and select the relevant checkbox.
   2. In the Selected columns section of the window, drag the columns in the order that you want them displayed in the report.
   3. Click Apply.
6. To investigate details for a specific rule, select the rule name to open the rule details page. The rule details page contains sections for common rule attributes and test definitions. It also shows the enrichment rule logic so that you can get a better understanding of how the rule works.