We are happy to share that we're starting a new weekly feature on this forum, called "This Week's Top Question". Each week, we will select one or more popular questions which we receive from our customers, and share the answer with you right here on the forum.
So, getting right to it:
Q: What are field-based conditions in event correlation? How and when do I use them?
A: Field-based conditions are useful when you are building correlation rules. So first, let's understand how a correlation rule is structured. A correlation rule is a pattern used to detect possible security incidents on your network. This pattern is made up of a sequence of log events - including Windows logon events, firewall denied connections, and tables created in databases - also known as 'actions'. EventLog Analyzer collects logs from the various devices on your network, and if a sequence of logs or user actions matches this pattern, you receive an alert instantly.
You can create custom rules by going to:
Correlation -> Manage rules -> +Create rule
You can modify existing rules by going to:
Correlation -> Manage rules -> Selecting the Update icon next to the required rule
When you are creating or modifying a correlation rule, you can use field-based conditions to make the rule more specific and well-defined. These conditions are applied to specific fields within the actions that make up the rule—for instance, the device name in a Windows logon, or the IP address from a connection denied by a firewall. You can find them by selecting "Advanced" for the required action, and then by clicking on the filter icon next to the required field name.
These are the types of conditions EventLog Analyzer allows you to apply:
These conditions offer a lot of flexibility in building correlation rules. Go ahead and try using them, and let us know if you require any assistance!