Create a correlation group
Correlation groups let you create multiple distinct paths for alert correlation, making it possible for the same data to be correlated in different ways, or to correlate data differently based on different attributes. Every correlation definition must be included in a correlation group. It is possible to create a definition outside a group using the API, but it will not correlate alerts until it is moved into a group.
Note
When there are multiple correlation groups, it is possible for a single alert to be correlated in each group, potentially by multiple definitions in each group. Each alert could potentially be included in numerous incidents, depending on the configuration of groups and definitions. Carefully consider your goals when creating additional correlation groups.
Groups include settings which control:
Whether an alert can match more than one correlation definition within a group and be included in more than one incident
How similar incidents must be before they are merged into one incident
How to handle alerts which were not correlated into an incident
To create a new group:
Navigate to Correlate & Automate > Correlation Engine.
Click Add Correlation Group.
On the Basic Settings tab, enter a name for the group in the field provided.
Click the Correlation Settings tab and complete the information.
Under Correlation Matching, select one of the options:
Alerts can match all correlation definitions.
Alerts can match one definition. The definition evaluation order is customizable.
Note
This setting has a major impact on how correlation occurs. For more information, see Understand correlation group settings and definition order.
Under Automatic Merge, choose how similar incidents must be before they are merged together into one.
The default setting is that 80% similarity between the alerts in two incidents must exist before the incidents are merged together. Select any value in increments of 10 from 10% to 100%. You can also select any, which means that incidents are merged together when they have one alert in common.
If you selected "Alerts can match one definition" under Correlation Matching, select a setting under Uncorrelated Alerts.
This setting tells the Correlation Engine how to handle alerts that are not related to any other alerts, based on the group correlation definitions. These are the alerts that cannot be correlated into incidents with other alerts.
Choose one:
Do not create incidents for uncorrelated alerts.
Alerts which are not closely related enough to any other alerts to form incidents are ignored.
Create an incident for each uncorrelated alert.
Selecting this option creates an incident containing only one alert for each alert that does not meet the criteria for any correlation definition in this correlation group. This includes alerts which are not similar enough to other alerts to join an existing incident, alerts that are excluded by correlation definition filters, and situations when the number of alerts did not meet the criteria for the incident creation threshold to form an incident.
This option acts as a "catch all," ensuring that no alerts are lost. However, it can potentially create numerous incidents containing just one alert, so it is important to consider your correlation goals before enabling it.
Click Save.