Configure Correlation Rules to Auto Create Incidents

We can help you automate the incident creation based on a QQL rule query defined in a correlation rule. To help you create correlation rules, FIM provides a Correlation Rule wizard. In the wizard, define a query to specify a criteria for events you want to create incidents and a schedule to indicate when and how often you want to run the rule to create incidents for the events that matched the rule query.

Through auto correlation rules, incidents will get created when there is an event created that matches the Incident criteria. The correlation rule wizard also provides you an option to create alerts for the incidents that are created for this rule. See "Create an alerting rule for incidents".

You can access the Correlation wizard from the following pages:  

- Go to Incidents > Correlation Rules > Create Correlation Rule.

- Go to Events > All Event tab or Events > Event Review tab. Enter a search query in the search box and press Enter. Click menu button next to search box and select “Create Correlation Rule from Search Query”. When you create a correlation rule, the search query provided on the page is copied to the new correlation rule.

- Go to the Assets tab, select an asset and from the Quick Actions menu select "Create Correlation Rule" to create a correlation rule for an asset. When you create a correlation rule for an asset, the agent ID of the asset is copied to the new correlation rule. Use the operators "and/or" to customize your search query.

Note: For events with 'reputationStatus' as 'MALICIOUS', an Automated Incident will be created with below configuration:

Disposition = Malware

Change Type = Compromise

Approval Status = Policy Violation

Start review option will be available immediately.

Create a correlation rule using correlation rule wizard

Provide the correlation rule name and description. Enter a rule query. When the rule is triggered, the events matching the rule query are picked and added to the incidents. Optionally, use the Choose from my saved searches option to select a search query. We also provide a Queries from which you can choose predefined queries. See Query Library.

Create corelation rule

Note: After you upgrade the Cloud Agent to 4.1 and above, the File Path is displayed as (c:\directory\sub-directory\file.ext). If all the agents in your subscription are not upgraded to 4.1 and above, edit the existing QQL queries to add the new File Path format along with the old one.

Schedule the rule

Next, select the schedule to indicate when and how often you want to run the rule. By default, the rule will be run once. Schedule the rule by choosing a date, a start and end time. To set a recurring schedule, select Recurring Job check box. You have the option to schedule the rule to run daily between a specified time, every week or every month on chosen days between a specified time period.

FIM also supports cross date scheduling. Correlation can start at 10 pm on day 1 and end at 2 am on day 2 (effective schedule of 4 hours). If the end time is less than or equal to start time, the end time is considered as the time of next day. There is no end date for the schedule. User can deactivate or delete a correlation rule to stop creating incidents for the rule.

The scheduler runs every 5 minutes to pick up new jobs. Hence, it is recommended that while creating a schedule, you choose a "Start Time" greater than 15 minutes from the current time for a job to get picked up. If you choose a Start Time less than 15 minutes, it is possible that by the time you have created the rule, the scheduler has already picked up the job. In such a case your job will be picked up in the next scheduled cycle. This means One Time rule will never run as the time set for running the rule has already passed and if it is a Recurring rule, it will run at the next schedule.

When the correlation rule is run during the scheduled time, FIM will pick up all the events that are raised during the scheduled time and that match the search query provided in the rule. All these events are then added to the newly created incident. The naming convention used for incidents is correlation rule name followed by incident creation date and time. Note that you cannot change the Trigger criteria of a correlation rule in the edit mode.

Correlation wizard showing configurations for Trigger Criteria set as Recurring.

Choose review options for the auto created incidents

Finally, select an approval type to indicate if you want to automate the review process for the incident or manually review the incident. For Automated approval type, select a disposition category for reporting and classification, choose whether the incident resulted from a manual or automated change, mark the incident Approved, Unapproved Change or Policy Violation and provide a comment. Click Save to create the correlation rule.

Correlation wizard showing configurations for automated approval type.

Create an alerting rule for incidents

While saving a correlation rule, the Correlation rule wizard gives you an option to create alerts for the incidents created for a correlation rule.

Save and Create Alerting Rule button shown in Review Form step on the correlation wizard.

When you choose the option to create a rule, FIM opens the Alert Rule wizard to help you configure the alert rule. The new alert rule name and description will be the same as the correlation rule name and description from which the alert rule is created. The search query for the alert rule will default to Incidents and a query is created with incident status open or closed and correlation rule ID. See Creating a rule based alert.

Manage correlation rules

The Correlations Rules tab lists all the correlation rules.  The page shows details such as the name of the rule, rule id, whether the rule is currently active or deactivated, reviewer of the incident. The page also shows approval status, change type and disposition category values for approval type selected as Manual for incidents when creating/editing the rule. The Quick Actions menu on the page provides you options to view, edit, delete, activate/deactivate a rule and view the incidents of a rule.

Note that activate/deactivate option will be available for correlation rule that has a recurring schedule.

Quick Actions for Show Incidents

Manage Incidents

All the incidents generated for a correlation rule are listed in the All Incidents tab with type as "Automated". Note that you can not delete an incident that is generated for a correlation rule.

Manage Incident

Review incidents

An incident generated for a correlation rule is available for manual review after a grace period of 10 minutes from the scheduled end time of the rule. The “Start Review” option on the Quick Actions menu will be available for the incident after the grace period ends.