Observed Rule
For an Observed Rule, fill in the related fields:
The user can also set the rule priority. To set the rule priority:
1. Open the correlation rule view.
2. Click Advanced Configuration.
3. Set the priority value as follows:
The running order of the rules is determined by their priority values: the rule with the smallest priority value runs first.
- The rule treats the preceding Flow type as a time and a count (this time and count are set in the flow frame, in milliseconds and as a number respectively).
- Click the Add Object button.
- Select the log fields (each log type has its own fields).
- Click Save to save the changes.
After saving the rule, it is listed in the Correlation rules list as shown in the following figure:
You can copy, edit, and delete any rule as shown in the figure above.
Note the available logic operators:
Relations Between Logs
- If the user wishes to define relations between logs, they can add another log object.

- If the user wishes to establish a time relation between logs, select After Time. A sample rule for this scenario would be: detect a firewall attack caused by user test, followed within 10 minutes by user test logging into a Windows machine.
- The user can connect log objects with AND, OR, or NOT logic operators as shown below:
- The user can then link multiple logs by selecting the link button and connecting log fields with each other. The user can link as many fields as required.
GeneralCorrelationObject[2] Sourceaccount is linked to GeneralCorrelationObject[1] Sourceaccount with the link button, as shown in the figure below:
- The Windows login condition shown in the figure above can also be expressed by using a taxonomy in the condition. In this way the login condition is delegated to the taxonomy module as "Windows login". There are 1536 taxonomy groups in SureLog, and users can use different taxonomies when formulating their rules. The Windows login condition expressed with a taxonomy is shown in the figure below:
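The sample rule above (a firewall attack by user test, followed within 10 minutes by a Windows login from the same account) written out as an added example, not SureLog's own code: the two log objects are matched by taxonomy name, the Sourceaccount link becomes the shared key, and After Time becomes the 10-minute window. The event field names and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page). Field names are assumptions;
# "taxonomy" stands in for the SureLog taxonomy group a log was classified into.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "taxonomy": "Firewall Attack", "source_account": "test"},
    {"time": "2024-01-01T10:04:00", "taxonomy": "Windows Login", "source_account": "test"},
    {"time": "2024-01-01T10:20:00", "taxonomy": "Windows Login", "source_account": "test"},   # outside window
    {"time": "2024-01-01T11:00:00", "taxonomy": "Firewall Attack", "source_account": "alice"},
    {"time": "2024-01-01T11:05:00", "taxonomy": "Windows Login", "source_account": "bob"},    # account not linked
]


def correlate_after_time(events, first_taxonomy, second_taxonomy, link_field, window):
    """Return (first_event, second_event) pairs where a second_taxonomy event follows a
    first_taxonomy event, shares the linked field with it, and arrives within `window`.
    This is the AND of two log objects, an After Time relation and one linked field."""
    pending = {}   # linked-field value -> (timestamp, event) of the latest first-stage match
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = ev[link_field]
        if ev["taxonomy"] == first_taxonomy:
            pending[key] = (ts, ev)                 # remember the attack per account
        elif ev["taxonomy"] == second_taxonomy and key in pending:
            first_ts, first_ev = pending[key]
            if ts - first_ts <= window:
                alerts.append((first_ev, ev))       # login within the window: rule fires
                del pending[key]                    # one attack is consumed by one login
            else:
                del pending[key]                    # first-stage match expired
    return alerts


def detect_test_user_login_after_firewall_attack(events=EVENTS):
    """The page's sample rule: firewall attack by 'test', then a Windows login by the
    same Sourceaccount within 10 minutes. Returns the list of fired alerts."""
    alerts = correlate_after_time(events, "Firewall Attack", "Windows Login",
                                  "source_account", timedelta(minutes=10))
    return [a for a in alerts if a[0]["source_account"] == "test"]


if __name__ == "__main__":
    for attack, login in detect_test_user_login_after_firewall_attack():
        print(f"ALERT: {attack['time']} attack -> {login['time']} login by {login['source_account']}")
```

Only the 10:04 login fires; the 10:20 login is outside the window and bob's login is not linked to alice's attack.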