Alert Logic customers with log data, including those with Log Manager, Cloud Defender, and Managed Detection & Response entitlements, are able to use Expert Mode search to build custom correlations. With this release, you are able to create more powerful custom rules, access more data types, and use both new and original correlations to manage data.
Correlations allow customers to set a rule that watches for patterns in data. This rule examines data as it is collected, and when data matches the pattern, an incident or alert is triggered. Correlations are helpful in detecting data patterns that Alert Logic incidents do not currently cover, especially for cases specific to your own data and environment. For example, you might want to be alerted about administrative activity in an application you built yourself, or when a sensitive host communicates with the internet through a monitored firewall. Once the data can be collected and searched, creating a correlation turns that search into an alert.
Correlations vs. Incidents
An incident is a correlation of events that imply harm to an information system, violate acceptable use policies, or circumvent standard security practices, and that may be classified into one of four risk levels - low, medium, high, and critical - as defined by the Alert Logic ActiveAnalytics platform or a Security Operations analyst. Incidents are created by Alert Logic and reviewed by our Security Operations Center (SOC). If there is an Alert Logic incident for a data use case of yours, you do not need to create a correlation. If there is not, a correlation may be helpful.
In contrast to incidents, correlations are custom, real-time alerts that work very similarly to incidents, but that are not automatically reviewed by the SOC. Data is collected, ingested by Alert Logic, and persisted in long-term storage, where the data can be searched interactively or on a schedule. Correlations create a new processing rule - aside from Alert Logic incident processing rules already in place - that are explicitly under your control and for your use only.
Correlations and Search
Correlations are written, created, and managed in the Search console within the Alert Logic console, but general search and correlation creation are separate entities. Correlations use the same syntax as search - including Simple and Expert queries - and work on collected data such as log messages. You can run a search yourself or schedule a search to run periodically, but for real-time alerting, Alert Logic recommends using correlations.
Correlations are created and managed within the Alert Logic console at (navigation menu) > Investigate > Search > Search. Create your correlation in the same way you would perform a search - using the syntax options for either Simple or Expert Mode search formats. Click on the down arrow next to the Search button and select Create Correlation.
A Create a Correlation screen will appear, within which you will add details, including the correlation's name and generating options. Here, you can also edit the correlation as necessary before you save and continue. Click Save and Continue.
On the next screen, Create an Observation Notification, allows you to set up a notification for your correlation. Add details, choose your correlation name under Correlation Rule, and manage recipients and notification delivery here. Click Save.
Now, based on the defined correlation and recipient and notification delivery parameters you have set, alerts will be generated. If you chose to create an incident, these will also be visible in the Incident console, found within the Alert Logic console at > Respond > Incidents.
Saved correlations can now be found under the Correlations tab, alongside Search. Here, you can access, edit, and delete all existing correlations, as well as manage notifications.
For additional technical information on improved correlations and search, see the following pieces of Alert Logic documentation: