Correlation Patterns
Find information about the performance of your correlation patterns.
The Correlation Patterns dashboard provides insight into the effectiveness and trends of your correlation patterns. The dashboard enables you to view data on all of your patterns at a glance, and to drill down to view granular information about a specific correlation pattern.
Dashboard Duplication
The Correlation Patterns dashboard cannot currently be duplicated. See the Unified Analytics Dashboards documentation for a full list of duplicable dashboards.
Key Features
The Correlation Patterns dashboard allows you to:
- Visualize and track data on alert correlation across your instance.
- Drill down to view analytics on specific correlation patterns.
- Determine ways to improve configuration settings to reduce noise.
Correlation Patterns
The Correlation Patterns dashboard displays information on how all of your correlation patterns are performing.
Timeline widgets
Timeline widgets are based on incident updates in the selected start timeframe.
The following widgets are available within the dashboard:
Widget Name | Description |
---|---|
Compression Rate | The percent of processed alerts formed into incidents. The compression rate calculation is 1 - (Total incidents) / (Total entities). |
# Total Alerts | The total number of alerts that were processed by correlation during the given timeframe. Total alerts are calculated by counting the total number of entities. If there's no correlation pattern, 1 entity is counted. |
# Total Incidents Formed | The total number of incidents created during the given timeframe. Total incidents formed is calculated by counting the total number of incident IDs. |
Average Compression Trend | The average compression percentage over time for total incidents, actioned incidents, and non-actioned incidents. The calculation for total incident compression is 1 - (Total incidents) / (Total entities). The calculation for actioned incident compression is 1 - (Total incidents where Is_Actioned=true) / (Total entities where Is_Actioned=true). The calculation for non-actioned incident compression is 1 - (Total incidents where Is_Actioned=false) / (Total entities where Is_Actioned=false). |
Total Alerts Trend | The total number of alerts correlated, over time. Total alerts are calculated by counting the total number of entities per day. |
Correlated Incidents Trend | The number of actioned vs non-actioned correlated incidents. The number of actioned correlated incidents is calculated by finding the total number of incidents where is_actioned=true. The number of non-actioned correlated incidents is calculated by finding the total number of incidents where is_actioned=false. |
Correlation Patterns Effectiveness Comparison | A table showing detailed data on your correlation patterns. The following information is displayed per correlation pattern: Pattern - The tags used in the correlation pattern. The No Pattern row refers to incidents that did not match any correlation pattern. Time Window (min) - The time window in which this pattern will correlate alerts together. Compression - The percent of alerts that were correlated into incidents. # Alerts - Number of alerts correlated by the pattern. # Incidents - Number of incidents created by the pattern. # Actioned INC - Number of actioned incidents. # Non-Actioned INC - The number of non-actioned incidents. # Splits - The number of splits that occurred on incidents created by the correlation pattern. # Merges - The number of merges that occurred on incidents created by the correlation pattern. |
Total Splits | The total number of incidents split into new incidents that occurred in the dashboard’s timeframe. |
Total Merges | The total number of source incidents merged into new incidents that occurred in the dashboard’s timeframe. |
Splits & Merges Trend | A line graph showing the trend of splits and merges over time. |
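
The compression calculations in the table above can be reproduced offline from an incident export, which is useful when checking whether a pattern's reported compression comes from actioned or non-actioned incidents. The following is an added example, not code from the product: the record layout, field names, and sample values are constructed, and applying the same formula per pattern is an assumption.

```python
from collections import defaultdict

# Constructed sample: one record per incident. "entities" is the number of
# alerts correlated into it. Field names are assumptions, not a product schema.
INCIDENTS = [
    {"id": "inc-1", "pattern": "host", "entities": 6, "is_actioned": True},
    {"id": "inc-2", "pattern": "host", "entities": 4, "is_actioned": False},
    {"id": "inc-3", "pattern": "service,check", "entities": 5, "is_actioned": True},
    {"id": "inc-4", "pattern": None, "entities": 1, "is_actioned": False},
    {"id": "inc-5", "pattern": None, "entities": 1, "is_actioned": True},
]

def entity_count(incident):
    # Per the Total Alerts definition: with no correlation pattern, 1 entity is counted.
    return 1 if incident["pattern"] is None else incident["entities"]

def compression(incidents):
    """1 - (total incidents) / (total entities); None when there are no entities."""
    total_incidents = len({i["id"] for i in incidents})
    total_entities = sum(entity_count(i) for i in incidents)
    if total_entities == 0:
        return None  # avoid dividing by zero on an empty timeframe or filter
    return 1 - total_incidents / total_entities

def compression_by_actioned(incidents, flag):
    """Compression restricted to incidents whose is_actioned equals flag."""
    return compression([i for i in incidents if i["is_actioned"] is flag])

def effectiveness_table(incidents):
    """Per-pattern rows mirroring the Effectiveness Comparison columns."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["pattern"] or "No Pattern"].append(inc)
    return {
        pattern: {
            "alerts": sum(entity_count(g) for g in group),
            "incidents": len(group),
            "actioned": sum(1 for g in group if g["is_actioned"]),
            "non_actioned": sum(1 for g in group if not g["is_actioned"]),
            "compression": compression(group),
        }
        for pattern, group in groups.items()
    }

if __name__ == "__main__":
    print(f"overall: {compression(INCIDENTS):.1%}")
    for name, row in effectiveness_table(INCIDENTS).items():
        print(name, row)
```

In this sample the No Pattern row has a compression of 0, since each such incident holds a single alert.
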
Correlation Pattern Filter
In addition to the time filter, the Correlation Patterns dashboard allows you to filter by a specific correlation pattern.
Select patterns from the filter to drill down into and compare the effectiveness of individual patterns.
Incidents that don’t match any Correlation Pattern won’t compress. The No Pattern incidents row in the Correlation Patterns Effectiveness Comparison widget will highlight these. You can also use the filter to drill down into No Pattern incidents.
Learn more about using filters and widget options in the Filter Dashboards documentation.
Next Steps
View Unified Analytics dashboards
Learn how to Manage Unified Analytics
Find definitions of Unified Analytics key metrics
Dive into potential reporting fields in Unified Analytics Reporting Tables. If your organization uses the Standard Data Model, you can find these tables in the Standard Data Model documentation.