Correlation Patterns Run Order
Customize the correlation engine to finetune correlation patterns for your use cases.
BigPanda’s correlation engine matches incoming alerts to correlation patterns in a specific order. By default, patterns are ordered by the time window of the correlation pattern, from largest time window to shortest.
While this order is usually BigPanda’s recommendation, there are scenarios where patterns with shorter time windows should be prioritized. For example, a data center outage is a high priority incident, but will likely have a shorter time window setting to prevent over-correlating.
Now, you have the option to manually order your correlation patterns to better reflect real system relationships.
Edit Pattern Order
To access the run order for correlation patterns, click the bidirectional arrow icon to the right of the correlation pattern search bar.
This will open a list of all your correlation patterns, both active and inactive. This list will also show you the time window for each correlation pattern, as well as the source system(s) and any filters.
To manually set a new run order, simply drag and drop correlation patterns to arrange them in your desired order. This action will switch your run order to manual mode. Once you save the new order, all new alerts will use the new pattern order.
New Pattern Placement in Manual Ordering Mode
If you create a new correlation pattern while patterns are manually ordered, that pattern will automatically be added to the bottom of the run order. To change when this pattern runs, you’ll need to edit the run order and drag and drop the new pattern to the desired placement.
To run correlation patterns in order of time window instead, simply click Reorder by time window in the upper right corner of the window. The run order for all correlation patterns will then be sorted from longest time window to shortest. Any new patterns created will be added in order by run time.
Learn more about correlation patterns in Manage Alert Correlation.
Display Discrepancy in Incident Console V1
Users not enrolled in the V2 incident console may see discrepancies between their manual correlation pattern order and the order in which correlated alerts are listed in the incident details pane. This is a known UI bug that displays alerts based on time window, even when the alerts themselves are correlated in a manual order. It does not affect the function of the manual run order.
This bug exists only in the V1 incident feed. If you are interested in enabling the V2 incident console for your organization, contact your BigPanda account team.
Correlation Patterns Run Order API Support
Correlation Pattern Run Order can be managed with the Correlation Patterns API using two new endpoints and the new execution-order
field.
Limited Availability
This feature is available in a limited release. Please note that if this feature is not enabled in your organization, the following API functions will not work. If you’re interested in enabling this feature for your organization, contact your BigPanda account team.
There are three changes to the Correlation Patterns API:
-
Retrieve a Correlation Pattern by ID now returns the execution_order field as part of its payload.
-
Update Correlation Patterns Order is a new endpoint that allows you to set the run order for specific correlation patterns via API. Note that using this API call will set the run order for all correlation patterns to manual mode.
-
Reset Correlation Patterns Order is a new endpoint that allows you to set all correlation patterns to run in order from largest time window to smallest. Note that using this API call will set the run order for all correlation patterns to the time window mode.
Partial Ordering
If you use the API to update the order of a partial set of your correlation patterns, the updated correlation patterns will be moved to the top of the run order. For example, if you have a list of seven correlation patterns and you only update the run order for three of them, those three will become the first three patterns to run.
New Field for Correlation Patterns Run Order
Attribute | Description | Type |
---|---|---|
execution_order | The field to identify the correlation pattern order. For GET calls: Returned as a single integer as part of the correlation pattern object. For PUT calls: An array of correlation pattern ids in order by desired run order. | String or Integer |
Example Return for Retrieve a Correlation Pattern by ID
"item": [
{
"id": "393968c0-43ee-431b-9234-6cefe812ebd9",
"active": false,
"tags": [
"dc"
],
"cross_source": false,
"time_window": 120,
"filter": "source_system IN [ \"*\" ]",
"created_by": "63bd568977a8d60012bf3dbe",
"created_at": 1673374612,
"updated_by": "63bd568977a8d60012bf3dbe",
"updated_at": 1675360021,
"source_systems": [
"*"
],
"execution_order": 1
},
Example Update Correlation Pattern Order
{
"execution_order":
[
"6646dd33-bce3-4af0-861b-5271897e5ac4",
"c1e8a9cc-8bbb-4fd3-8dec-c55eafd3d447",
"393968c0-43ee-431b-9234-6cefe812ebd9"
]
}
Updated 7 months ago