Correlation Patterns
Alert Correlation Logic sets rules to correlate alerts into BigPanda incidents. BigPanda's open machine learning engine will automatically create correlation patterns based on the alerts received, and will suggest new patterns as situations arise. You can customize the correlation patterns to better fit your infrastructure at any time.
Correlation Patterns
Authentication
All BigPanda APIs require Bearer Token Authorization in the call headers.
This API uses the User API Key type of Authorization token.
BigPanda recommends adding Authentication headers only in the secure tool you use to make API calls.
Enrichment V2 required
The Correlation Patterns API uses the underlying systems of the Enrichment V2 Engine. Your organization must have migrated to Enrichment V2 before using the Correlation API.
DO NOT USE the API without Enrichment V2 enabled or existing V1 Correlation patterns may be damaged.
Creating correlation patterns
The system will reject a request to create a correlation pattern that is identical to an existing one.
Run order will be reset to time window mode
Resetting the correlation pattern order via API will undo all run order changes, including those made in the BigPanda UI. After making this API call, all correlation patterns will be run in order of time window, from largest time window to shortest.
curl --request POST \
--url https://api.bigpanda.io/resources/v2.0/correlation-patterns \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json' \
---data '{
"tags": [
"service",
"check"
],
"time_window": 60,
"active": true,
"cross_source": false,
}`curl --request POST \
--url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json' \
---data '{
"tags": [
"service",
"check"
],
"time_window": 60,
"active": true,
"cross_source": false,
}`curl --request GET \
--url https://api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request GET \
--url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request GET \
--url https://api.bigpanda.io/resources/v2.0/correlation-patterns \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request GET \
--url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request PATCH \
--url https://api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
--header 'Authorization: Bearer <USER API KEY>' \
--header "Content-Type: application/json" \
--data '{
"tags": [
"service",
"check"
],
"time_window": 60,
"active": true,
"cross_source": false,
"filter": "host= \"api\" AND source_system IN [ \"*\"]",
}'curl --request PATCH \
--url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
--header 'Authorization: Bearer <USER API KEY>' \
--header "Content-Type: application/json" \
--data '{
"tags": [
"service",
"check"
],
"time_window": 60,
"active": true,
"cross_source": false,
"filter": "host= \"api\" AND source_system IN [ \"*\"]",
}'curl --request DELETE \
--url https://api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request DELETE \
--url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request PUT \
--url https://api.bigpanda.io/resources/v2.1/correlation-patterns-order \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json' \
---data '{
"execution_order":
[
"6646d555-b555-4af0-861b-5271897e5ac4",
"c1e8a555-8555-4fd3-8dec-c55eafd3d447",
"39396555-4555-431b-9234-6cefe812ebd9"
]
}'curl --request PUT \
--url https://eu-api.bigpanda.io/resources/v2.1/correlation-patterns-order \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json' \
---data '{
"execution_order":
[
"6646dd33-b555-4af0-861b-5271897e5ac4",
"c1e8a9cc-8555-4fd3-8dec-c55eafd3d447",
"393968c0-4555-431b-9234-6cefe812ebd9"
]
}'curl --request POST \
--url https://api.bigpanda.io/resources/v2.1/correlation-patterns-order/reset \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'curl --request POST \
--url https://eu-api.bigpanda.io/resources/v2.1/correlation-patterns-order/reset \
--header 'Authorization: Bearer <USER API KEY>' \
--header 'Content-Type: application/json'Parameters
The correlation-patterns object schema includes the following attributes:
Parameter | Description | Type |
|---|---|---|
id | System-generated unique identifier for a correlation pattern | UUID |
active | Whether the correlation pattern is active. Default condition is true | Boolean |
tags | Array of tag name(s) to correlate within the pattern. At least 1 item must appear in the array. No more than 5 items in the array. No duplicate names in the array. | Array |
time_window | Time frame to determine correlation in minutes | Integer |
filter | BPQL Filter to set conditions for the correlation pattern | String |
cross_source | Determines if alerts can be correlated from different source systems into the same incident Default condition is true | Boolean |
note | Brief description of the correlation pattern | String |
created_at | Unix epoch time when the correlation pattern was created (in seconds). | Timestamp (in seconds) |
created_by | The ID of the user who created the correlation pattern | User ID |
updated_at | Unix epoch time when the correlation pattern was last updated (in seconds). | Timestamp (in seconds) |
updated_by | The ID of the user who last updated the correlation pattern | User ID |
suggested_at | Unix epoch time when the correlation pattern was suggested by machine learning (in seconds). | Timestamp (in seconds) |
execution_order | The field to identify the correlation pattern order. For GET calls: Returned as a single integer as part of the correlation pattern object. For PUT calls: An array of correlation pattern ids in order by desired run order. | String or Integer |
Execution_order field
The execution_order parameter is part of the Correlation Patterns Run Order feature. This feature is available in a limited release. Please note that if this feature is not enabled in your organization, this field will not work. If you’re interested in enabling this feature for your organization, contact your BigPanda account team.
Sample Correlation Pattern Object
{
"id": "393968c0-43ee-431b-9234-6cefe812ebd9",
"active": false,
"tags": [
"dc"
],
"cross_source": false,
"time_window": 120,
"filter": "source_system IN [ \"*\" ]",
"created_by": "63bd568977a8d60012bf3dbe",
"created_at": 1673374612,
"updated_by": "63bd568977a8d60012bf3dbe",
"updated_at": 1675360021,
"source_systems": [
"*"
],
"execution_order": 1
},