Correlation Patterns

Alert Correlation Logic sets rules to correlate alerts into BigPanda incidents. BigPanda's open machine learning engine will automatically create correlation patterns based on the alerts received, and will suggest new patterns as situations arise. You can customize the correlation patterns to better fit your infrastructure at any time.

Authentication

All BigPanda APIs require a Bearer token in the Authorization header of every call.

This API uses the User API Key type of authorization token.

BigPanda recommends adding the Authorization header only in the secure tool you use to make API calls; keep the key out of shared scripts, screenshots and logs.

Enrichment V2 required

The Correlation Patterns API uses the underlying systems of the Enrichment V2 Engine. Your organization must have migrated to Enrichment V2 before using the Correlation Patterns API.

DO NOT USE the API without Enrichment V2 enabled, or existing V1 correlation patterns may be damaged.

Creating correlation patterns

The system rejects a request to create a correlation pattern that is identical to an existing one.

Run order will be reset to time window mode

Resetting the correlation pattern order via the API (see Example 7) undoes all run order changes, including those made in the BigPanda UI. After this call, all correlation patterns run in order of time window, from the largest time window to the shortest.

Example 1. Create a correlation pattern
curl --request POST \
     --url https://api.bigpanda.io/resources/v2.0/correlation-patterns \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
    "tags": [
        "service",
        "check"
    ],
    "time_window": 60,
    "active": true,
    "cross_source": false
}'
curl --request POST \
     --url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
    "tags": [
        "service",
        "check"
    ],
    "time_window": 60,
    "active": true,
    "cross_source": false
}'


Example 2. Retrieve a correlation pattern by ID
curl --request GET \
     --url https://api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'
curl --request GET \
     --url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'


Example 3. Retrieve all correlation patterns
curl --request GET \
     --url https://api.bigpanda.io/resources/v2.0/correlation-patterns \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'
curl --request GET \
     --url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'


Example 4. Update a correlation pattern
curl --request PATCH \
     --url https://api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
         "tags": [
             "service",
             "check"
         ],
         "time_window": 60,
         "active": true,
         "cross_source": false,
         "filter": "host = \"api\" AND source_system IN [ \"*\" ]"
     }'
curl --request PATCH \
     --url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
         "tags": [
             "service",
             "check"
         ],
         "time_window": 60,
         "active": true,
         "cross_source": false,
         "filter": "host = \"api\" AND source_system IN [ \"*\" ]"
     }'


Example 5. Delete a correlation pattern
curl --request DELETE \
     --url https://api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'
curl --request DELETE \
     --url https://eu-api.bigpanda.io/resources/v2.0/correlation-patterns/${id} \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'


Example 6. Update correlation pattern order
curl --request PUT \
     --url https://api.bigpanda.io/resources/v2.1/correlation-patterns-order \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
    "execution_order": [
        "6646d555-b555-4af0-861b-5271897e5ac4",
        "c1e8a555-8555-4fd3-8dec-c55eafd3d447",
        "39396555-4555-431b-9234-6cefe812ebd9"
    ]
}'
curl --request PUT \
     --url https://eu-api.bigpanda.io/resources/v2.1/correlation-patterns-order \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json' \
     --data '{
    "execution_order": [
        "6646dd33-b555-4af0-861b-5271897e5ac4",
        "c1e8a9cc-8555-4fd3-8dec-c55eafd3d447",
        "393968c0-4555-431b-9234-6cefe812ebd9"
    ]
}'


Example 7. Reset correlation pattern order
curl --request POST \
     --url https://api.bigpanda.io/resources/v2.1/correlation-patterns-order/reset \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'
curl --request POST \
     --url https://eu-api.bigpanda.io/resources/v2.1/correlation-patterns-order/reset \
     --header 'Authorization: Bearer <USER API KEY>' \
     --header 'Content-Type: application/json'


Parameters

The correlation-patterns object schema includes the following attributes (parameter, type, description):

id (UUID)
    System-generated unique identifier for a correlation pattern.

active (Boolean)
    Whether the correlation pattern is active. Default is true.

tags (Array)
    Array of tag name(s) to correlate within the pattern. At least 1 and no more than 5 items; no duplicate names.

time_window (Integer)
    Time frame, in minutes, within which alerts are correlated.

filter (String)
    BPQL filter that sets the conditions for the correlation pattern.

cross_source (Boolean)
    Whether alerts from different source systems can be correlated into the same incident. Default is true.

note (String)
    Brief description of the correlation pattern.

created_at (Timestamp, in seconds)
    Unix epoch time when the correlation pattern was created.

created_by (User ID)
    The ID of the user who created the correlation pattern.

updated_at (Timestamp, in seconds)
    Unix epoch time when the correlation pattern was last updated.

updated_by (User ID)
    The ID of the user who last updated the correlation pattern.

suggested_at (Timestamp, in seconds)
    Unix epoch time when the correlation pattern was suggested by machine learning.

execution_order (Integer in GET responses; Array of UUID strings in PUT requests)
    The field that identifies the correlation pattern run order. GET calls return it as a single integer on each correlation pattern object. The PUT call to correlation-patterns-order takes an array of correlation pattern ids listed in the desired run order.

Execution_order field

The execution_order parameter belongs to the Correlation Patterns Run Order feature, which is available in a limited release. If the feature is not enabled for your organization, this field will not work. To enable it, contact your BigPanda account team.

Sample Correlation Pattern Object

A single correlation pattern object as returned by the API. Note that the response also carries a source_systems array, which is not listed in the parameters above.

{
    "id": "393968c0-43ee-431b-9234-6cefe812ebd9",
    "active": false,
    "tags": [
        "dc"
    ],
    "cross_source": false,
    "time_window": 120,
    "filter": "source_system IN [ \"*\" ]",
    "created_by": "63bd568977a8d60012bf3dbe",
    "created_at": 1673374612,
    "updated_by": "63bd568977a8d60012bf3dbe",
    "updated_at": 1675360021,
    "source_systems": [
        "*"
    ],
    "execution_order": 1
}
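The curl calls above each show one request in isolation. The following Python module, added here as an example and not BigPanda's own client or SDK, puts the documented rules together: it validates a request body against the schema in the parameters table (1 to 5 distinct tags, an integer time_window, boolean active and cross_source), refuses to POST a pattern identical to one already returned by the retrieve-all call (the server rejects these anyway, but checking first avoids a wasted round trip and a confusing error), previews the order the reset call restores (largest time window first), and builds the v2.1 run-order PUT and reset POST. The bearer token is read from an environment variable rather than written into source. Assumptions beyond the page: BIGPANDA_USER_API_KEY is an invented variable name, the retrieve-all call is assumed to return a JSON array of pattern objects shaped like the sample above, "identical" is taken to mean same tag set, time window, cross_source and filter, and FakeTransport with its constructed patterns stands in for the network so the module runs offline.

```python
"""Helper client for the Correlation Patterns API (added example, not BigPanda's own code).
Paths, field names and schema limits follow the page; the validation, duplicate check,
run-order preview and injectable transport are this example's own design."""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional

US_BASE, EU_BASE = "https://api.bigpanda.io", "https://eu-api.bigpanda.io"
PATTERNS_PATH = "/resources/v2.0/correlation-patterns"
ORDER_PATH = "/resources/v2.1/correlation-patterns-order"


def validate_pattern(pattern: Dict) -> List[str]:
    """Check a request body against the documented schema; return the problems found."""
    errors = []
    tags = pattern.get("tags")
    if not isinstance(tags, list) or not 1 <= len(tags) <= 5:
        errors.append("tags must be an array of 1 to 5 tag names")
    elif any(not isinstance(t, str) or not t for t in tags) or len(set(tags)) != len(tags):
        errors.append("tags must be distinct, non-empty strings")
    window = pattern.get("time_window")
    if isinstance(window, bool) or not isinstance(window, int) or window <= 0:
        errors.append("time_window must be a positive integer (minutes)")
    for key, typ in (("active", bool), ("cross_source", bool), ("filter", str), ("note", str)):
        if key in pattern and not isinstance(pattern[key], typ):
            errors.append(f"{key} must be a {typ.__name__}")
    return errors


def pattern_key(pattern: Dict) -> tuple:
    """Canonical form for spotting a pattern identical to an existing one. Assumption:
    same tag set, time_window, cross_source (default true) and filter count as identical;
    the server's exact comparison is not documented on this page."""
    return (tuple(sorted(pattern.get("tags", []))), pattern.get("time_window"),
            pattern.get("cross_source", True), pattern.get("filter"))


def default_run_order(patterns: List[Dict]) -> List[str]:
    """Order the reset call restores: largest time_window first (ties unspecified; stable sort)."""
    return [p["id"] for p in sorted(patterns, key=lambda p: p["time_window"], reverse=True)]


class CorrelationPatternsClient:
    def __init__(self, api_key: str, base_url: str = US_BASE,
                 transport: Optional[Callable[[urllib.request.Request], object]] = None):
        self.base_url = base_url.rstrip("/")
        # The bearer token lives only in this header dict; never log or print it.
        self._headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
        self._transport = transport or self._send

    @staticmethod
    def _send(req: urllib.request.Request):
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
        return json.loads(body) if body else None

    def _call(self, method: str, path: str, body: Optional[Dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, headers=self._headers, method=method)
        return self._transport(req)

    def list_patterns(self) -> List[Dict]:
        return self._call("GET", PATTERNS_PATH)  # assumed to return a JSON array of pattern objects

    def create_pattern(self, pattern: Dict) -> Dict:
        problems = validate_pattern(pattern)
        if problems:
            raise ValueError("; ".join(problems))
        for existing in self.list_patterns():  # the server rejects identical patterns as well
            if pattern_key(existing) == pattern_key(pattern):
                raise ValueError(f"identical pattern already exists: {existing['id']}")
        return self._call("POST", PATTERNS_PATH, pattern)

    def set_run_order(self, ids: List[str]):
        return self._call("PUT", ORDER_PATH, {"execution_order": list(ids)})

    def reset_run_order(self):  # undoes every run-order change, including those made in the UI
        return self._call("POST", ORDER_PATH + "/reset")


class FakeTransport:
    """Constructed stand-in for the network: records each request and serves canned patterns."""
    def __init__(self, existing: List[Dict]):
        self.existing, self.calls = existing, []

    def __call__(self, req: urllib.request.Request):
        body = json.loads(req.data) if req.data else None
        self.calls.append((req.get_method(), req.full_url, body))
        if req.get_method() == "GET":
            return self.existing
        if req.get_method() == "POST" and body is not None:
            return dict(body, id="00000000-0000-4000-8000-000000000001")  # made-up id
        return {}


if __name__ == "__main__":
    key = os.environ.get("BIGPANDA_USER_API_KEY", "offline-dummy-key")  # assumed variable name
    fake = FakeTransport([{"id": "393968c0-43ee-431b-9234-6cefe812ebd9", "tags": ["dc"],
                           "time_window": 120, "cross_source": False}])
    client = CorrelationPatternsClient(key, transport=fake)
    print(client.create_pattern({"tags": ["service", "check"], "time_window": 60}))
    print(default_run_order(fake.existing))
```

Pass base_url=EU_BASE to target the EU endpoint, and omit the transport argument to send real requests over urllib. Run default_run_order over the result of list_patterns before calling reset_run_order to see which order the reset will impose; because the reset also discards changes made in the UI, comparing that preview with the current execution_order values is the cheap check before an irreversible call.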