| Role Availability | Read-Only | Investigator | Analyst | Manager |
|---|---|---|---|---|
- Go to Settings > Rules > Correlation Rules.
- You can use the search field above the table to search for a rule by entering the search text in the field and then clicking the icon. You can also filter the rules by Rule Type (Customized - rules overridden by users or LevelBlue - rules provided by LevelBlue Labs Threat Intelligence) or Rule Status (Enabled or Disabled).
- Click the rule to expand it and see the rule details. You can see the strategy, method, and rule itself. You will also see the number of occurrences, length, mute length, and priority assigned to the correlation rule. You can edit the default values. See instructions below for overriding correlation rules.
- Click the icon to open the Alarms List view page. The page includes Rules Name as a filter so that you can see how many alarms match the selected rule.

Note: The mute length indicates how long the rule is not going to generate an alarm.
- Click Edit in the Modifiable Fields section within the correlation rule flyout.
- Specify the new values for the different fields.

  | Field | Description |
  |---|---|
  | Occurrences | The number of event occurrences that you want to produce a match on the conditional expression to trigger the rule. |
  | Mute Length | Indicates how long the rule is not going to generate an alarm. |
  | Length | The timespan that you want to use to identify a match for multiple occurrences. |
  | Priority | See Priority Fields for Alarms for more information. |

- Click Save.
The correlation rule will be updated, and the rule type will be changed from LevelBlue to Customized.
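
The sketch below is an added illustration, not LevelBlue code or the product's rule engine: it models how Occurrences, Length, and Mute Length interact so you can see which alarms an override suppresses before you save it. It assumes all values are in seconds and that events arriving during the mute period are discarded; the `ThresholdRule` class and the sample timestamps are constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ThresholdRule:
    occurrences: int    # matching events required to trigger the rule
    length: float       # window (seconds, assumed) the events must fall within
    mute_length: float  # seconds (assumed) with no alarm after one fires
    _window: deque = field(default_factory=deque)
    _muted_until: float = float("-inf")

    def observe(self, ts: float) -> bool:
        """Feed one matching event timestamp; return True if an alarm fires."""
        if ts < self._muted_until:
            return False  # assumption: events during the mute period are dropped
        self._window.append(ts)
        # Discard events that have aged out of the Length window.
        while ts - self._window[0] > self.length:
            self._window.popleft()
        if len(self._window) >= self.occurrences:
            self._window.clear()
            self._muted_until = ts + self.mute_length
            return True
        return False


def alarms(rule: ThresholdRule, timestamps) -> list:
    """Return the timestamps at which the rule would raise an alarm."""
    return [ts for ts in sorted(timestamps) if rule.observe(ts)]


# Constructed sample: seconds at which an event matched the rule condition.
EVENTS = [0, 20, 40, 50, 55, 58, 400, 410, 420, 2000, 2100, 2105, 2110]


def demo():
    default = alarms(ThresholdRule(occurrences=3, length=60, mute_length=0), EVENTS)
    muted = alarms(ThresholdRule(occurrences=3, length=60, mute_length=600), EVENTS)
    return default, muted


if __name__ == "__main__":
    default, muted = demo()
    print("mute 0s   ->", default)
    print("mute 600s ->", muted)
```

With the longer mute length, the separate burst at 400 to 420 seconds produces no alarm, which is the visibility trade-off to weigh when raising Mute Length to reduce noise.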