An alert correlation policy is the set of user settings that controls how alerts are correlated.

Policy modes

The following policy modes are supported:

  • Off
  • Observed
  • On

Off

In Off mode, the policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.

Observed

This mode permits you to simulate a policy without affecting alerts. The observed policy creates an observed inference, which simulates the inference that would be created if On mode were active. The observed inference includes links to all alerts involved in the correlation.

On

In On mode, the policy drives automated actions on alerts.

Filter criteria setting

This setting filters out alerts that you do not want correlated with other alerts covered by the same policy.

Inference subject setting

By default, an inference uses the subject of the alert with the earliest created date. You can optionally specify a subject to override the default subject.

Learned sequences

The correlation algorithm correlates alerts that occur at about the same time and learns common alert sequences from historical data.

The continuous learning option causes the learning models to be continuously updated using recent data.

Trained sequences

Using the advanced option, you can train the alert correlation algorithm to correlate known alert sequences. A training file is used to provide training data.

Time-based sequences

Time-based sequences correlate alerts that occur in the same time interval. For example, you can use the within time window setting to correlate all alerts that occur within a five-minute interval.
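The following Python model is an added illustration, not code from the product documentation above, of how the settings described so far combine in one policy run: the policy mode (Off, Observed, On), the filter criteria, the default inference subject (the earliest created alert) with its optional override, and a within time window of five minutes. The class names, the grouping rule (alerts within the window of the first alert in a group) and the sample alerts are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class Alert:
    id: str
    subject: str                        # resource or topic the alert is about
    created: datetime
    inference_id: Optional[str] = None  # set only when a policy in On mode acts on the alert


@dataclass
class Inference:
    id: str
    subject: str
    alert_ids: List[str]
    observed: bool                      # True when created by a policy in Observed mode


@dataclass
class Policy:
    mode: str                           # "off", "observed" or "on"
    window: timedelta                   # the "within time window" setting
    # filter criteria: returns True for alerts that must not be correlated
    filter_out: Callable[[Alert], bool] = lambda alert: False
    subject_override: Optional[str] = None  # inference subject setting


def time_window_groups(alerts: List[Alert], window: timedelta) -> List[List[Alert]]:
    """Group alerts whose creation times fall within `window` of the first alert in the group."""
    groups: List[List[Alert]] = []
    for alert in sorted(alerts, key=lambda a: a.created):
        if groups and alert.created - groups[-1][0].created <= window:
            groups[-1].append(alert)
        else:
            groups.append([alert])
    return [g for g in groups if len(g) > 1]  # a lone alert is not a correlation


def apply_policy(policy: Policy, alerts: List[Alert]) -> List[Inference]:
    """Run the policy once over `alerts`; only On mode writes back to the alerts."""
    if policy.mode == "off":
        return []  # Off: inactive, alerts untouched
    candidates = [a for a in alerts if not policy.filter_out(a)]
    inferences = []
    for n, group in enumerate(time_window_groups(candidates, policy.window), start=1):
        earliest = min(group, key=lambda a: a.created)
        subject = policy.subject_override or earliest.subject  # default: earliest alert's subject
        inference = Inference(
            id=f"inf-{n}",
            subject=subject,
            alert_ids=[a.id for a in group],
            observed=(policy.mode == "observed"),
        )
        inferences.append(inference)
        if policy.mode == "on":  # Observed mode stops here: the inference is only simulated
            for a in group:
                a.inference_id = inference.id
    return inferences


# Constructed sample data (not from the documentation).
T0 = datetime(2024, 1, 1, 12, 0, 0)


def make_alerts() -> List[Alert]:
    return [
        Alert("a1", "switch-01", T0),
        Alert("a2", "web-07", T0 + timedelta(minutes=1)),
        Alert("a3", "db-02", T0 + timedelta(minutes=3)),
        Alert("a4", "heartbeat-probe", T0 + timedelta(minutes=4)),  # noise we filter out
        Alert("a5", "web-09", T0 + timedelta(minutes=20)),
        Alert("a6", "web-10", T0 + timedelta(minutes=22)),
    ]


def run(mode: str, subject_override: Optional[str] = None):
    """Demo helper: returns (inferences, alerts) after one policy run in the given mode."""
    policy = Policy(
        mode=mode,
        window=timedelta(minutes=5),
        filter_out=lambda a: a.subject.startswith("heartbeat"),
        subject_override=subject_override,
    )
    alerts = make_alerts()
    return apply_policy(policy, alerts), alerts


if __name__ == "__main__":
    for mode in ("off", "observed", "on"):
        inferences, alerts = run(mode)
        print(mode, [(i.subject, i.alert_ids, i.observed) for i in inferences],
              [a.inference_id for a in alerts])
```

Running it shows the difference between the modes directly: Off produces nothing, Observed produces the same two inferences as On but leaves every alert's inference link empty, and On links the grouped alerts to their inference while the filtered heartbeat alert stays untouched.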

Learning reinforcement

Learning reinforcement applies additional criteria in making correlation decisions on learned, trained, and time-based sequences.

Using topological relationships

Alerts that occur close in time and which are from connected resources are usually related to the same underlying cause. For example, a failed switch can cause a cascade of alerts on downstream servers and applications.

When the algorithm decides whether to correlate a sequence of alerts into an inference, it applies a higher weight to sequences whose associated resources are topologically related.

Using attribute similarity

Attribute similarity criteria can be used in correlating sequences. Alerts can be related to the same underlying cause if they:

  • Occur at about the same time.
  • Have identical or similar attributes.

For example, a single application failure can generate multiple alerts that have a similar subject.

Use the alert similarity setting to specify alert similarity criteria.
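To make the two reinforcement criteria concrete, here is an added Python example; it is an illustrative scoring model written for this page, not the product's own algorithm. It takes a candidate sequence that has already been found to occur at about the same time, checks whether the resources are connected in a small constructed topology (breadth-first search over an adjacency dictionary), measures summary similarity as word-set overlap, and adds a bonus for each criterion before comparing against a threshold. The bonus sizes, the threshold, the topology and the three sample sequences are all assumptions made for the example.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed topology for the example: resource -> directly connected resources.
TOPOLOGY: Dict[str, Set[str]] = {
    "switch-01": {"web-07", "db-02"},
    "web-07": {"switch-01", "app-03"},
    "db-02": {"switch-01"},
    "app-03": {"web-07"},
    "web-99": set(),  # isolated resource with no known connections
}


def topologically_related(resources: List[str], topology: Dict[str, Set[str]]) -> bool:
    """True if every resource is reachable from every other one (all in one connected component)."""
    targets = set(resources)
    start = next(iter(targets))
    seen = {start}
    queue = deque([start])
    while queue:  # breadth-first search over the undirected topology
        node = queue.popleft()
        for neighbour in topology.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return targets <= seen


def summary_similarity(a: str, b: str) -> float:
    """Jaccard similarity of the word sets of two alert summaries (0.0 .. 1.0)."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def reinforced_score(base_score: float, alerts: List[dict], topology: Dict[str, Set[str]],
                     topo_bonus: float = 0.25, sim_threshold: float = 0.5,
                     sim_bonus: float = 0.2) -> float:
    """Start from the sequence's own score (learned, trained or time-based) and add
    reinforcement bonuses. The bonus sizes are assumptions made for this example."""
    score = base_score
    if topologically_related([a["resource"] for a in alerts], topology):
        score += topo_bonus
    pairs = [(x, y) for i, x in enumerate(alerts) for y in alerts[i + 1:]]
    if pairs and all(summary_similarity(x["summary"], y["summary"]) >= sim_threshold
                     for x, y in pairs):
        score += sim_bonus
    return min(score, 1.0)


def should_correlate(score: float, threshold: float = 0.7) -> bool:
    return score >= threshold


# Constructed candidate sequences, each already found to occur at about the same time.
CASCADE = [  # failed switch -> downstream timeouts (topology helps, summaries differ)
    {"resource": "switch-01", "summary": "Link down on uplink port"},
    {"resource": "web-07", "summary": "Connection timeout to upstream"},
    {"resource": "db-02", "summary": "Connection timeout to upstream"},
]
APP_FAILURE = [  # one application failure raising similar alerts on connected hosts
    {"resource": "app-03", "summary": "Application checkout failed"},
    {"resource": "web-07", "summary": "Application checkout failed timeout"},
]
UNRELATED = [  # coincidental timing only: no topology link, no similarity
    {"resource": "web-99", "summary": "Disk usage above 95 percent"},
    {"resource": "switch-01", "summary": "Link down on uplink port"},
]

if __name__ == "__main__":
    for name, seq in (("cascade", CASCADE), ("app_failure", APP_FAILURE), ("unrelated", UNRELATED)):
        s = reinforced_score(0.5, seq, TOPOLOGY)
        print(f"{name}: score={s:.2f} correlate={should_correlate(s)}")
```

With a base score of 0.5 the switch cascade is lifted over the threshold by topology alone, the application failure gains both bonuses because its alerts are on connected hosts and share most of their summary words, and the unrelated pair stays at its base score and is left uncorrelated even though the two alerts arrived together.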