An alert correlation policy is a set of user-defined settings that control how alerts are correlated.
The following policy modes are supported:
- Off mode: the policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.
- Observed mode: the policy is simulated without affecting alerts. An observed policy creates an observed inference, which simulates the inference that would be created if On mode were active. The observed inference includes links to all alerts involved in the correlation.
- On mode: the policy drives automated actions on alerts.
Filter criteria setting
This setting excludes alerts that you do not want correlated with the other alerts covered by the same policy.
Inference subject setting
By default, an inference uses the subject of the alert with the earliest created date. You can optionally specify a subject to override the default subject.
The correlation algorithm correlates alerts that occur near the same time and learns common alert sequences using historical data.
The continuous learning option causes the learning models to be continuously updated using recent data.
With the advanced option, you can train the alert correlation algorithm to correlate known alert sequences; the training data is supplied in a training file.
Time-based sequences correlate alerts that occur in the same time interval. For example, you can use the within time window setting to correlate all alerts that occur within a five-minute interval.
Learning reinforcement applies additional criteria when making correlation decisions for learned, trained, and time-based sequences.
Using topological relationships
Alerts that occur close together in time and originate from connected resources usually share the same underlying cause. For example, a failed switch can cause a cascade of alerts on downstream servers and applications.
When deciding whether to correlate a sequence of alerts into an inference, the algorithm gives a higher weight to sequences whose associated resources are topologically related.
Using attribute similarity
Attribute similarity criteria can also be used when correlating sequences. Alerts can be related to the same underlying cause if they:
- Occur at about the same time.
- Have identical or similar attributes.
For example, an application failure can generate multiple alerts that have a similar subject.
Use the alert similarity setting to specify alert similarity criteria.
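The following is an added example, not code from the product documented above, that models how the filter criteria, inference subject, within-time-window and topological-weighting settings described on this page combine: alerts passing the filter are grouped by a time window, each candidate sequence is scored (the 1.0 base score, the 0.5 bonus per topologically linked pair and the threshold are illustrative assumptions), and the resulting inference takes its subject from the earliest alert unless an override is given. Attribute similarity is not modelled; the `Alert` record and the sample alerts and topology are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Alert:          # constructed minimal alert record
    id: str
    subject: str
    resource: str
    created: datetime

def correlate(alerts, window, keep=lambda a: True, links=frozenset(),
              subject_override=None, threshold=1.0):
    """Group alerts that occur within `window` of each other into inferences.
    keep: filter criteria (alerts failing it are ignored); links: topology as
    frozenset({res_a, res_b}) pairs. Illustrative scoring: 1.0 for co-occurrence
    plus 0.5 per linked pair; a sequence needs score >= threshold to become one."""
    ordered = sorted((a for a in alerts if keep(a)), key=lambda a: a.created)
    inferences, seq = [], []
    def flush(seq):
        if len(seq) < 2:                      # a lone alert is not a sequence
            return
        linked = sum(1 for i, a in enumerate(seq) for b in seq[i + 1:]
                     if frozenset({a.resource, b.resource}) in links)
        score = 1.0 + 0.5 * linked
        if score >= threshold:
            # default subject comes from the alert with the earliest created date
            inferences.append({"subject": subject_override or seq[0].subject,
                               "alerts": [a.id for a in seq], "score": score})
    for a in ordered:
        if seq and a.created - seq[0].created > window:   # window closed
            flush(seq)
            seq = []
        seq.append(a)
    flush(seq)
    return inferences

T0 = datetime(2024, 1, 1, 9, 0)                # constructed sample alerts
SAMPLE_ALERTS = [
    Alert("a1", "link down", "switch-1", T0),
    Alert("a5", "maintenance window started", "switch-1", T0 + timedelta(minutes=1)),
    Alert("a2", "db timeout", "app-server-1", T0 + timedelta(minutes=2)),
    Alert("a3", "disk full", "backup-host", T0 + timedelta(minutes=20)),
    Alert("a4", "cpu high", "backup-host", T0 + timedelta(minutes=21)),
]
SAMPLE_LINKS = frozenset({frozenset({"switch-1", "app-server-1"})})

def demo(threshold=1.0, subject_override=None):   # five-minute time window
    return correlate(SAMPLE_ALERTS, timedelta(minutes=5),
                     keep=lambda a: "maintenance" not in a.subject,
                     links=SAMPLE_LINKS, subject_override=subject_override,
                     threshold=threshold)
```

With the default threshold both time-window groups become inferences; raising it to 1.5 keeps only the group whose resources are topologically linked, which is the effect of the higher weight described under topological relationships.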