Historical Correlation Overview
You configure a historical correlation profile to specify the historical data that you want to analyze and the rule set that you want to test against. When a rule is triggered, an offense is created. You can assign the offense for investigation and remediation.
The profile uses a saved search to collect the historical event and flow data to use in the run. Ensure that your security profile grants permission to view the events and flows that you want to include in the historical correlation run.
Rule Selection and Handling
The JSA console processes data against only the rules that are specified in the historical correlation profile.
Common rules test data in both events and flows. You must have permission to view both events and flows before you can add common rules to the profile. When a profile is edited by a user who doesn't have permission to view both events and flows, the common rules are automatically removed from the profile.
You can include disabled rules in a historical correlation profile. When the profile runs, the disabled rule is evaluated against the incoming events and flows. If the rule is triggered, and the rule action is to generate an offense, the offense is created even when the rule is disabled. To avoid generating unnecessary distractions, rule responses, such as report generation and mail notifications, are ignored during historical correlation.
Because historical correlation processing occurs in a single location, the rules that are included in the profile are treated as global rules. The processing does not change the rule from local to global, but handles the rule as if it were global during the historical correlation run. Some rules, such as stateful rules, might not trigger the same response as they would in a normal correlation that is run on a local event processor. For example, a local stateful rule that tracks five failed logins in 5 minutes from the same user name behaves differently under normal and historical correlation runs. Under normal correlation, this local rule maintains a counter for the number of failed logins that are received by each local event processor. In historical correlation, this rule maintains a single counter for the entire JSA system. In this situation, offenses might be created differently compared to a normal correlation run.
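To make the counter difference concrete, here is an added simulation (not JSA code, and not the product's rule engine) of a "five failed logins in 5 minutes from the same user name" stateful rule. It keys the counter per event processor for a normal local run and per user for a historical run, and applies the 100-offense limit described in this topic; the event stream, processor names and user names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # failed logins needed to trigger the rule
WINDOW = timedelta(minutes=5) # sliding window of the stateful rule
MAX_OFFENSES = 100            # cap on offenses per historical run (from this topic)

# Constructed sample: six failed logins for "alice" within 150 seconds,
# alternating between two event processors ep1 and ep2 (three each).
BASE = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    (BASE + timedelta(seconds=30 * i), f"ep{i % 2 + 1}", "alice", "failed")
    for i in range(6)
]

def stateful_rule(events, scope, limit=None):
    """Evaluate the rule over (timestamp, event_processor, user, outcome) tuples.

    scope == "local":  one counter per (event processor, user), as each local
                       event processor keeps in a normal correlation run.
    scope == "global": one counter per user for the whole system, as in a
                       historical correlation run.
    limit: stop once this many offenses have been created (None = no cap).
    Returns a list of (counter key, trigger time) for each offense created.
    """
    windows = defaultdict(deque)
    offenses = []
    for ts, ep, user, outcome in sorted(events):
        if outcome != "failed":
            continue
        key = (ep, user) if scope == "local" else user
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:      # drop failures outside the window
            q.popleft()
        if len(q) >= THRESHOLD:
            offenses.append((key, ts))
            q.clear()                        # counter resets after the rule fires
            if limit is not None and len(offenses) >= limit:
                break                        # run stops when the cap is reached
    return offenses

def local_run(events=EVENTS):
    """Normal correlation: per-event-processor counters, no offense cap."""
    return stateful_rule(events, "local")

def historical_run(events=EVENTS, limit=MAX_OFFENSES):
    """Historical correlation: a single global counter per user, capped."""
    return stateful_rule(events, "global", limit)
```

With the sample stream, the local run never reaches five failures on either processor, while the historical run triggers on the fifth failure overall, which is exactly the behavioural difference the paragraph above describes.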
Historical correlation runs create offenses only when a rule is triggered and the rule action specifies that an offense must be created. A historical correlation run does not contribute to a real-time offense, nor does it contribute to an offense that was created from an earlier historical correlation run, even when the same profile is used.
The maximum number of offenses that can be created by a historical correlation run is 100. The historical correlation run stops when the limit is reached.
You can view historical offenses on the Threat and Security Monitoring dashboard and on the Offenses tab at the same time that you review real-time offenses.