Viewing Information About Historical Correlation Runs
View the history of a historical correlation profile to see information about past runs for the profile. You can see the list of offenses that were created during the run and the catalog of events or flows that match the triggered rules in the profile. You can view the history for historical correlation runs that are queued, running, complete, complete with errors, and canceled.
A historical correlation catalog is created for each rule that is triggered for each unique source IP address during the run, even if an offense was not created. The catalog contains all the events or flows that either fully or partially match the triggered rule.
You cannot build reports on historical correlation data directly from JSA. If you want to use third-party programs to build reports, you can export the data from JSA.
- Open the Historical Correlation dialog box.
  - On the Log Activity tab, click Actions > Historical Correlation.
  - On the Network Activity tab, click Actions > Historical Correlation.
  - On the Offenses tab, click Rules > Actions > Historical Correlation.
- Select a profile and click View History.
If the historical correlation run status is Completed and the Offense Count is 0, the profile rules did not trigger any offenses.
If the historical correlation run created offenses, in the Offense Count column, click the link to see a list of the offenses that were created.
If only one offense was created, the offense summary is shown.
- In the Catalogs column, click the links to see the list of events that either fully or partially match the profile rules.
The StartTime column in the event list represents the time that JSA received the event.
- Click Close.