Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Viewing Information About Historical Correlation Runs

 

View the history of a historical correlation profile to see information about past runs for the profile.

You can see the list of offenses that were created during the run and the catalog of events or flows that match the triggered rules in the profile. You can view the history for historical correlation runs that are queued, running, complete, complete with errors, and canceled.

For each rule in the profile that contributes to an offense, a catalog is created for each unique value of the property that the offense is indexed on. For each rule that does not contribute to an offense, a single catalog is created.

The following table shows how a historical correlation profile handles catalog creation under different scenarios. In each scenario, the catalog contains all the events or flows that either fully or partially match the triggered rule.

Table 1: Historical Correlation Catalog Examples

Scenario

Result

A rule generates offenses that are indexed on source IP address. The events that triggered the rule have three different source IP addresses.

The historical correlation profile creates three catalogs.

A rule generates offenses that are indexed on username. The events that triggered the rule have five different usernames.

The historical correlation profile creates five catalogs.

A rule is triggered, but the rule action does not create an offense.

The historical correlation profile creates a single catalog that includes all events that triggered the rule.

You cannot build reports on historical correlation data directly from JSA. If you want to use third-party programs to build reports, you can export the data from JSA.

  1. Open the Historical Correlation dialog box.
    • On the Log Activity or Network Activity tab, click Actions > Historical Correlation.

    • On the Offenses tab, click Rules >Actions >Historical Correlation.

  2. Select a profile and click View History.
    1. If the historical correlation run status is Completed and the Offense Count is 0, the profile rules did not trigger any offenses.

    2. If the historical correlation run created offenses, in the Offense Count column, click the link to see a list of the offenses that were created.

      If only one offense was created, the offense summary is shown.

  3. In the Catalogs column, click the links to see the list of events that either fully or partially match the profile rules.

    The StartTime column in the event list represents the time that JSA received the event.

  4. Click Close.