USM Anywhere™

Correlation Lists

Role Availability Read-Only Analyst Manager

USM Anywhere enables you to create correlation lists. Use a correlation list to group values together to apply to a single rule. So instead of creating a rule for each value, you can save time and effort by creating a correlation list and using it in a rule.

When creating correlation lists for rules, you can use a standard field, such as event_name or event_description. A helpful use for correlation lists is the creation of user blacklist, whitelists, or both, like event_names. Or you can enter anything you want in the items of the correlation lists, but only up to 500 characters per item. There is a limit of 1000 items per correlation list.

To see an example of an alarm rule using a correlation list, see Example: Creating an Alarm Rule Using a Correlation List.

To create a correlation list

  1. Go to Settings > Rules > Correlation Lists.

    Correlation Lists main window

  2. Click New List.

    New Correlation List dialog box

  3. Enter a name for the correlation list in the Name field and, if desired, a description to clarify its use in the Description field.

    4. Important: The valid characters for the correlation list name are uppercase letters (A–Z), lowercase letters (a–z), numerical digits (0–9), and underscore (_). You can enter up to 64 characters.

  4. Click Add Item to include items in your list.

    5. Important: The list items are restricted to a string format to match the formats of the tested event detail items.

  5. Click Save.

To add a new item to a list

  1. Go to Settings > Rules > Correlation Lists.
  2. Click the list to expand the details of the list.

  3. Click Add Item.

    Add new item to your list

    The Add Item dialog box opens.

    Add Item Dialog Box

  4. Enter the value and click Save.

To modify a correlation list

  1. Go to Settings > Rules > Correlation Lists.

  2. Click the icon of the list you want to modify.

    Edit icon in the main correlation lists page

  3. Modify the data of the items that need to be modified.
  4. Click Save.

To delete a correlation list

  1. Go to Settings > Rules > Correlation Lists.

  2. Click theicon of the list you want to delete.

    Delete Icon in the Correlation Lists main page

    The delete dialog box opens.

  3. Click Delete.

To modify an item of a list

  1. Go to Settings > Rules > Correlation Lists.
  2. Click the list to expand the details of the list.

  3. Click the icon of the item you want to modify.

    Modify an item inside a list

  4. Modify the item and click the icon.

To delete an item of a list

  1. Go to Settings > Rules > Correlation Lists.
  2. Click the list to expand the details of the list.
  3. Click the icon of the item you want to delete.