Correlation: Detections

Correlation is the pipeline stage that runs after Ingest & Analytics produces indicators (observed changes in a metric stream that fall outside the expected model). It looks for associations between indicators (e.g. same application and location, same time window, same metric type) and groups related indicators into a single detection. Each detection becomes one incident and, when it starts a runbook run, acts as a trigger. For more information, see Detection and Trigger.

Within each detection, Correlation picks one indicator as the Primary Indicator (the leading indicator of the problem). That choice drives the incident description and determines which runbook (an automated workflow that runs in response to a triggered event) executes. All other indicators in the detection are Correlated Indicators and provide supporting context. So Correlation does two things: it reduces noise by grouping related indicators into one incident, and it decides which indicator is "first" so the right runbook runs and the incident summary makes sense.

Without correlation you would get one incident per indicator, which can be overwhelming. Correlation groups related anomalies (e.g. same app at the same location, or several interfaces on the same device) into a single incident and chooses a primary cause, so you get one actionable incident with context instead of many raw indicators. The primary indicator also controls which runbook executes and what appears in the incident description.

How to access: The Console UI (user interface) has no separate "Correlation" or "Detections" page. You see the result of correlation on every incident. Open the Incidents page, then open an incident. On the Incident Details page, the Incident Sources section shows the Primary Indicator and any Correlated Indicators, with entity, metric, expected vs. observed values, and when correlation started. That content is the detection for that incident.

How the correlation stage builds a detection

Correlation processes every indicator from Ingest & Analytics to find associations or commonalities, groups related indicators into a single detection, and surfaces each detection as an incident.

When Correlation groups indicators into a detection, it also identifies which indicator is Primary (the leading indicator of the problem). The Primary Indicator is the basis for creating the incident and for deciding which runbook runs. All other indicators in the detection are Correlated Indicators and play a supporting role.

Note: A detection can contain a single indicator when no associations or commonalities are found. In that case the detection has only a Primary Indicator and no Correlated Indicators.
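The grouping described above, as an added illustration that is not the product's own correlation code: indicators that share an entity and location and start within a short window are grouped into one detection, the earliest indicator is taken as Primary, and an indicator with no association becomes a single-indicator detection. The association rule, the 5-minute window, and the "earliest is Primary" choice are assumptions made for this example; the sample indicators are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Indicator:
    id: str
    entity: str        # application or network device the metric belongs to
    location: str
    metric: str
    start: datetime    # when the anomaly was first observed


@dataclass
class Detection:
    primary: Indicator                         # leading indicator; drives incident and runbook
    correlated: list = field(default_factory=list)  # supporting indicators


WINDOW = timedelta(minutes=5)  # assumed association window for this example


def related(primary: Indicator, other: Indicator) -> bool:
    """Assumed association rule: same entity, same location, start within WINDOW of the Primary."""
    return (primary.entity == other.entity
            and primary.location == other.location
            and abs(primary.start - other.start) <= WINDOW)


def correlate(indicators: list) -> list:
    """Group indicators into detections; the earliest indicator of a group becomes Primary."""
    detections = []
    for ind in sorted(indicators, key=lambda i: i.start):
        for det in detections:
            if related(det.primary, ind):
                det.correlated.append(ind)
                break
        else:
            # No association found: a single-indicator detection with only a Primary
            detections.append(Detection(primary=ind))
    return detections


def describe(det: Detection) -> str:
    """Incident description derived from the Primary Indicator."""
    p = det.primary
    return f"{p.entity} @ {p.location}: {p.metric} anomaly ({len(det.correlated)} correlated)"


T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [  # constructed indicators
    Indicator("i1", "checkout-api", "dc-east", "latency_p95", T0 + timedelta(minutes=2)),
    Indicator("i2", "checkout-api", "dc-east", "error_rate", T0),
    Indicator("i3", "checkout-api", "dc-west", "latency_p95", T0 + timedelta(minutes=1)),
    Indicator("i4", "checkout-api", "dc-east", "cpu_util", T0 + timedelta(minutes=30)),
]

if __name__ == "__main__":
    for det in correlate(SAMPLE):
        print(describe(det))
```

Running it yields three detections: i2 as Primary with i1 correlated, and i3 and i4 as single-indicator detections (different location and outside the window, respectively).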

For how triggers map to runbooks, see Automation (LogIQ Engine). For how indicators are produced, see Ingest & Analytics: Indicators.