This update was made to assist in requests we were getting for Correlation of many devices. Either the requests were not specific about what the Causes and Effects are, or the requests were so large that keeping track of the changes would be challenging. This attempts to reduce the number of entries required to track which events should be correlated.
At the same time, an update was made to allow the correlate logic to be dynamically driven. The specific issue was that requests were also coming in all the time to drive a new action or update an existing action. So the correlate rule now drives its "when" decisions based on table entries. It then drives the logic of what to update based on the match table entries.
Any feedback on this to improve the process would be appreciated. I have tested it at a base level, and it functions for my needs. However, I would like to make it generic enough so that any new requests I get will not be an issue.
Attached is a document that goes over an update to the EOT logic for Same Domain Correlation.
The out-of-the-box EOT code was slightly modified. Specifically, the removal of the rules:
The top two generate an event to assist in the correlation logic. This did not work for our environment, so I removed them. I had to add a rule that has the same logic as same_domain_check. However, it searches the known Events in the system instead of the new event class.
The everything rule was removed and replaced with two new rules. The first rule is for the Effect Events, and the second rule is for the Cause Events.
Finally, a new rule was added to parse out information from events and attempt to make generic entries for correlation.