You're viewing version 2.11 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
Correlation engine APIs
Correlation engine APIs allow you to create new correlation rules, view findings and correlations within a certain time window, and perform other tasks.
| Field | Type | Description |
| :--- | :--- | :--- |
| query | String | The query used to filter security logs for correlation. |
| category | String | The log type associated with the log source. |
Example request

```json
POST /_plugins/_security_analytics/correlation/rules
{
  "correlate": [
    {
      "index": "vpc_flow",
      "query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6",
      "category": "network"
    },
    {
      "index": "windows",
      "query": "winlog.event_data.SubjectDomainName:NTAUTHORI*",
      "category": "windows"
    },
    {
      "index": "ad_logs",
      "query": "ResultType:50126",
      "category": "ad_ldap"
    },
    {
      "index": "app_logs",
      "query": "endpoint:/customer_records.txt",
      "category": "others_application"
    }
  ]
}
```
Example response

```json
{
  "_id": "DxKEUIkBpIjg64IK4nXg",
  "_version": 1,
  "rule": {
    "name": null,
    "correlate": [
      {
        "index": "vpc_flow",
        "query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6",
        "category": "network"
      },
      {
        "index": "windows",
        "query": "winlog.event_data.SubjectDomainName:NTAUTHORI*",
        "category": "windows"
      },
      {
        "index": "ad_logs",
        "query": "ResultType:50126",
        "category": "ad_ldap"
      },
      {
        "index": "app_logs",
        "query": "endpoint:/customer_records.txt",
        "category": "others_application"
      }
    ]
  }
}
```
Response fields

| Field | Type | Description |
| :--- | :--- | :--- |
| _id | String | The ID of the new rule. |
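A small client for the create-rule request and response shown above, added here as an example rather than code from the OpenSearch project. It builds the `correlate` body from a list of sources, rejects sources missing any of the three documented fields, and pulls `_id` and `_version` out of the response. The base URL, the "at least two sources" check and the optional `name` field (the response echoes `name`, but sending it on create is assumed here) are this example's assumptions, not documented API constraints.

```python
import json
import urllib.request

# Endpoint documented on this page; the host is supplied by the caller.
CORRELATION_RULES_PATH = "/_plugins/_security_analytics/correlation/rules"
# Request fields documented above for each entry of "correlate".
REQUIRED_SOURCE_KEYS = ("index", "query", "category")

# Constructed sample: the first two sources from the page's example request.
SAMPLE_SOURCES = [
    {"index": "vpc_flow", "query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6", "category": "network"},
    {"index": "windows", "query": "winlog.event_data.SubjectDomainName:NTAUTHORI*",
     "category": "windows"},
]


def build_correlation_rule(sources, name=None):
    """Build the POST body for the create-rule API from (index, query, category) dicts."""
    # Assumption: a correlation between fewer than two sources is not meaningful.
    if len(sources) < 2:
        raise ValueError("a correlation rule needs at least two log sources")
    correlate = []
    for src in sources:
        missing = [k for k in REQUIRED_SOURCE_KEYS if not src.get(k)]
        if missing:
            raise ValueError(f"source {src!r} is missing {missing}")
        # Copy only the documented keys so stray fields never reach the API.
        correlate.append({k: src[k] for k in REQUIRED_SOURCE_KEYS})
    body = {"correlate": correlate}
    if name is not None:  # assumed optional on create; the response shows "name"
        body["name"] = name
    return body


def parse_create_response(raw):
    """Return (rule id, version) from the create-rule response body."""
    doc = json.loads(raw)
    return doc["_id"], doc["_version"]


def create_correlation_rule(base_url, body, auth_header=None, timeout=10):
    """POST the rule to base_url (e.g. https://localhost:9200, an assumption)."""
    req = urllib.request.Request(
        base_url + CORRELATION_RULES_PATH, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    if auth_header:
        req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_create_response(resp.read().decode())
```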
List all findings and their correlations within a time window
This API provides a list of all findings and their correlations within a specified time window:
The correlation score for the correlated finding. The score is based on the proximity of relevant findings in the threat scenario defined by the correlation rule.