Define Group Context parameters for Correlation Situation elements

The Group context finds event patterns in traffic by keeping track of whether every member in the defined set of Situations matches the required number of times, in any order, within the defined time window.

The Group context has a table in which you define the local filters and log fields that select which event details are considered when events are grouped. In this context, the order in which the events occur is not relevant. If the order of the events must matter, use the Sequence context instead.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Double-click the Event Match cell of each Member and define a local filter. The local filter selects the events for examination.
    You can add and remove members using the buttons to the right (to remove a member, first select a cell within that member’s column).
  2. Double-click the Needed Number cell of each member and enter the number of occurrences of the Event Match that are required for the events to be grouped.
  3. Double-click the Event Binding field and select the Event Binding that defines the set of log events to match.
  4. Drag and drop the relevant Situations to the Correlated Situations field.
  5. Select whether you want to Keep and Forward Events.
  6. Enter the Time Window Size in seconds. All events must occur during this length of time for the Correlation Situation to match.
  7. Select whether you want to trigger Continuous Responses.
  8. (Optional) Select the Usage Context to define where correlation is done.
    Note: If you select a Usage Context that does not include the Log Server, events only match if they are all detected by the same NGFW Engine or NGFW Engine Cluster.
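The following is an added example, not code from the product or its documentation: a small simulation of the Group-context semantics described above, written to make the matching rules concrete. It models each Member as a local filter with a Needed Number, applies a sliding Time Window, and optionally keeps a separate window per NGFW Engine to mimic a Usage Context that excludes the Log Server. The Situation names, engine names, timestamps and the rule that one match consumes its events are all constructed assumptions for illustration; the real engine's internal behaviour is not documented here.

```python
"""Simulation of Group-context correlation (added example, not product code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: float        # seconds; constructed timestamps for the demo
    engine: str      # NGFW Engine that produced the log entry
    situation: str   # Situation name reported in the log entry


@dataclass(frozen=True)
class Member:
    name: str
    event_match: Callable[[Event], bool]  # stands in for the member's local filter
    needed: int = 1                        # the member's Needed Number


Match = Tuple[float, Optional[str], List[Event]]


def correlate_group(events: List[Event], members: List[Member],
                    window: float, per_engine: bool = False) -> List[Match]:
    """Sliding-window matcher: every member must reach its Needed Number
    within `window` seconds, in any order. Returns (match_time, engine, events).

    per_engine=True keeps one window per engine, like a Usage Context without
    the Log Server, so events from different engines never match together.
    """
    buffers = {}   # window key -> events currently inside the time window
    matches: List[Match] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.engine if per_engine else None
        buf = buffers.setdefault(key, [])
        buf.append(ev)
        # Drop events that fell out of the Time Window relative to the newest event.
        buf[:] = [e for e in buf if e.ts >= ev.ts - window]
        # Assumption: each event is tested against every member's filter.
        counts = {m.name: sum(1 for e in buf if m.event_match(e)) for m in members}
        if all(counts[m.name] >= m.needed for m in members):
            matched = [e for e in buf if any(m.event_match(e) for m in members)]
            matches.append((ev.ts, key, matched))
            buf.clear()   # assumption: a match consumes its events (one group, one alert)
    return matches


# Hypothetical Situation names; the exploit member needs two hits.
MEMBERS = [
    Member("scan", lambda e: e.situation == "Port_Scan"),
    Member("exploit", lambda e: e.situation == "HTTP_Exploit", needed=2),
    Member("c2", lambda e: e.situation == "Outbound_C2"),
]
WINDOW = 60  # Time Window Size in seconds

# Constructed log events. Group 1 has its C2 event on a different engine,
# group 2 arrives in reverse order, group 3 is spread wider than the window.
SAMPLE_EVENTS = [
    Event(0, "engine-A", "Port_Scan"),
    Event(10, "engine-A", "HTTP_Exploit"),
    Event(15, "engine-B", "Outbound_C2"),
    Event(20, "engine-A", "HTTP_Exploit"),
    Event(25, "engine-A", "Outbound_C2"),
    Event(100, "engine-A", "Outbound_C2"),
    Event(200, "engine-A", "Outbound_C2"),
    Event(210, "engine-A", "HTTP_Exploit"),
    Event(215, "engine-A", "HTTP_Exploit"),
    Event(220, "engine-A", "Port_Scan"),
    Event(300, "engine-A", "Port_Scan"),
    Event(380, "engine-A", "HTTP_Exploit"),
    Event(381, "engine-A", "HTTP_Exploit"),
    Event(400, "engine-A", "Outbound_C2"),
]


def run_demo() -> Tuple[List[Match], List[Match]]:
    """Run the same events with a shared window and with per-engine windows."""
    shared = correlate_group(SAMPLE_EVENTS, MEMBERS, WINDOW)
    per_engine = correlate_group(SAMPLE_EVENTS, MEMBERS, WINDOW, per_engine=True)
    return shared, per_engine


if __name__ == "__main__":
    shared, per_engine = run_demo()
    for label, result in (("shared window", shared), ("per-engine windows", per_engine)):
        print(label)
        for ts, key, evs in result:
            print(f"  match at t={ts} ({key or 'all engines'}): "
                  + ", ".join(f"{e.situation}@{e.ts}" for e in evs))
```

With a shared window the first group completes at t=20 using the C2 event logged by engine-B; with per-engine windows it only completes at t=25, once engine-A has logged its own C2 event, which is the effect of the Note about Usage Contexts. The reversed second group still matches at t=220 because order is irrelevant, and the third group never matches because its Port_Scan falls outside the 60-second window by the time the C2 event arrives.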