Detectors

The Detector section is used to group one or more Detection Rules under a named detector. This detector acts as a correlation logic block and will be used to generate incidents/alerts.

Navigation: Configurations > Rule Configuration > Detectors

Purpose: Detectors combine multiple detection rules and define the logic needed to trigger a correlation or incident.

On the Detector screen, you will see the newly created detector. In the table, you can click "Edit", "Delete" or "View" for each detector.

Figure 1. Detector

Steps to Add Detector:

  1. Click “+ Detector”
  2. Enter:
    • Detector Name
    • Type – Choose matching log type
    • Description
  3. Select Detection Rules from the list
  4. Click Submit

Detectors are the final layer used for triggering incident alerts in the Event Correlation pipeline.

Figure 2. Detector Add

Steps to Edit Detector:

  1. Update the required parameters
  2. Click Submit

Figure 3. Detector Edit
Figure 4. Detector Edit (cont.)

Steps to Delete Detector:

  1. Click the Delete button
  2. Click OK to confirm the message in the pop-up dialog box.

Figure 5. Detector Delete

After clicking Play, the detector is active and the user can see the incidents it generates. If the detector is paused, incident generation is stopped.
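To make the detector model above concrete (the Add fields, the log-type match, and the Play/Pause state), here is an added illustrative Python sketch; it is not the product's code, and the "every selected rule matched at least one event of the detector's type" correlation logic is an assumption, since the page does not state how rules are combined. The sample events are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample log events (illustrative only, not from the product).
SAMPLE_EVENTS = [
    {"log_type": "auth", "user": "alice", "outcome": "failure"},
    {"log_type": "auth", "user": "alice", "outcome": "success"},
    {"log_type": "proxy", "user": "alice", "outcome": "failure"},
]

@dataclass
class DetectionRule:
    """One detection rule: a name plus a predicate over a single event."""
    name: str
    match: Callable[[dict], bool]

@dataclass
class Detector:
    """Groups rules under a Name, Type and Description (the Add fields).
    Assumption: an incident is raised when every selected rule matches at
    least one event of the detector's log type in the batch; the page does
    not state the product's actual correlation logic."""
    name: str
    log_type: str
    description: str
    rules: List[DetectionRule]
    paused: bool = False  # Pause stops incident generation, Play resumes it

    def evaluate(self, events: List[dict]) -> List[dict]:
        if self.paused:
            return []  # a paused detector never raises incidents
        # Only events whose log type matches the detector's Type are scored
        scoped = [e for e in events if e.get("log_type") == self.log_type]
        hits = {r.name: [e for e in scoped if r.match(e)] for r in self.rules}
        if not all(hits.values()):
            return []  # some rule never fired, so nothing to correlate
        return [{"detector": self.name, "matched": hits}]

# Example detector built from the fields the Add screen asks for.
BRUTE_FORCE = Detector(
    name="Failed logins then success",
    log_type="auth",
    description="Failures and a success in the same auth batch",
    rules=[
        DetectionRule("auth-failure", lambda e: e["outcome"] == "failure"),
        DetectionRule("auth-success", lambda e: e["outcome"] == "success"),
    ],
)
```

Running `BRUTE_FORCE.evaluate(SAMPLE_EVENTS)` yields one incident; the same detector with `paused=True`, or with `log_type="proxy"`, yields none.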

Figure 6. Detector Play
Figure 7. Detector Pause