Correlation Studio

Graphical workshop for designing and simulating event correlation rules with time constraints.

Concept

Correlation Studio helps case study designers relate events which must happen within a specific time frame for a particular situation to be identified: not only must a given set of events occur in a strict order, but each event must also happen within a limited time range. Dealing with pending conditions or related events which can be notified in different orders is no longer a puzzle.

Often, correlation system designers are overwhelmed by the problem. They face logs with thousands of alarms and have only a vague idea of how some of them might be related. Correlation Studio includes a search engine which can help find events which are repeated during a given period of time. From just a small set of events, the engine can find other events which were also repeated over the same period. This gives the designer a good starting point.

Definition

A set of events related by time constraints is called a chronicle.

Searching

Choose a log of alarms, specify a time range and run the search engine. You obtain a table of events which are repeated during this period of time. A pattern begins to appear. It can be used to define a chronicle.

Editing

An event, in a broad sense, is just a filter on a list of values (eventType equipmentAlarm probableCause processorProblem ...). It's described by combining comparison functions on individual fields ((eventType = equipmentAlarm) AND (probableCause = processorProblem)).

The different events in a chronicle are represented by a graph. The time constraint between two events is shown on their link.

Simulation

Designing rules with chronicles is one part of the problem. Checking that chronicles indeed correlate events is just as essential.

Correlation Studio can apply a chronicle to different sets of events, showing how many times the chronicle proved to be true. A timeline showing the sequences of events can be displayed.

The designer can then validate the chronicle.

Export to Excel

Export logs and sequences of events to Excel to use the spreadsheet's ability to display data as charts.

A case in 3 steps

Specifying correlated events

For each chronicle, you define the different events by describing filters, you link them with a graph and you specify the time range between two events directly on the graph.

Loading a log of events

To test a chronicle, you load a series of events from an XML file.

Applying the chronicle

Apply the chronicle to a log to check whether the sequences of events which have been found are correct.
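
The three steps above, as an added Python sketch (not Correlation Studio's own code or file format): events are field filters, the link carries the allowed time range, and the chronicle is applied to a log to count its matches. The timestamp field `t`, the second event's field values and the in-memory log (standing in for the XML file) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    src: str      # earlier event in the chronicle graph
    dst: str      # later event
    min_s: float  # allowed range for dst.t - src.t, in seconds
    max_s: float

def matches(flt, record):
    """An event is a filter: an AND of (field = value) comparisons."""
    return all(record.get(field) == value for field, value in flt.items())

def apply_chronicle(events, links, log):
    """Return every {event name: log record} assignment that satisfies
    all filters and all time constraints. Records are compared by
    timestamp, so the order of notification in the log does not matter."""
    names = list(events)
    candidates = {n: [r for r in log if matches(events[n], r)] for n in names}
    found = []

    def extend(i, chosen):
        if i == len(names):
            found.append(dict(chosen))
            return
        for rec in candidates[names[i]]:
            if any(rec is used for used in chosen.values()):
                continue  # one record cannot play two roles
            chosen[names[i]] = rec
            if all(l.min_s <= chosen[l.dst]["t"] - chosen[l.src]["t"] <= l.max_s
                   for l in links if l.src in chosen and l.dst in chosen):
                extend(i + 1, chosen)
            del chosen[names[i]]

    extend(0, {})
    return found

# Constructed chronicle: a processor problem followed within 30 s by a loss of signal.
EVENTS = {"A": {"eventType": "equipmentAlarm", "probableCause": "processorProblem"},
          "B": {"eventType": "communicationsAlarm", "probableCause": "lossOfSignal"}}
LINKS = [Link("A", "B", 0, 30)]
# Constructed log in arrival order; "t" is seconds. The last pair is notified out of order.
LOG = [dict(t=100, **EVENTS["A"]), dict(t=120, **EVENTS["B"]),
       dict(t=300, **EVENTS["A"]), dict(t=400, **EVENTS["B"]),
       dict(t=510, **EVENTS["B"]), dict(t=500, **EVENTS["A"])]

if __name__ == "__main__":
    for m in apply_chronicle(EVENTS, LINKS, LOG):
        print({name: rec["t"] for name, rec in m.items()})
```

The pair at t=300 and t=400 passes both filters but is rejected by the 30-second constraint, which is the kind of result the simulation step lets the designer check.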