Managing correlation rules
The Manage Rules page provides the options to modify, delete, enable, disable, set up an alert profile for, and hide or show rules. Navigate to this page by clicking on the Manage Rules button in the bottom left corner of the Correlation tab page.
Creating a Correlation rule
Log360 Cloud comes with a Custom Correlation Rule Builder which allows you to create custom rules using a drag and drop interface. While creating the rules, you can specify the threshold limit, filters, and more.
- Click on the Create Correlation rule button placed at the top right corner of the Manage Rules page.
- Select the individual actions from the predefined list specified on the left pane and in the required sequential order. You can also search for actions using the search bar on the top.
- Check the Threshold limit check box and enter the number of occurrences and time interval.
- Select the next action and, under the Followed by within label, specify the time interval (seconds or minutes) within which it must follow the previous action.
- Click Create.
Note: It will take up to fifteen minutes for Log360 Cloud to start correlating the logs after the rules are set. Newly set correlation rules do not take historic logs into account.
Advanced Options
Every action within a correlation rule maps to a log or a field within a log, such as message, port, user name, etc. The advanced options, accessible through the Filters on the right side of an action, allow you to set filter criteria for each log field. Additionally, you can define a threshold for the minimum number of actions and group the filter criteria to formulate rules for complex scenarios.
Link to
- The Link to comparison type enables you to compare the value of a selected field in one action to the value of a field in another action within the same rule. For instance, if the Device Name field in Action 1 is linked to the Remote Device value in Actions 2 and 3, Action 1 will only trigger if the value in the Device Name field of Action 1 is exactly the same as the value in the Remote Device field of Actions 2 and 3.
- When you choose Link to, the icon appears at the end of the filter. Clicking on the icon will present a new tab.
- Click the checkbox corresponding to the field of the second action against which you want to compare the value of the previous action. Click OK to complete linking the two actions.
Is constant
The "is constant" condition treats a field's value as unchanging. An action with this condition triggers when the field's value remains the same across all iterations. For instance, if the "Target User" field in an action is set to "is constant," the action will trigger only when the field value is identical in every iteration. If the field value changes, the action will not trigger.
Custom action
Log360 Cloud allows users to create custom actions that can be used in correlation rules. With custom actions, users can define specific criteria and utilize these custom-defined actions to establish correlation rules, enhancing the flexibility and precision of their security configurations.
Creating a custom action
- To create a Custom Action, click on Manage Custom Actions.
- The Manage Custom Actions popup will open. In the top-right corner, click on the create new action button.
- The Create Custom Action popup will open. Enter the name for the action.
- Enter the action description (if required). Choose from the dropdowns provided to set the criteria for the action.
- Click on Create.
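The rule-builder concepts described above (action criteria, a threshold with a time window, Followed by within, Link to, and is constant) are easier to reason about when you see them evaluated over a stream of events. The following is an added example, not Log360 Cloud code: a small Python correlation engine that applies those concepts to constructed sample log events. Field names (`ts`, `event`, `target_user`, `remote_device`), the event values, and the rule itself are assumptions made for illustration. One simplification: a Link to is expressed on the later action and refers back to the first occurrence that satisfied an earlier action.

```python
from dataclasses import dataclass, field

# Added example, not Log360 Cloud code. Field names and sample events are constructed.


@dataclass
class Action:
    name: str
    filters: dict                                   # log field -> required value (the action's criteria)
    threshold: int = 1                              # minimum number of occurrences ...
    within: int = 0                                 # ... that must fall inside this many seconds (0 = no window)
    followed_within: int = 0                        # max seconds after the previous action triggered (0 = any)
    link_to: dict = field(default_factory=dict)     # this field -> (earlier action index, field of that action)
    constant: list = field(default_factory=list)    # "is constant": fields identical across all occurrences


def matches(action, event, bound):
    """Apply the action's filters and Link to checks to one event.
    `bound` holds the first occurrence that satisfied each earlier action."""
    if any(event.get(f) != v for f, v in action.filters.items()):
        return False
    return all(event.get(f) == bound[i].get(other) for f, (i, other) in action.link_to.items())


def evaluate_rule(actions, events):
    """Return one occurrence group per action if the whole sequence is satisfied, else None."""
    events = sorted(events, key=lambda e: e["ts"])
    bound, groups, last_ts = [], [], None
    for action in actions:
        hits, triggered = [], None
        for ev in events:
            if last_ts is not None:
                if ev["ts"] <= last_ts:
                    continue                        # only events after the previous action count
                if action.followed_within and ev["ts"] - last_ts > action.followed_within:
                    break                           # sorted input: nothing later satisfies Followed by within
            if not matches(action, ev, bound):
                continue
            hits.append(ev)
            if len(hits) < action.threshold:
                continue
            group = hits[-action.threshold:]        # the most recent `threshold` occurrences
            if action.within and group[-1]["ts"] - group[0]["ts"] > action.within:
                continue                            # occurrences too spread out for the threshold window
            if any(len({e.get(f) for e in group}) != 1 for f in action.constant):
                continue                            # "is constant" violated: the field changed between iterations
            triggered = group
            break
        if triggered is None:
            return None
        bound.append(triggered[0])
        groups.append(triggered)
        last_ts = triggered[-1]["ts"]
    return groups


def brute_force_rule():
    """Five failed logons for one account within 60 s, followed within 120 s by a
    successful logon to that account from the same remote host (hypothetical rule)."""
    return [
        Action("failed logons", {"event": "logon_failed"}, threshold=5, within=60,
               constant=["target_user"]),
        Action("success", {"event": "logon_success"}, followed_within=120,
               link_to={"remote_device": (0, "remote_device"), "target_user": (0, "target_user")}),
    ]


def ev(ts, event, user, host):
    return {"ts": ts, "event": event, "target_user": user, "remote_device": host}


# Constructed sample events (not real logs); timestamps are seconds.
SAMPLE_EVENTS = [
    ev(50, "logon_failed", "bob", "10.0.0.7"),       # other account: any window containing it fails "is constant"
    ev(100, "logon_failed", "alice", "10.0.0.5"),
    ev(110, "logon_failed", "alice", "10.0.0.5"),
    ev(120, "logon_failed", "alice", "10.0.0.5"),
    ev(130, "logon_failed", "alice", "10.0.0.5"),
    ev(140, "logon_failed", "alice", "10.0.0.5"),    # fifth failure, 40 s span: threshold met
    ev(150, "logon_success", "alice", "10.0.0.9"),   # wrong host: Link to rejects it
    ev(200, "logon_success", "alice", "10.0.0.5"),   # 60 s after the fifth failure: the rule fires
]

if __name__ == "__main__":
    result = evaluate_rule(brute_force_rule(), SAMPLE_EVENTS)
    for action, group in zip(brute_force_rule(), result or []):
        print(action.name, [e["ts"] for e in group])
```

Running the block prints the timestamps of the five failures that satisfied the first action and the single success that satisfied the second. Removing the success at 200 s, or moving it to 300 s (outside the 120 s Followed by within window), makes `evaluate_rule` return `None`, and a run of failures that alternates between two accounts never satisfies the first action because `target_user` is not constant across any five occurrences.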
Activating and deactivating rules
- From the Manage Rules page, select the rule which you want to activate.
- Click on the Manage dropdown list and select Activate.
- To disable a rule, click on Deactivate from the list.
Editing rules
- Select the rule you want to edit.
- Click on the Update rule icon to open the correlation rule builder. Modify the rules on this page.
Deleting rules
Select the rule you want to delete, and click on the Delete rule icon.
Correlation Alert Profile
You can enable a correlation alert profile to configure email notifications that deliver the triggered correlation reports.
View and manage correlation alerts under the Alerts tab of the product:
- Enabling a Correlation alert profile will automatically activate the corresponding correlation rule, even if disabled.
- View correlation alerts, assign owners and track their status under Correlation Alert Profiles.
- Update notification settings for each correlation alert profile on the Manage Alert Profile page.
Also, you can add or map a triggered correlation alert as an incident, assign a security technician to respond to the incident, and track its status by following the same steps used for adding a normal alert to an incident.