Correlation Rules Tab

The Correlation Rules tab ( netwitness_adminicon_25x22.png (Admin) > select a service and click netwitness_actiondd.png > View > Config > Correlation Rules tab) enables you to manage correlation rules. Basic correlation rules are applied at the session level and alert the user to specific activities that may be occurring in their environment. NetWitness applies correlation rules over a configurable sliding time window.

What do you want to do?

User Role I want to... Documentation
Administrator add or edit a correlation rule Configure Correlation Rules

Related Topics

Quick Look

The following figure shows the Correlation Rules tab.


The following figure shows the Rule Editor dialog for a correlation rule.


The following table describes the Correlation Rules tab columns.

Column Description


This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains netwitness_ic-pending2.png​. Once the rules are applied, the pending indicator is removed.


This is the descriptive name for the rule.


This is the definition of the condition that triggers an action when matched.

In conditions, all string literals and time stamps must be quoted. Do not quote number values and IP addresses. Configure Decoder Rules provides additional details.

Instance Key

This is the target indicator to base the event upon. It can be a single primary key, such as ip.src or a compound primary key such as ip.src,ip.dst.


This is the minimum number of occurrences required to trigger a correlation session and can include a associated key that identifies the meta type that were are counting to determine if the condition is satisfied. The correlation engine cannot use IPv4 or IPv6 as an associated meta type. Use one of these three arguments:

  • u_count(associated_key) = the count of unique values of the specified key. A key is required.
  • sum(associated_key) = the values of the specified key. a key is required.
  • count() = number of sessions, no associated key used. If included, it is ignored.

Time Window

This is the duration in hours, minutes, or seconds within which the threshold must be reached to trigger a correlation session.


This column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.

The Rule Editor dialog provides the fields and options needed to define a network rule. The fields correspond exactly to the grid columns.

Action Description


Resets the contents of the dialog to their values before editing; changes are discarded.


Cancels any edits and closes the Rule Editor Dialog.


Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor Dialog closes.


(Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Invalid Syntax.