Organization of rules

The Active Correlation Technology rule language organizes rules into rule blocks that are part of a rule set.

Rule set

The rule set contains the rules, organized into rule blocks, to be executed by an Active Correlation Technology engine. It is the rule execution unit. Each Active Correlation Technology engine acts on only one rule set at a time.

The rules that are contained in a rule set are triggered by events that are sent to the Active Correlation Technology engine. The events are delivered sequentially to the appropriate rules based on the event selection criteria for each rule, and one rule is executed at a time. The same event can apply to, and therefore trigger, multiple rules. These rules are not necessarily related, but they might be.

The order of rule blocks and rules within a rule set determines how events flow through the rule set.

Variables and imports can be defined at the rule set level for use in expressions (code that contains custom logic) throughout the scope of the rule set. An import is a programming language-specific way to access external code. A rule writer can define an import to import external modules (such as Java™ classes) for use in expressions within rules.

Rule block

The rule block is the organizational unit for grouping rules by function into domains within the rule set. A domain is the category to which a group of rules apply based on their function. For example, a domain can represent a specific geographic area, IT management discipline (such as security detection or network event correlation), or business organization (such as a specific company or a division within a company).

Rule blocks can contain rules and other rule blocks. Because rule blocks can be nested, a hierarchy of rules can be constructed. For example, a rule set might contain a rule block for network event correlation, and the rule block for network event correlation might contain two other rule blocks: one for layer 2 correlation and one for IP correlation.

Therefore, a rule set provides event correlation capabilities for a variety of domains, and a rule block provides the organization for these different domains that might need access to a similar set of events.

Variables and imports can be defined at the rule block level for use in expressions throughout the scope of the rule block. The scope of a rule block includes any rules and other rule blocks that are contained in the rule block.

Rule

The rule is the correlation unit that is used to recognize relationships among events and to run the appropriate rule responses. A rule is an implementation of one of the following seven rule patterns and is organized, according to its function, into a rule block that is part of a rule set:
  • collection pattern
  • computation pattern
  • duplicate pattern
  • filter pattern
  • sequence pattern
  • threshold pattern
  • timer pattern

Each rule can provide unique event correlation capabilities according to its pattern, and rules can be chained through event forwarding. Through this chaining of rules, the event correlation capabilities of different patterns can be combined or nested.

Variables can be defined at the rule level for use in expressions throughout the scope of the rule.

Summary

In summary, the rule set is the execution unit, the rule block is the organizational unit, and the rule is the correlation unit. A rule set contains one or more rule blocks, each of which can contain additional rule blocks. Each of the rule blocks contains rules for a specific domain. Rule blocks can be nested to construct a hierarchy of rules. The order of rule blocks and rules within a rule set determines how events flow through the rule set.

Variables and imports can be defined at the rule set or rule block level for use in expressions within rules. The scope of the variable or import is the respective rule set or rule block. Variables can also be defined at the rule level, but this limits their scope to only the rule.
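To make the scoping and ordering rules concrete, the following small Python model is added here as an illustration; it is not the Active Correlation Technology rule language itself, nor code from the product. It builds the nested network example from above (rule set > network block > layer 2 and IP blocks, plus a sibling security block): a variable resolves from the rule set outward through the enclosing blocks to the rule, each event is offered to the rules in written order one rule at a time, and a rule response can forward a new event to chain rules. The block names, the `max_events` variable and the events are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Scoped:
    name: str
    variables: dict = field(default_factory=dict)
    parent: object = field(default=None, repr=False, compare=False)
    def scope(self) -> dict:  # rule-set variables, then each enclosing block, then this node
        outer = self.parent.scope() if self.parent else {}
        return {**outer, **self.variables}  # inner definitions shadow outer ones

@dataclass
class Rule(Scoped):
    selects: object = None   # event selection criteria: callable(event) -> bool
    response: object = None  # rule response: callable(event, scope) -> event to forward, or None

@dataclass
class RuleBlock(Scoped):
    children: list = field(default_factory=list)  # rules and nested blocks, in written order

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def rules(self):  # depth first, so the rule order follows the nesting as written
        for child in self.children:
            yield from [child] if isinstance(child, Rule) else child.rules()

class RuleSet(RuleBlock):
    def execute(self, event: dict) -> list:  # offer each event to every rule, one rule at a time
        trace, queue = [], [event]
        while queue:
            ev = queue.pop(0)
            for rule in self.rules():
                if rule.selects(ev):
                    trace.append((rule.name, rule.scope()["max_events"]))
                    forwarded = rule.response(ev, rule.scope())
                    if forwarded is not None:  # chaining through event forwarding
                        queue.append(forwarded)
        return trace

def demo() -> list:  # constructed hierarchy: rs > network > {layer2, ip}, plus a security block
    rs = RuleSet("rs", variables={"site": "dc1", "max_events": 5})
    net = rs.add(RuleBlock("network", variables={"max_events": 3}))
    net.add(RuleBlock("layer2")).add(Rule("link_down", selects=lambda e: e["type"] == "linkDown",
        response=lambda e, s: {"type": "ipUnreachable", "site": s["site"]}))
    net.add(RuleBlock("ip")).add(Rule("ip_unreachable", variables={"max_events": 1},
        selects=lambda e: e["type"] == "ipUnreachable", response=lambda e, s: None))
    rs.add(RuleBlock("security")).add(Rule("audit", selects=lambda e: True, response=lambda e, s: None))
    return rs.execute({"type": "linkDown"})
```

Running `demo()` shows the same `linkDown` event triggering two unrelated rules, the forwarded `ipUnreachable` event reaching the IP block only after the first event has finished its pass, and `max_events` taking the value defined at the nearest enclosing level (3 from the network block, 1 from the rule, 5 from the rule set).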