Using correlation macros
As shown in the previous sections, correlation match expressions can range from simple keywords to fairly involved expressions. In practice, these expressions are often reused, with minor modifications, in threads, actions, and triggers.
To simplify this reuse of correlation expressions, BMC Defender Server provides a traditional Macro facility, where a keyword can represent an entire expression. This simplifies the creation and implementation of match expressions throughout the system.
The Correlation > Config > Macros screen is used to create, edit, and delete macro correlation expressions that can be referenced from any correlation rule on the system. Once a macro is defined, a thread, action, or trigger references it by enclosing the macro name in double at-sign (@@) delimiters, such as @@my_macro@@. When the expression is evaluated, each reference is replaced by the macro's value.
Besides simplifying the implementation, organization, and maintenance of correlation match expressions, the Macro facility changes how correlation requirements can be approached: it lets you reason in terms of named, higher-level conditions rather than individual match terms, as described in this section.
Section summary and additional notes about correlation macros
- Macros serve to organize and simplify the creation and maintenance of expressions on the system by allowing easy reuse of correlation match expressions in threads, actions, and triggers.
- Macros can be thought of as both sensors and synonyms for message meaning. In particular, creation of synonym lists is an inescapable requirement of semantic correlation.
- Although macros are not required to implement any specific correlation, you can quickly see the value of using macros in place of specific expressions. Any expression that is used more than once, or has any significant complexity, is a good candidate for a macro.
- Macros are often combined with other macros, keywords, or expressions using the logical operators, so they serve as building blocks for larger correlation strategies.
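The @@name@@ substitution described above, and the use of macros as building blocks joined by logical operators, as an added Python example that is not BMC Defender Server's code. Everything in it is an assumption made for illustration: the macro table and log lines are constructed, macros are allowed to reference other macros (the page does not say whether the product permits this), and the evaluator understands only a small AND / OR / NOT syntax over regular-expression terms, not the product's actual expression language.

```python
import re

# Constructed macro table in the @@name@@ reference style the page describes.
# Names and values are illustrative, not BMC Defender Server configuration.
MACROS = {
    "auth_fail": "(failed password|authentication failure|invalid user)",
    "ssh_daemon": r"sshd\[",
    # Assumption: a macro value may itself reference other macros.
    "ssh_auth_fail": "@@ssh_daemon@@ AND @@auth_fail@@",
    "trusted_net": r"from 10\.0\.0\.",
}

MACRO_REF = re.compile(r"@@(\w+)@@")


def expand_macros(expression, macros, _stack=()):
    """Replace each @@name@@ in expression with the macro's value.

    The substituted value is expanded recursively so macros can be built from
    other macros. An undefined name raises KeyError; a reference cycle
    (a -> b -> a) raises ValueError instead of recursing forever.
    """
    def substitute(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro @@{name}@@")
        if name in _stack:
            raise ValueError("macro cycle: " + " -> ".join(_stack + (name,)))
        return expand_macros(macros[name], macros, _stack + (name,))
    return MACRO_REF.sub(substitute, expression)


def lint_macros(macros):
    """Return {name: error} for every macro that cannot be fully expanded."""
    problems = {}
    for name in macros:
        try:
            expand_macros(f"@@{name}@@", macros)
        except (KeyError, ValueError) as err:
            problems[name] = str(err)
    return problems


def matches(expression, line):
    """Evaluate an already expanded expression against one log line.

    Assumed mini-syntax (not the product's): regex terms joined by AND / OR,
    AND binding tighter than OR, and an optional NOT prefix on a term.
    """
    for conjunct in re.split(r"\s+OR\s+", expression):
        satisfied = True
        for term in re.split(r"\s+AND\s+", conjunct):
            negate = term.startswith("NOT ")
            pattern = term[4:] if negate else term
            hit = re.search(pattern, line, re.IGNORECASE) is not None
            if hit == negate:          # term failed (or a NOT term matched)
                satisfied = False
                break
        if satisfied:
            return True
    return False


# Constructed sample log lines (not captured from a real system).
SAMPLE_LINES = [
    "Mar 3 10:01:02 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 5120 ssh2",
    "Mar 3 10:01:05 host1 sshd[2231]: Failed password for alice from 10.0.0.15 port 5121 ssh2",
    "Mar 3 10:01:09 host1 sshd[2240]: Accepted publickey for alice from 10.0.0.15 port 5130 ssh2",
    "Mar 3 10:02:00 host1 su[2301]: authentication failure; logname=bob uid=1001",
]


def run_rule(rule, macros=MACROS, lines=SAMPLE_LINES):
    """Expand the macros in a rule, then return the lines it matches."""
    expanded = expand_macros(rule, macros)
    return [line for line in lines if matches(expanded, line)]


if __name__ == "__main__":
    rule = "@@ssh_auth_fail@@ AND NOT @@trusted_net@@"
    print("expanded:", expand_macros(rule, MACROS))
    for hit in run_rule(rule):
        print("match:", hit)
```

Run as written, the rule expands to the sshd term, the failure-phrase alternation, and a negated trusted-network term, and only the failed root login from 203.0.113.7 matches. The lint step is the check worth keeping: whatever the product does with a reference to an undefined or circular macro, finding it when the table is edited is better than discovering a rule that silently never fires.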
This section provides information about the following topics: