Creating and Configuring a Category for Incident Correlation in FojiSoft

From FojiSoft Docs

FojiSoft is a powerful data integration platform that allows you to correlate alerts and events together to identify and manage incidents efficiently. This documentation will guide you through the process of creating and configuring a category in FojiSoft for incident correlation. The category will define the rules and criteria for correlating alerts and events, helping you identify and respond to potential incidents in real-time. To configure the category, you will need to provide the following fields: Name, Max Time Between Events, Max Incident Lifetime, Filter, Log Query, and more.

Step 1: Creating a New Category

  1. Log in to your FojiSoft account and navigate to the "Categories" section.
  2. Click on the "Create Category" button to start creating a new incident correlation category.

Step 2: Naming the Category

  1. In the "Name" field, enter a descriptive name for your category. This name should reflect the purpose or scope of the category.

Step 3: Configuring Time Between Events

  1. Provide the "Max Time Between Events" value. This value defines the maximum time gap allowed between two correlated events in an incident. For example, if you set this value to 5 minutes, FojiSoft will consider events occurring within 5 minutes of each other as part of the same incident.
  2. Select the time unit (seconds, minutes, hours) from the dropdown that corresponds to the "Max Time Between Events" value.

Step 4: Configuring Incident Lifetime

  1. Provide the "Max Incident Lifetime" value. This value specifies the maximum duration of an incident, starting from the time of the first event. After this duration, FojiSoft will consider the incident closed.
  2. Select the time unit (seconds, minutes, hours) from the dropdown that corresponds to the "Max Incident Lifetime" value.

Step 5: Defining Filters

  1. Under the "Filter" section, choose between the "Builder" or "Code" option to define the criteria for correlating alerts and events.
  2. If you select the "Builder" option, use the "And" or "Or" operator to combine multiple filters. Click the "+" button and choose "Add Filter Expression" or "Add Group" as needed; a group nests its own expressions under its own "And" or "Or" operator.
  3. For each filter expression, select the field (Data, Description, Labels, Name, Severity, URL) from the dropdown to filter on.
  4. If the selected field is "Data" or "Labels," add the "Path" for data or labels filtering.
  5. Select the appropriate operator (<, <=, >, >=, contains, Does not equal, ends with, equals, is falsy, is truthy, starts with) from the dropdown and, if necessary, provide the corresponding value for the filter.

Step 6: Defining Trigger Filters

The optional trigger filter controls which correlated events actually create a new incident. It is applied after the primary filter, and only events matching both filters open a new incident. This lets the primary filter admit additional events into an existing incident without those events opening incidents on their own.

  1. Under the "Trigger Filter" section, choose between the "Builder" or "Code" option to define the criteria an event must meet to open a new incident.
  2. If you select the "Builder" option, use the "And" or "Or" operator to combine multiple filters. Click the "+" button and choose "Add Filter Expression" or "Add Group" as needed; a group nests its own expressions under its own "And" or "Or" operator.
  3. For each filter expression, select the field (Data, Description, Labels, Name, Severity, URL) from the dropdown to filter on.
  4. If the selected field is "Data" or "Labels," add the "Path" for data or labels filtering.
  5. Select the appropriate operator (<, <=, >, >=, contains, Does not equal, ends with, equals, is falsy, is truthy, starts with) from the dropdown and, if necessary, provide the corresponding value for the filter.
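The following is an added worked example, not FojiSoft's own code: it models the correlation semantics described in Steps 3 to 6 (Max Time Between Events, Max Incident Lifetime, the primary Filter built from "Add Filter Expression" and "Add Group", and the Trigger Filter) and runs them over a constructed event stream. The event model, the operator semantics, the assumption that events arrive in time order, the "payments" service label and the sample events are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:          # the Builder's Name, Severity, Labels and Data fields (Description and URL omitted)
    name: str
    severity: str
    labels: dict
    data: dict
    time: datetime

def get_path(obj, path):
    """Dotted "Path" lookup into nested Labels/Data, e.g. "host.region"; None if absent."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

# A subset of the Builder's operators; the semantics are assumed, not FojiSoft's implementation.
OPERATORS = {
    "equals": lambda a, b: a == b,
    "does not equal": lambda a, b: a != b,
    "contains": lambda a, b: isinstance(a, str) and b in a,
    "starts with": lambda a, b: isinstance(a, str) and a.startswith(b),
    "is truthy": lambda a, _: bool(a),
}

def expression(field_name, operator, value=None, path=None):
    """One "Add Filter Expression": field, optional Path (Data/Labels only), operator, value."""
    def match(ev):
        actual = getattr(ev, field_name.lower())
        return OPERATORS[operator](get_path(actual, path) if path else actual, value)
    return match

def group(op, *members):
    """One "Add Group": combines expressions or nested groups with And / Or."""
    return lambda ev: (all if op == "and" else any)(m(ev) for m in members)

@dataclass
class Category:
    max_gap: timedelta                              # Max Time Between Events
    max_lifetime: timedelta                         # Max Incident Lifetime
    filter_fn: object                               # primary Filter
    trigger_fn: object = None                       # optional Trigger Filter
    incidents: list = field(default_factory=list)   # each incident is a list of events, oldest first
    not_opened: list = field(default_factory=list)  # filtered events that could neither join nor open
    _open: list = None                              # the incident still accepting events, if any

    def ingest(self, ev):
        """Correlate one event. Events must arrive in time order, so at most one incident is open."""
        if not self.filter_fn(ev):
            return None                             # fails the primary Filter: not correlated at all
        cur = self._open
        if cur is not None:
            if ev.time - cur[0].time > self.max_lifetime or ev.time - cur[-1].time > self.max_gap:
                self._open = None                   # a time limit was exceeded: the incident is over
            else:
                cur.append(ev)                      # any filtered event may join an open incident
                return cur
        if self.trigger_fn is None or self.trigger_fn(ev):
            self._open = [ev]                       # only Filter AND Trigger Filter matches open one
            self.incidents.append(self._open)
            return self._open
        self.not_opened.append(ev)
        return None

T0 = datetime(2024, 1, 1, 12, 0)   # constructed start time; sample events are minutes after it

def ev(minute, severity, service):
    return Event(name=f"{service}-alert", severity=severity, labels={"service": service},
                 data={"minute": minute}, time=T0 + timedelta(minutes=minute))

SAMPLE_EVENTS = [   # constructed stream for an assumed "payments" service
    ev(0, "warning", "payments"),    # passes the Filter, but a warning cannot open an incident
    ev(1, "critical", "payments"),   # opens incident 1
    ev(3, "warning", "payments"),    # 2 min after the last event: joins incident 1
    ev(4, "critical", "billing"),    # fails the Filter (wrong service): ignored entirely
    ev(12, "warning", "payments"),   # 9 min gap > 5 min: incident 1 closes; a warning cannot open a new one
    ev(13, "critical", "payments"),  # opens incident 2
    ev(17, "warning", "payments"),   # joins incident 2
    ev(21, "warning", "payments"),   # joins incident 2
    ev(23, "warning", "payments"),   # exactly 10 min after the opening event: still within the lifetime
    ev(25, "critical", "payments"),  # 12 min > 10 min lifetime: incident 2 closes, this opens incident 3
]

def run_demo():
    """Returns ([event minutes per incident], [minutes of filtered events that opened nothing])."""
    cat = Category(
        max_gap=timedelta(minutes=5),
        max_lifetime=timedelta(minutes=10),
        filter_fn=group("and",
                        group("or", expression("Severity", "equals", "warning"),
                                    expression("Severity", "equals", "critical")),
                        expression("Labels", "equals", "payments", path="service")),
        trigger_fn=expression("Severity", "equals", "critical"),
    )
    for e in SAMPLE_EVENTS:
        cat.ingest(e)
    return ([[e.data["minute"] for e in inc] for inc in cat.incidents],
            [e.data["minute"] for e in cat.not_opened])
```

Running `run_demo()` yields three incidents, `[[1, 3], [13, 17, 21, 23], [25]]`, and two filtered warnings (`[0, 12]`) that were correlated by the Filter but, lacking a Trigger Filter match, never opened an incident of their own. The point to check when tuning a real category is that the gap and lifetime are compared with `>` here, so an event landing exactly on the limit still joins; confirm the boundary behaviour in your own deployment rather than assuming it.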

Step 7: Adding a Log Query

  1. Under the "Log Query" section, add a log query that retrieves the logs related to the correlated events and alerts. FojiSoft runs this query to gather the log data used during incident correlation.

Step 8: Configuring Additional Fields

  1. Under the "Fields" section of the incident correlation category, you can configure additional fields to enhance the categorization and display of correlated incidents.
  2. "Name" Field: In the "Name" field, provide a name for the correlated incident. This name will be used to identify and refer to the incident within the FojiSoft platform.
  3. "Minimum Similarity Path": Specify the "Minimum Similarity Path" to control the matching accuracy when correlating alerts and events. This path will define the minimum similarity required between two events to be considered as part of the same incident.
  4. "Toggle - Show in Header": Toggle this option to determine whether or not to display the correlated incident's information in the header of your FojiSoft dashboard. This option can help you quickly identify and track ongoing incidents.
  5. "Decimal Places": If relevant to your data, you can specify the number of "Decimal Places" for numeric values displayed in the incident correlation results. This ensures that the data is displayed with the desired level of precision.

Step 9: Saving the Category Configuration

  1. After providing the necessary configuration details, click on the "Save" or "Create" button to save the category configuration.
  2. FojiSoft will now use the defined rules and criteria in this category to correlate alerts and events, identifying and managing incidents automatically.
  3. You can now use this category to monitor and respond to potential incidents within your FojiSoft environment.

Conclusion

By following the steps outlined in this documentation, you can create and configure a category for incident correlation in FojiSoft. This category allows you to define specific rules and criteria to correlate alerts and events, helping you identify and manage incidents effectively, streamline incident response, and ensure a proactive approach to incident management within your FojiSoft platform.