# Main

This is the <mark style="color:green;">first stage of creating</mark> a correlation rule.

***

### **Identification**

**ID:** Each rule is automatically identified by an ID, which [<mark style="color:green;">is generated according to the prefix set during the MSP configuration.</mark>](/system-settings/configuring-the-mss/configuring-the-msps-profile.md#rule-identification-code)

**Language:** The system <mark style="color:green;">allows versions in different languages within the same profile</mark>, so that users can consult the rule in their preferred language.

**Name:** Used for direct <mark style="color:green;">identification of the rule</mark>.

**Attack:** <mark style="color:green;">Defines the attack vector</mark> that the rule aims to prevent or mitigate.

{% hint style="info" %}
The name and attack fields are essential for integration with systems like ChatGPT, facilitating the automatic filling of playbooks and rule details.
{% endhint %}

<figure><img src="/files/XUKAfgF7ml8W0786Fg7u" alt=""><figcaption><p>Identification Stage</p></figcaption></figure>

***

### **Data Source**

**Data Source:** <mark style="color:green;">Identifies the data source</mark> of the selected correlation rule.

**Event Type:** There are two main types of events in information security:

* **Security Intelligence Events:** Associated with data sources that have security intelligence (e.g., endpoint protection or application firewalls) and are usually linked to specific threats. These <mark style="color:green;">do not require complex correlation rules for anomaly identification.</mark>
* **Non-Security Intelligence Events:** Related to data sources without security intelligence (e.g., operating systems), which <mark style="color:green;">require more complex correlation rules.</mark> In these cases, the analyst must create custom event types for these data sources.

<figure><img src="/files/KN8Y5BWZFtpGwlyWRVhx" alt=""><figcaption><p>Data Source Stage</p></figcaption></figure>

***

### **Integration**

<mark style="color:green;">It is possible to prepare the rule for one or more monitoring solutions.</mark> The selection of vendors directly impacts the listing of relationships and grouping rules.

<figure><img src="/files/5kFmaGzpOdddLvQNSxLa" alt=""><figcaption><p>Integration Stage</p></figcaption></figure>

***

### **Relations**

This functionality provides the system with <mark style="color:green;">information about which SIEM rule relates to the correlation rule.</mark> This allows for more efficient management and an integrated view of security policies.

<figure><img src="/files/sS3KiLDweSP19VdkWl99" alt=""><figcaption><p>Relations Stage</p></figcaption></figure>

***

