Correlation Rule Details

The Correlation Rules page displays all of your enabled rules in a table, showing the fields described in this topic.
Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive notification ahead of time before any changes are implemented.
If you are assigned a role that enables Investigation → Rules privileges, you can view all user-defined Correlation Rules from Rules → Correlations.
By default, the Correlation Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Correlation Rules page, you can also manage existing rules using the right-click pivot menu.
The following table describes the fields that are available for each Correlation Rule in alphabetical order.
Some fields are displayed by default and others are hidden. An asterisk (*) marks every field that is displayed by default.
# OF ALERTS *
  The number of alerts triggered for this rule.

ALERT CATEGORY *
  Type of alert as configured when creating the rule. One of the following:
  • Collection
  • Credential Access
  • Dropper
  • Evasion
  • Execution
  • Evasive
  • Exfiltration
  • File Privilege Manipulation
  • File Type Obfuscation
  • Infiltration
  • Lateral Movement
  • Persistence
  • Privilege Escalation
  • Reconnaissance
  • Tampering
  • Other

DATASET *
  The text displayed here depends on the resulting action configured for the Correlation Rule when the rule was created.
  • alerts—When the resulting action for the rule was configured to Generate alert.
  • Dataset name—When the resulting action for the rule was configured to Save to dataset.

DESCRIPTION *
  The description for the Correlation Rule that was configured when the rule was created.

DRILL-DOWN QUERY
  Displays the Drilldown Query that you configured when you created the rule to gather additional information about the alert for further investigation using XQL. If you did not configure one, the field is left empty. Once configured, any alert generated for the Correlation Rule has an Open Drilldown Query option in the right-click pivot menu, an Open drilldown query link after you Investigate Contributing Events, and a quick-action Open Drilldown Query icon in the Alerts page, each of which opens a new browser tab in XQL Search to run this query. If you do not define a Drilldown Query, no right-click menu option, link, or icon is displayed.
  The time frame used to run the Drilldown Query provides more informative details about the alert generated by the Correlation Rule. The alert time frame spans the minimum and maximum timestamps of the events in the alert. If there is only one event, the event timestamp is the time frame used for the query.

INSERTION DATE
  Date and time when the Correlation Rule was created.

LAST EXECUTION *
  Date and time when the Correlation Rule was last executed.

MITRE ATT&CK TACTIC *
  Displays the MITRE ATT&CK tactic the Correlation Rule is attempting to trigger on.

MITRE ATT&CK TECHNIQUE *
  Displays the MITRE ATT&CK technique and sub-technique the Correlation Rule is attempting to trigger on.

MODIFICATION DATE *
  Date and time when the Correlation Rule was last modified.

NAME *
  Unique name that describes the rule.

RULE ID
  Unique identification number for the rule.

SCHEDULE *
  Displays the Time Schedule for how often the XQL Search definition set for the Correlation Rule runs, as configured when the rule was created. The value displayed is one of the following:
  • Every 10 Minutes
  • Every 20 Minutes
  • Every 30 Minutes
  • Hourly
  • Daily
  • Cron Expression—the Time Schedule is displayed as cron expression fields.

SEVERITY *
  Correlation Rule severity that was defined when the Correlation Rule was created.

SOURCE *
  User who created this Correlation Rule.

STATUS
  Rule status: Enabled or Disabled.

SUPPRESSION DURATION *
  How long other events that match the alert suppression criteria configured when the rule was created are ignored. This setting is required when configuring the rule.

SUPPRESSION FIELDS *
  The fields that alert suppression is based on, as configured when the rule was created. The fields listed are taken from the XQL query result set for the rule. This setting is optional.

SUPPRESSION STATUS *
  Displays the Suppression Status as either Enabled or Disabled, as configured when the rule was created.

TIME FRAME *
  Displays the time frame for running the query, which can be up to 7 days, as configured when the rule was created.

TIMEZONE
  Displays the Timezone when the Time Schedule for running the XQL Search definition set for the Correlation Rule is set to run daily or using a cron expression. Otherwise, this field is left empty.

XQL SEARCH
  Displays the XQL definition for the Correlation Rule that was configured in XQL Search when the rule was created.
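The SUPPRESSION DURATION, SUPPRESSION FIELDS and DRILL-DOWN QUERY entries above describe behaviour rather than showing it, so here is a small Python model of both: how a suppression window keyed on selected result-set fields collapses repeated matches into fewer alerts (which is what drives the # OF ALERTS column), and how an alert's drilldown time frame is taken from the minimum and maximum event timestamps. This is an added example, not Cortex XDR's code; the sample rows are constructed, the column names merely resemble Cortex dataset fields, and two details are assumptions for illustration: the window is measured from the last alert raised for a key, and an empty suppression-field list makes every row match.

```python
"""Added example modelling Correlation Rule alert suppression and the drilldown
time frame. Not Cortex XDR code: window-from-last-alert and "no suppression
fields means every row matches" are assumptions made for illustration."""
from datetime import datetime, timedelta

# Constructed sample rows standing in for an XQL query result set. The column
# names resemble Cortex XDR dataset fields, but the values are made up.
SAMPLE_ROWS = [
    {"_time": "2024-05-01T10:00:00", "agent_hostname": "ws-01", "actor_process_image_name": "powershell.exe"},
    {"_time": "2024-05-01T10:03:00", "agent_hostname": "ws-01", "actor_process_image_name": "powershell.exe"},
    {"_time": "2024-05-01T10:05:00", "agent_hostname": "ws-02", "actor_process_image_name": "powershell.exe"},
    {"_time": "2024-05-01T11:30:00", "agent_hostname": "ws-01", "actor_process_image_name": "powershell.exe"},
]


def _ts(row):
    """Parse a row's _time column into a datetime."""
    return datetime.fromisoformat(row["_time"])


def drilldown_time_frame(events):
    """Return (start, end) ISO timestamps for an alert's contributing events:
    the minimum and maximum event timestamps, or a single event's timestamp
    used for both ends."""
    if not events:
        raise ValueError("an alert always has at least one contributing event")
    times = sorted(_ts(e) for e in events)
    return times[0].isoformat(), times[-1].isoformat()


def apply_suppression(rows, suppression_fields, suppression_minutes, suppression_enabled=True):
    """Split query result rows into (alerted, suppressed).

    A row is suppressed when a row with the same values in suppression_fields
    already produced an alert less than suppression_minutes earlier. With
    suppression disabled every matching row becomes an alert."""
    window = timedelta(minutes=suppression_minutes)
    last_alert_at = {}  # suppression key -> time of the last alert for that key
    alerted, suppressed = [], []
    for row in sorted(rows, key=_ts):
        if not suppression_enabled:
            alerted.append(row)
            continue
        # Assumption: with no suppression fields the key is () and every row matches.
        key = tuple(row.get(field) for field in suppression_fields)
        previous = last_alert_at.get(key)
        if previous is not None and _ts(row) - previous < window:
            suppressed.append(row)
            continue
        last_alert_at[key] = _ts(row)
        alerted.append(row)
    return alerted, suppressed


def alert_count(rows, suppression_fields, suppression_minutes, suppression_enabled=True):
    """Number of alerts the rule would raise over rows (the # OF ALERTS column)."""
    return len(apply_suppression(rows, suppression_fields, suppression_minutes, suppression_enabled)[0])


if __name__ == "__main__":
    alerted, suppressed = apply_suppression(SAMPLE_ROWS, ["agent_hostname"], 60)
    print(f"{len(alerted)} alerts, {len(suppressed)} suppressed (keyed on agent_hostname, 60 minutes)")
    print("drilldown time frame of first alert:", drilldown_time_frame(SAMPLE_ROWS[:2]))
```

Keying on agent_hostname with a 60-minute window turns the four sample rows into three alerts; adding actor_process_image_name with a 120-minute window yields two; leaving the field list empty collapses everything within an hour of the first match into one alert. That is the trade-off the SUPPRESSION FIELDS entry leaves implicit: fewer fields and a longer duration mean fewer, noisier alerts, while more fields mean one alert per distinct combination of values.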
