Correlation Rule Details
On the Correlation Rules page, you can view all of your enabled rules in a table, along with the fields displayed for each rule.
Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will be notified before any changes are implemented.
If you are assigned a role that enables
privileges, you can view all user-defined Correlation Rules from
By default, the Correlation Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Correlation Rules page, you can also manage existing rules using the right-click pivot menu.
The following table describes, in alphabetical order, the fields that are available for each Correlation Rule.
Some fields are exposed by default and others are hidden. An asterisk (*) marks every field that is exposed by default.
# OF ALERTS*
The number of alerts triggered for this rule.
Type of alert as configured when creating the rule.
The text displayed here depends on the resulting action configured for the Correlation Rule when the rule was created.
The description for the Correlation Rule that was configured when the rule was created.
Displays the Drilldown Query that you configured when you created the rule, which uses XQL to provide additional information about the alert for further investigation. If you did not configure one, the field is left empty. Once configured, any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you Investigate Contributing Events, and a quick action Open Drilldown Query icon that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drilldown Query, no right-click menu option, link, or icon is displayed. The time frame used to run the Drilldown Query provides more informative details about the alert generated by the Correlation Rule. The alert time frame is the minimum and maximum timestamps of the events of the alert. If there is only one event, the event timestamp is the time frame used for the query.
Date and time when the Correlation Rule was created.
Date and time when the Correlation Rule was last executed.
MITRE ATT&CK TACTIC*
Displays the type of MITRE ATT&CK tactic the Correlation Rule is attempting to trigger on.
MITRE ATT&CK TECHNIQUE*
Displays the type of MITRE ATT&CK technique and sub-technique the Correlation Rule is attempting to trigger on.
Date and time when the Correlation Rule was last modified.
Unique name that describes the rule.
Unique identification number for the rule.
Displays the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule when the rule was created. The options displayed are one of the following.
Correlation rule severity that was defined when the Correlation Rule was created.
User who created this Correlation Rule.
Rule status: Enabled or Disabled.
How long to ignore other events that match the alert suppression criteria, as configured when the rule was created. This setting is required.
The fields that the alert suppression is based on, as configured when the rule was created. The fields listed are based on the XQL query result set for the rule. This setting is optional.
Displays the Suppression Status as either Enabled or Disabled as configured when the rule was created.
Displays the time frame for running a query, which can be up to 7 days, as configured when the rule was created.
Displays the Timezone when the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule is set to run daily or using a cron expression. Otherwise, this field is left empty.
Displays the XQL definition for the Correlation Rule that was configured in XQL Search when the rule was created.