Create a Correlation Rule

Create new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search.
Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive notification ahead of time before any changes are implemented.
You can create a new Correlation Rule from either the Correlation Rules page or when building a query in XQL Search.
When setting up Correlation Rules, you have the following capabilities.
  • Define the timing for when the Correlation Rule should run.
  • Define whether alerts generated by the Correlation Rule are suppressed by a duration time and field.
  • Set the resulting action for the Correlation Rule to either generate an alert or save the data to a dataset.
    • When generating an alert, you can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert Severity, MITRE ATT&CK Tactics and Techniques, and other alert settings.
    • When saving the data to a dataset, you can test and fine-tune new rules before they start generating alerts, and build correlation-of-correlation use cases.
To create a Correlation Rule in Cortex XDR:
  1. Open the New Correlation Rule editor.
    You can do this in one of two ways.
    • From the Correlation Rules page.
      1. Select Rules > Correlations.
      2. Select +Add Correlation.
    • From XQL Search.
      1. Select Investigation > Query Builder > XQL Search.
      2. In the XQL query field, define the parameters for your Correlation Rule.
      3. Select Save as > Correlation Rule.
        The New Correlation Rule editor is displayed, and its XQL Search section is populated with the query you already set in the XQL query field.
  2. Configure the General settings.
    • Specify a descriptive Name to identify the Correlation Rule.
    • (Optional) Specify a Description for the Correlation Rule.
  3. Use XQL to define the Correlation Rule in the XQL Search field.
    After writing at least one line of XQL, you can select Open full query mode to display the query in XQL Search. You can Test the XQL definition for the rule whenever you want.
    When you open the New Correlation Rule editor from XQL Search, the XQL Search field is already populated with the XQL query that you defined.
    Once you have finished writing the XQL for the Correlation Rule definition, select Continue editing rule to return to the New Correlation Rule editor; the complete query you set is added to the XQL Search field.
    The XQL features transaction, call, and wildcards in datasets (dataset in (<dataset prefix>_*)) are not currently supported in Correlation Rules. If you add them to the XQL definition, you will not be able to Create or Save the Correlation Rule.
  4. Configure the Timing settings.
    • Time Schedule—Select the Time Schedule for how frequently the XQL Search definition set for the Correlation Rule runs, as one of the following.
      • Every 10 Minutes—Runs at rounded 10-minute intervals counted from the beginning of the hour, such as 10:10 AM, 10:20 AM, and 10:30 AM.
      • Every 20 Minutes—Runs at rounded 20-minute intervals counted from the beginning of the hour, such as 10:20 AM, 10:40 AM, and 11:00 AM.
      • Every 30 Minutes—Runs at rounded 30-minute intervals counted from the beginning of the hour, such as 10:30 AM, 11:00 AM, and 11:30 AM.
      • Hourly—Runs at the beginning of the hour, such as 1:00 AM or 2:00 AM.
      • Daily—Runs at midnight; you can set a particular Timezone.
      • Custom—Displays the Time Schedule as Cron Expression fields, where you set the cron expression in each time field to define how frequently the XQL Search runs. The minimum query frequency is every 10 minutes and is already configured. You can also set a particular Timezone.
    • Timezone—(Optional) You can only set the Timezone when the Time Schedule is set to Daily or Custom. Otherwise, the option is disabled.
    • Query time frame—Set the time frame for running the query, which can be up to 7 days. Specify a number in the first field and select either Minute/s, Hour/s, or Day/s in the second field. By default, the query time frame is one hour (1 Hour/s).
  5. (Optional) Configure the Alert Suppression settings.
    Define whether the alerts generated by the Correlation Rule are suppressed by a duration time, a field, or both.
    • Enable alert suppression—Select this checkbox to enable alert suppression. By default, the checkbox is clear and the alerts of the Correlation Rule are not suppressed.
    • Duration time—Set the Duration time for how long to ignore other events that match the alert suppression criteria, which are based on the Fields listed. Specify a number in the first field and select either Minute/s, Hour/s, or Day/s in the second field. By default, generated alerts are suppressed for 1 hour (1 Hour/s). The Duration time can be configured for a maximum of 1 day.
    • Fields—(Optional) Select the fields that the alert suppression is based on. The fields listed are taken from the XQL query result set. You can do the following.
      • Select multiple fields from the list.
      • Select Select all to configure all the fields for suppression. This means that all the fields must match for alerts to be suppressed. This option will generate multiple alerts during the suppression period.
      • Search for a particular field, which narrows the available options as you begin typing.
      • Do not set any Fields. If you leave the field empty, only one alert is generated during the suppression period.
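The following added example (not Cortex XDR code) models the suppression semantics of step 5 so you can see how the Duration time and Fields choices change the number of alerts: rule hits are replayed in time order, and a hit is dropped if an alert with the same suppression key was raised inside the window. The field names, timestamps and counts are constructed for the illustration.

```python
# Added example (not Cortex XDR code): a model of the alert-suppression
# semantics described in step 5. Rule hits are replayed in time order and a
# hit is suppressed if an alert with the same suppression key was raised
# less than `duration_minutes` ago. The key is built from the selected
# Fields; with no Fields, every hit shares one key. All data is constructed.
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Sequence, Tuple


def suppress(hits: List[Dict[str, Any]], duration_minutes: int,
             fields: Optional[Sequence[str]] = None) -> List[Dict[str, Any]]:
    """Return the hits that would still raise an alert."""
    last_alert: Dict[Tuple[Any, ...], datetime] = {}
    raised: List[Dict[str, Any]] = []
    window = timedelta(minutes=duration_minutes)
    for hit in sorted(hits, key=lambda h: h["_time"]):
        # Empty Fields -> single shared key -> at most one alert per window.
        key = tuple(hit.get(f) for f in fields) if fields else ()
        prev = last_alert.get(key)
        if prev is not None and hit["_time"] - prev < window:
            continue  # an alert for this key is still inside its window
        last_alert[key] = hit["_time"]  # the window is anchored at the raised alert
        raised.append(hit)
    return raised


def demo_hits() -> List[Dict[str, Any]]:
    """Constructed query results: failed-login counts per user and destination."""
    t0 = datetime(2024, 1, 1, 10, 0)
    return [
        {"_time": t0, "user_name": "lab_admin", "dest": "10.10.32.44", "count": 234},
        {"_time": t0 + timedelta(minutes=20), "user_name": "lab_admin", "dest": "10.10.32.44", "count": 250},
        {"_time": t0 + timedelta(minutes=30), "user_name": "svc_backup", "dest": "10.10.32.44", "count": 12},
        {"_time": t0 + timedelta(minutes=70), "user_name": "lab_admin", "dest": "10.10.32.44", "count": 300},
    ]


def alerts_for(fields: Optional[Sequence[str]], duration_minutes: int = 60) -> List[str]:
    """Run the demo (1-hour window by default); return 'user@HH:MM' per raised alert."""
    return [f"{h['user_name']}@{h['_time']:%H:%M}"
            for h in suppress(demo_hits(), duration_minutes, fields)]


if __name__ == "__main__":
    for fields in (None, ["user_name"], ["user_name", "dest"]):
        print(fields, "->", alerts_for(fields))
```

With no Fields the second user's hit is swallowed by the window opened by the first alert; keying on user_name lets each distinct user raise its own alert, which is the "multiple alerts during the suppression period" behaviour the page describes for Select all.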
  6. Configure the resulting Action for the Correlation Rule.
    1. Select either of the following resulting actions; the configuration settings change depending on your selection.
      • Generate alert—Generates a Correlation type of alert according to the settings configured in the New Correlation Rule editor (default). When this option is selected, a number of new sections open for configuring the alert.
      • Save to dataset—Saves the data generated by the Correlation Rule to a separate Target Dataset. This option is helpful when you are fine-tuning and testing a rule before promoting it to production. You can also save a rule to a dataset as a building block for the next Correlation Rule, which is then based on the results of the first Correlation Rule instead of an overly complex XQL query.
        You can either create a new Target Dataset by specifying a name for the dataset in the field, or select a preexisting Target Dataset that was created for a different Correlation Rule. The list only displays datasets configured when creating a Correlation Rule. Different Correlation Rules can be saved to the same dataset, and Cortex XDR expands the dataset schema as needed. The dataset you configure for the Correlation Rule contains the following additional fields.
        • _rule_id
        • _rule_name
        • _insert_time
      When you have finished configuring the Target Dataset, you can either Save for later or Create the Correlation Rule.
    2. Configure the Alert Settings.
      • Severity—Select the severity assigned whenever an alert is generated for this Correlation Rule, as one of the following.
        • Informational
        • Low
        • Medium
        • High
      • Category—Select the type of alert that is generated, which can be any of the following.
        • Collection
        • Credential Access
        • Dropper
        • Evasion
        • Execution
        • Evasive
        • Exfiltration
        • File Privilege Manipulation
        • File Type Obfuscation
        • Infiltration
        • Lateral Movement
        • Persistence
        • Privilege Escalation
        • Reconnaissance
        • Tampering
        • Other
      • Alert Description—(Optional) Specify a description of the behavior that raises the alert. You can include dollar signs ($), which represent the field names (that is, output columns) in XQL Search.
        For example:
        The user $user_name has made $count failed login requests to $dest in a 24 hours period
        Output:
        The user lab_admin has made 234 failed login requests to 10.10.32.44 in a 24 hours period
        There is no validation or autocomplete for these parameters, and the values can be null or empty. In those cases, Cortex XDR does not display the null or empty value but instead inserts the text NULL or EMPTY in the description.
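To make the placeholder behaviour concrete, the following added example (not Cortex XDR code) renders an Alert Description template against constructed result rows, substituting $field tokens and emitting NULL or EMPTY for null and empty values as the page describes. Treating a column that is absent from the row the same as a null value is an assumption of the example.

```python
# Added example (not Cortex XDR code): a model of Alert Description
# placeholder rendering. $<field> tokens are replaced with the alert's output
# columns; null or empty values are rendered as the text NULL or EMPTY, as the
# documentation states. Field names and rows below are constructed.
import re
from typing import Any, Dict

# A token is a dollar sign followed by an identifier-like field name.
PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def render_description(template: str, row: Dict[str, Any]) -> str:
    """Substitute $field tokens in `template` with values from one result row.

    - None value (or, by assumption, a column missing from the row) -> "NULL"
    - empty string                                                  -> "EMPTY"
    - anything else                                                 -> str(value)
    No validation of field names is performed, mirroring the behaviour the
    page describes: a misspelled token silently renders as NULL.
    """
    def replace(match) -> str:
        value = row.get(match.group(1))
        if value is None:
            return "NULL"
        if value == "":
            return "EMPTY"
        return str(value)
    return PLACEHOLDER.sub(replace, template)


TEMPLATE = ("The user $user_name has made $count failed login requests "
            "to $dest in a 24 hours period")

# Constructed result rows, including the null and empty edge cases.
ROWS = [
    {"user_name": "lab_admin", "count": 234, "dest": "10.10.32.44"},
    {"user_name": "", "count": 7, "dest": None},
    {"user_name": "svc_backup", "count": 3},  # $dest column absent
]

if __name__ == "__main__":
    for row in ROWS:
        print(render_description(TEMPLATE, row))
```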
      • Drilldown Query—(Optional) You can configure a Drilldown Query to gather additional information about the alert for further investigation using XQL. This XQL query can accept parameters from the alert output of the Correlation Rule. Keep in mind, however, that when you create the Correlation Rule, Cortex XDR does not know in advance whether the parameters exist or contain the correct values. As a result, Cortex XDR lets you save the query, but the query can fail when you try to run it. You can also refer to field names using dollar signs ($), as explained in the Alert Description.
        Once configured, any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you Investigate Contributing Events, and a quick action Open Drilldown Query icon that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drilldown Query, no right-click pivot menu option, link, or icon is displayed.
        The Drilldown Query runs over the alert time frame, which provides more informative details about the alert generated by the Correlation Rule. The alert time frame spans the minimum and maximum timestamps of the events in the alert. If there is only one event, that event's timestamp is the time frame used for the query.
      • MITRE ATT&CK—(Optional) Select the MITRE Tactics and MITRE Techniques you want to associate with the alert using the MITRE ATT&CK matrix.
        1. Open the matrix by selecting the MITRE ATT&CK bar or the Open complete MITRE matrix link underneath the bar on the right.
        2. Select the MITRE Tactics listed in the first row of the matrix and the applicable MITRE Techniques and Sub-Techniques, which are listed in the other rows of the table. You can select MITRE Tactics only, MITRE Techniques and Sub-Techniques only, or a combination of both.
        3. Click Select. The matrix window closes, and the MITRE ATT&CK section in the New Correlation Rule editor lists the number of Tactics and Techniques configured, which is also shown in the bar. For example, in the following image, there are 3 Tactics and 4 Techniques configured. The three MITRE Tactics are Resource Development with 2 Techniques configured, Credential Access with 1 Technique configured, and Discovery with 1 Technique configured.
    3. (Optional) Configure the Alerts Fields Mappings.
      You can map the alert fields so that the mapped fields are displayed in the Alerts page, providing important information for analyzing your alerts. In addition, mapping the fields improves the incident grouping logic and enables Cortex XDR to list the artifacts and assets in the incident based on the mapped fields. The options available can change depending on your Correlation Rule definition in XQL Search. There are two ways to map the alert fields.
      • Use the Cortex XDR default incident enrichment—Select this option if you want Cortex XDR to map the fields for you automatically. This checkbox is only displayed when your Correlation Rule can be configured to use Cortex XDR incident enrichment, in which case it is selected by default. We recommend using this option whenever it is available to you.
      • Manually map the alert fields by selecting the fields that you want to map. When you create the Correlation Rule, Cortex XDR does not know whether the alert fields that you mapped manually are valid. If the fields are invalid according to your mapping, null values are assigned to those fields.
        If Use the Cortex XDR default incident enrichment is not selected and you have not mapped any alert fields, the alert is dispatched into a new incident.
  7. (Optional) Save for later the Correlation Rule.
    Select Save for later, rather than Create, when you want to finish configuring your Correlation Rule at a different time but do not want to lose your settings. The Create button is only enabled when you have configured all the mandatory fields in the New Correlation Rule editor. Once saved, your Correlation Rule is listed in the Correlation Rules page but is disabled. You can edit or enable the rule at any time by right-clicking the rule and selecting Edit Rule or Enable.
  8. Create the Correlation Rule.
    The rule is added to the table in the Correlation Rules page as an active rule, and a notification is displayed.
  9. Manage a Correlation Rule, as needed.
    At any time, you can return to the Correlation Rules page to view and manage your Correlation Rules. To manage a Correlation Rule, right-click the Correlation Rule and select the desired action.
    • Open in XQL—View the XQL results for the Correlation Rule in XQL Search. You can Show results in new tab or Show results in same tab.
    • View related alerts—View the alerts generated by this Correlation Rule in the Alerts page. You can Show alerts in new tab or Show alerts in same tab.
    • Execute Rule—Run the rule now without waiting for the scheduled time.
    • Disable the selected Correlation Rule. This option is only available on an active rule.
    • Enable the selected Correlation Rule. This option is only available on an inactive rule.
    • Edit Rule—Edit the rule parameters configured in the Edit Correlation Rule editor.
    • Save as new—Duplicate the Correlation Rule and save it as a new Correlation Rule.
    • Delete the Correlation Rule.
    • Show rows with ‘<field value>’ to filter the Correlation Rules list to only display the Correlation Rules with a specific field value that you selected in the table. On certain fields that are null, this option is not displayed.
    • Hide rows with ‘<Rule Description>’ to filter the Correlation Rules list to hide the Correlation Rules with a specific field value that you selected in the table. On certain fields that are null, this option is not displayed.
    • Copy entire row to copy the text from all the fields in a row of a Correlation Rule.
