Create a Correlation Rule
Create new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search.
Correlation Rules require a Cortex XDR Pro license. The Correlation Rules offering may change in the future, which can affect your licensing agreement; you will be notified ahead of time before any change is implemented.
You can create a new Correlation Rule from either the Correlation Rules page or when building a query in XQL Search.
When setting up Correlation Rules, you have the following capabilities.
- Define the timing for when the Correlation Rule should run.
- Define whether alerts generated by the Correlation Rule are suppressed, by duration, by field, or both.
- Set the resulting action of the Correlation Rule: generate an alert or save the results to a dataset.
- When generating an alert, you can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert Severity, MITRE ATT&CK Tactics and Techniques, and other alert settings.
- When saving the results to a dataset, you can test and fine-tune new rules before they start raising alerts, and build correlation-of-correlation use cases (a rule whose XQL reads the dataset written by another rule).
To create a Correlation Rule in Cortex XDR:
- Open the New Correlation Rule editor. You can do this in one of two ways.
- From the Correlation Rules page:
- Select + Add Correlation.
- From XQL Search:
- Select Investigation > Query Builder > XQL Search.
- In the XQL query field, define the parameters for your Correlation Rule.
- Select Save as > Correlation Rule. The New Correlation Rule editor is displayed, with the XQL Search section populated with the query you already set in the XQL query field.
- Configure the General settings.
- Specify a descriptive Name to identify the Correlation Rule.
- (Optional) Specify a Description for the Correlation Rule.
- Define the Correlation Rule in the XQL Search field. After writing at least one line of XQL, you can select Open full query mode to display the query in XQL Search, and you can Test the XQL definition for the rule at any time. When you open the New Correlation Rule editor from XQL Search, this XQL Search field is already populated with the query you defined there. Once you are finished writing the XQL for the Correlation Rule definition, select Continue editing rule to return to the New Correlation Rule editor; the complete query you set is added to the XQL Search field. The XQL transaction and call features and wildcards in dataset names (dataset in (<dataset prefix>_*)) are not currently supported in Correlation Rules. If the XQL definition uses them, you cannot Create or Save the Correlation Rule.
- Configure the Timing settings.
- (Optional) Configure the Alert Suppression settings. Define whether the alerts generated by the Correlation Rule are suppressed by a duration, by fields, or both.
- Enable alert suppression—Select this checkbox to enable alert suppression. By default, the checkbox is clear and alerts of the Correlation Rule are not suppressed.
- Duration time—Set the Duration time for how long to ignore further results that match the alert suppression criteria, which are based on the Fields listed. Specify a number in the first field and select Minute/s, Hour/s, or Day/s in the second. By default, generated alerts are suppressed for 1 hour (1 Hour/s). The Duration time can be at most 1 day.
- Fields—(Optional) Select the fields that alert suppression is based on. The fields listed are the output columns of the XQL query result set. You can do the following.
- Select multiple fields from the list.
- Select Select all to base suppression on all of the fields. All of the field values must then match for a later result to be suppressed, so this option can generate multiple alerts (one per distinct combination of values) during the suppression period.
- Search for a particular field; the available options narrow as you type.
- Leave Fields empty to suppress on duration alone; only one alert is generated during the suppression period.
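The suppression semantics above, as an added illustration and not Cortex XDR code: a small Python model that applies a Duration time and a Fields selection to constructed rule output rows and shows how the same six rows yield one alert per window when Fields is empty, one alert per user when Fields is user_name, and more alerts as more fields are added to the key. The row layout, the sample values and the from_ui helper are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Hypothetical helper, not Cortex XDR code: a model of the documented
# suppression semantics (Duration time + Fields) applied to rule output rows.

UNIT_TO_KWARG = {"Minute/s": "minutes", "Hour/s": "hours", "Day/s": "days"}
MAX_DURATION = timedelta(days=1)  # UI maximum: 1 day


@dataclass
class Suppression:
    enabled: bool = False  # checkbox is clear by default
    duration: timedelta = timedelta(hours=1)  # UI default: 1 Hour/s
    fields: List[str] = field(default_factory=list)  # empty => one alert per window

    def __post_init__(self) -> None:
        if self.duration > MAX_DURATION:
            raise ValueError("Duration time cannot exceed 1 day")

    @classmethod
    def from_ui(cls, enabled: bool, amount: int, unit: str, fields: List[str]) -> "Suppression":
        """Build from the editor inputs, e.g. from_ui(True, 2, "Hour/s", ["user_name"])."""
        return cls(enabled, timedelta(**{UNIT_TO_KWARG[unit]: amount}), list(fields))


Row = Tuple[datetime, Dict[str, Any]]  # (time the rule run produced the row, output columns)


def suppression_key(row: Dict[str, Any], fields: List[str]) -> tuple:
    # All selected fields must match for a later row to be suppressed.
    return tuple(row.get(f) for f in fields)


def apply_suppression(rows: List[Row], cfg: Suppression) -> Tuple[List[Row], List[Row]]:
    """Split rule output rows into (alerts emitted, alerts suppressed)."""
    last_emitted: Dict[tuple, datetime] = {}
    emitted: List[Row] = []
    suppressed: List[Row] = []
    for ts, row in sorted(rows, key=lambda r: r[0]):  # stable: same-time rows keep order
        if not cfg.enabled:
            emitted.append((ts, row))
            continue
        key = suppression_key(row, cfg.fields)
        prev = last_emitted.get(key)
        if prev is not None and ts < prev + cfg.duration:
            suppressed.append((ts, row))  # inside the window of an earlier alert
        else:
            last_emitted[key] = ts  # the window starts at the emitted alert
            emitted.append((ts, row))
    return emitted, suppressed


def _t(minutes: int) -> datetime:
    return datetime(2024, 1, 1, 0, 0) + timedelta(minutes=minutes)


# Constructed sample output of a failed-login rule scheduled every few minutes.
SAMPLE_ROWS: List[Row] = [
    (_t(0), {"user_name": "lab_admin", "dest": "10.10.32.44", "count": 12}),
    (_t(10), {"user_name": "lab_admin", "dest": "10.10.32.44", "count": 15}),
    (_t(10), {"user_name": "svc_backup", "dest": "10.10.32.44", "count": 9}),
    (_t(30), {"user_name": "lab_admin", "dest": "10.10.32.45", "count": 7}),
    (_t(65), {"user_name": "lab_admin", "dest": "10.10.32.44", "count": 30}),
    (_t(80), {"user_name": "svc_backup", "dest": "10.10.32.44", "count": 11}),
]


def emitted_count(cfg: Suppression) -> int:
    return len(apply_suppression(SAMPLE_ROWS, cfg)[0])


if __name__ == "__main__":
    for label, cfg in [
        ("suppression disabled", Suppression()),
        ("1 Hour/s, Fields empty", Suppression.from_ui(True, 1, "Hour/s", [])),
        ("1 Hour/s, Fields=user_name", Suppression.from_ui(True, 1, "Hour/s", ["user_name"])),
        ("1 Hour/s, Fields=user_name,dest", Suppression.from_ui(True, 1, "Hour/s", ["user_name", "dest"])),
    ]:
        emitted, suppressed = apply_suppression(SAMPLE_ROWS, cfg)
        print(f"{label}: {len(emitted)} alerts, {len(suppressed)} suppressed")
```

With the sample rows the four configurations produce 6, 2, 4 and 5 alerts respectively: the more fields you add to the key, the fewer rows collapse into one alert, which is why Select all behaves almost like no suppression for high-cardinality output.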
- Configure the resulting Action for the Correlation Rule.
- You can select either of the following resulting actions; the configuration settings change depending on your selection.
- Generate alert—Generates a Correlation type of alert according to the settings configured in the New Correlation Rule editor (default). When this option is selected, additional sections open for configuring the alert.
- Save to dataset—Saves the results of the Correlation Rule to a separate Target Dataset. This option is helpful when you are fine-tuning and testing a rule before promoting it to production. You can also save a rule to a dataset as a building block for the next Correlation Rule, which is then based on the results of the first rule instead of a single, overly complex XQL query. You can either create a new Target Dataset by typing its name in the field or select a preexisting Target Dataset that was created for a different Correlation Rule. The list only displays datasets that were created through a Correlation Rule. Different Correlation Rules can be saved to the same dataset, and Cortex XDR expands the dataset schema as needed. The dataset you configure for the Correlation Rule contains the following additional fields.
- Configure the Alert Settings.
- Severity—Select the severity assigned whenever an alert is generated for this Correlation Rule, as one of the following.
- Category—Select the type of alert that is generated, which can be any of the following.
- Credential Access
- File Privilege Manipulation
- File Type Obfuscation
- Lateral Movement
- Privilege Escalation
- Alert Description—(Optional) Specify a description of the behavior that raises the alert. You can reference the field names (that is, the output columns of the XQL query) with a dollar sign ($). For example, the description
The user $user_name has made $count failed login requests to $dest in a 24 hours period
produces the output
The user lab_admin has made 234 failed login requests to 10.10.32.44 in a 24 hours period
There is no validation or auto-complete for these parameters, and the values can be null or empty. In those cases Cortex XDR does not display the null or empty value but substitutes the text NULL or EMPTY in the description.
- Drilldown Query—(Optional) Configure a Drilldown Query in XQL to retrieve additional information about the alert for further investigation. The query can take parameters from the alert output of the Correlation Rule, referenced with dollar signs ($) as explained for the Alert Description. Keep in mind that when you create the Correlation Rule, Cortex XDR does not know in advance whether the parameters exist or contain the expected values; it lets you save the query, but the query can fail when you run it. Once configured, every alert generated by the Correlation Rule has a right-click pivot menu option Open Drilldown Query, an Open drilldown query link after you Investigate Contributing Events, and a quick-action Open Drilldown Query icon on the Alerts page, each of which opens a new browser tab in XQL Search and runs the query. If you do not define a Drilldown Query, no pivot menu option, link, or icon is displayed. The Drilldown Query runs over the alert time frame, which is the minimum and maximum timestamps of the events that contributed to the alert; if there is only one event, its timestamp is used as the time frame.
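The $field substitution used by both the Alert Description and the Drilldown Query, and the alert time frame the drilldown runs over, as an added illustration that is not Cortex XDR code: a Python model that fills a description and a drilldown template from one constructed rule output row, renders null and empty values as NULL and EMPTY, and derives the time frame from the contributing events. The drilldown field names (actor_effective_username, action_remote_ip), the sample row and the treatment of a reference that matches no output column (left as written) are assumptions made for this example.

```python
import re
from datetime import datetime
from typing import Any, Dict, Iterable, Tuple

# Hypothetical helper, not Cortex XDR code: models how $field references in an
# Alert Description or Drilldown Query are filled from one rule output row, and
# how the drilldown time frame is derived from the contributing events.

_FIELD_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def render_template(template: str, row: Dict[str, Any]) -> str:
    """Substitute $column with the row value; null -> NULL, empty string -> EMPTY.
    There is no validation: a name that is not an output column is left as written
    (assumption; the page only says the editor does not validate the parameters)."""
    def sub(m):
        name = m.group(1)
        if name not in row:
            return m.group(0)
        value = row[name]
        if value is None:
            return "NULL"
        if value == "":
            return "EMPTY"
        return str(value)
    return _FIELD_REF.sub(sub, template)


def drilldown_time_frame(event_times: Iterable[datetime]) -> Tuple[datetime, datetime]:
    """Alert time frame = min and max timestamp of the contributing events.
    With a single event both bounds are that event's timestamp."""
    times = sorted(event_times)
    if not times:
        raise ValueError("an alert has at least one contributing event")
    return times[0], times[-1]


DESCRIPTION = ("The user $user_name has made $count failed login requests "
               "to $dest in a 24 hours period")

# Drilldown query with $ parameters; the xdr_data field names are assumed for illustration.
DRILLDOWN_QUERY = ('dataset = xdr_data '
                   '| filter actor_effective_username = "$user_name" '
                   'and action_remote_ip = "$dest"')


def build_alert(row: Dict[str, Any], event_times: Iterable[datetime]) -> Dict[str, Any]:
    start, end = drilldown_time_frame(event_times)
    return {
        "description": render_template(DESCRIPTION, row),
        "drilldown_query": render_template(DRILLDOWN_QUERY, row),
        "time_frame": (start.isoformat(), end.isoformat()),
    }


# Constructed sample row (src is null, process is empty) and contributing-event timestamps.
SAMPLE_ROW = {"user_name": "lab_admin", "count": 234, "dest": "10.10.32.44",
              "src": None, "process": ""}
SAMPLE_EVENTS = [datetime(2024, 1, 1, 9, 5), datetime(2024, 1, 1, 8, 30),
                 datetime(2024, 1, 1, 9, 40)]

if __name__ == "__main__":
    for key, value in build_alert(SAMPLE_ROW, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Note the boundary behaviour: a reference such as $dest_ip is read as one identifier, so it is not expanded from a dest column; the name in the template must match the output column exactly, which is the mistake the missing validation will not catch for you.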
- MITRE ATT&CK—(Optional) Select the MITRE Tactics and MITRE Techniques you want to associate with the alert using the MITRE ATT&CK matrix.
- You can open the matrix by selecting the MITRE ATT&CK bar or the Open complete MITRE matrix link underneath the bar on the right.
- Select the MITRE Tactics listed in the first row of the matrix and the applicable MITRE Techniques and Sub-Techniques, which are listed in the other rows of the table. You can select MITRE Tactics only, MITRE Techniques and Sub-Techniques only, or a combination of both.
- Click Select. The matrix window closes and the MITRE ATT&CK section in the New Correlation Rule editor lists the number of Tactics and Techniques configured, which is also shown in the bar. For example, a rule with 3 Tactics and 4 Techniques configured could have the Tactics Resource Development with 2 Techniques, Credential Access with 1 Technique, and Discovery with 1 Technique.
- (Optional) Configure the Alerts Fields Mappings. You can map the alert fields so that the mapped fields are displayed in the Alerts page and provide important information for analyzing your alerts. Mapping the fields also improves the incident grouping logic and enables Cortex XDR to list the artifacts and assets in the incident based on the mapped fields. The options available can change depending on your Correlation Rule definition in XQL Search. There are two ways to map the alert fields.
- Use the Cortex XDR default incident enrichment—Select this option if you want Cortex XDR to map the fields for you automatically. This checkbox is displayed only when your Correlation Rule can use Cortex XDR incident enrichment, and it is then selected by default. We recommend using this option whenever it is available.
- Manually map the alert fields by selecting the fields that you want to map. When you create the Correlation Rule, Cortex XDR does not know whether the alert fields you mapped manually are valid; fields that turn out to be invalid are assigned null values. If Use the Cortex XDR default incident enrichment is not selected and you have not mapped any alert fields, each alert is dispatched into a new incident.
- (Optional) Save for later the Correlation Rule. Select Save for later when you want to finish configuring your Correlation Rule at a different time but do not want to lose your settings. The Save for later button is only enabled when you have configured all the mandatory fields in the New Correlation Rule editor. Once saved, your Correlation Rule is listed in the Correlation Rules page but is disabled. You can edit or enable the rule at any time by right-clicking it and selecting Edit Rule or Enable.
- Create the Correlation Rule. The rule is added to the table in the Correlation Rules page as an active rule and a notification is displayed.
- Manage a Correlation Rule, as needed. At any time, you can return to the Correlation Rules page to view and manage your Correlation Rules. To manage a Correlation Rule, right-click it and select the desired action.
- Open in XQL—View the XQL results for the Correlation Rule in XQL Search. You can Show results in new tab or Show results in same tab.
- View related alerts—View the alerts generated by this Correlation Rule in the Alerts page. You can Show alerts in new tab or Show alerts in same tab.
- Execute Rule—Run the rule now without waiting for the scheduled time.
- Disable the selected Correlation Rule. This option is only available on an active rule.
- Enable the selected Correlation Rule. This option is only available on an inactive rule.
- Edit Rule—Edit the rule parameters in the Edit Correlation Rule editor.
- Save as new—Duplicate the Correlation Rule and save it as a new Correlation Rule.
- Delete the Correlation Rule.
- Show rows with ‘<field value>’—Filter the Correlation Rules list to display only the rules with the field value you selected in the table. On fields that are null, this option is not displayed.
- Hide rows with ‘<field value>’—Filter the Correlation Rules list to hide the rules with the field value you selected in the table. On fields that are null, this option is not displayed.
- Copy entire row—Copy the text from all the fields in a row of a Correlation Rule.