What's a correlation rule?

Cortex XDR 5.x Documentation

Product
Cortex XDR
License
XDR + Cloud
Creation date
2025-07-13
Last date published
2026-06-11
Category
Administrator Guide
Abstract

Correlation rules help you analyze correlations of multiple events from multiple sources by using the Cortex Query Language (XQL)-based engine for creating scheduled rules.

Notice

Managing correlation rules requires a Cortex XDR Pro license.

Correlation rules help you analyze correlations of multiple events from multiple sources by using the Cortex Query Language (XQL)-based engine for creating scheduled rules. Each rule runs its query over a defined time frame on a set schedule (every X minutes, once a day, once a week, or a custom time), and issues are generated from the results.

Some examples of events for which you might want to create correlation rules are:

  • A user has a number of failed logins, and then a successful login within a small window.

  • A device on a watch list has an activity.

  • A device connects to an IP that's on a watch list.

  • Two specific events occur in a 10-minute window.
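The first example above (a burst of failed logins followed by a successful login within a small window) expressed as detection logic over constructed login events. This is an added illustration in plain Python, not XQL and not Cortex XDR code; the event fields, thresholds and the lookback frame are assumptions chosen for the example.

```python
# Added example: failed-logins-then-success correlation over constructed events.
# Plain Python illustrating what a scheduled correlation rule evaluates; the
# field names (ts, user, outcome), threshold and window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-07-13T08:00:05", "user": "alice", "outcome": "failure"},
    {"ts": "2025-07-13T08:00:20", "user": "alice", "outcome": "failure"},
    {"ts": "2025-07-13T08:00:41", "user": "alice", "outcome": "failure"},
    {"ts": "2025-07-13T08:01:10", "user": "alice", "outcome": "success"},
    {"ts": "2025-07-13T08:05:00", "user": "bob", "outcome": "failure"},
    {"ts": "2025-07-13T08:30:00", "user": "bob", "outcome": "success"},  # too late
    {"ts": "2025-07-13T09:00:00", "user": "carol", "outcome": "success"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def correlate_failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return one issue per burst of >= min_failures failed logins for a user
    that is followed by a successful login, all inside the sliding window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    issues = []
    for user, evs in by_user.items():
        failures = []  # timestamps of failures still inside the window
        for e in evs:
            t = _parse(e["ts"])
            failures = [f for f in failures if t - f <= window]  # age out old ones
            if e["outcome"] == "failure":
                failures.append(t)
            elif e["outcome"] == "success" and len(failures) >= min_failures:
                issues.append({"user": user, "failed_count": len(failures),
                               "first_failure": failures[0].isoformat(),
                               "success_at": t.isoformat()})
                failures = []  # one burst yields one issue, not one per success
    return issues

def run_scheduled(events, now, lookback=timedelta(minutes=30)):
    """Simulate one scheduled run: only events inside the lookback frame count."""
    cutoff = now - lookback
    recent = [e for e in events if _parse(e["ts"]) >= cutoff]
    return correlate_failed_then_success(recent)

if __name__ == "__main__":
    for issue in run_scheduled(SAMPLE_EVENTS, datetime.fromisoformat("2025-07-13T08:10:00")):
        print(issue)
```

Note that the same events evaluated in a later scheduled run whose lookback no longer covers the burst produce no issue, which is why the time frame is part of the rule definition.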

After you configure your correlation rules, you can manage them in Threat Management > Detection Rules > Correlations, and view and analyze the generated issues in Cases and the Issues Table. In addition, issues generated by correlation rules are factored into the number of cases displayed in the dashboards.