Create a correlation rule

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-09
Category: Administrator Guide
Abstract

Create new correlation rules from either the Correlation Rules page or while building a query in XQL Search, or import many correlation rules at once from a file.

Notice

Correlation rules require a Cortex XDR Pro license. There may be future changes to the correlation rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

You can create a new correlation rule from either the Detection Rules > Correlation Rules page or while building a query in XQL Search. You can also import a number of correlation rules from a file.

When setting up correlation rules, you have the following capabilities:

  • Define when the correlation rule runs.

  • Define whether alerts generated by the correlation rule are suppressed, and if so for how long (the suppression duration) and by which field (alerts sharing the same value of that field are suppressed for the duration).

  • Set the resulting action for the correlation rule, which includes any of the following:

    • Generate an alert: You can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert Severity, MITRE ATT&CK Tactics and Techniques, and other alert settings.

    • Save data to a dataset: Use this option to test and fine-tune new rules before they generate alerts, and for correlation-of-correlations use cases (rules that query the dataset another rule saves to).

    • Add data to a lookup dataset

    • Remove data from a lookup dataset

Note

To ensure your correlation rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables any correlation rule that reaches 5000 or more hits within a 24-hour period.
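The following is an added illustration, not Cortex XDR code: it models the two volume controls described above, suppression keyed on a field for a duration and the 5000-hits-in-24-hours auto-disable threshold, so you can estimate how many alerts a rule would raise and whether it would be disabled before enabling it. The hit rows, field names and timestamps are constructed sample data, and the sliding-window semantics (any 24-hour span containing 5000 or more hits) are an assumption about how the threshold is evaluated.

```python
from datetime import datetime, timedelta

AUTO_DISABLE_THRESHOLD = 5000          # hits, from the note above
AUTO_DISABLE_WINDOW = timedelta(hours=24)

# Constructed sample hits: (timestamp, row) as a correlation query might emit.
_BASE = datetime(2024, 3, 6, 9, 0, 0)
SAMPLE_HITS = [
    (_BASE,                        {"agent_hostname": "ws-01", "actor_process_image_name": "powershell.exe"}),
    (_BASE + timedelta(minutes=1), {"agent_hostname": "ws-01", "actor_process_image_name": "powershell.exe"}),
    (_BASE + timedelta(minutes=5), {"agent_hostname": "ws-01", "actor_process_image_name": "cmd.exe"}),
    (_BASE + timedelta(minutes=2), {"agent_hostname": "ws-02", "actor_process_image_name": "powershell.exe"}),
    (_BASE + timedelta(minutes=15), {"agent_hostname": "ws-01", "actor_process_image_name": "powershell.exe"}),
]


def suppress(hits, field, duration):
    """Return the hits that would still become alerts when suppression is keyed
    on `field` for `duration`: after a hit for a given field value raises an
    alert, further hits with that value are dropped until `duration` elapses."""
    last_alert = {}
    alerts = []
    for ts, row in sorted(hits, key=lambda h: h[0]):
        key = row.get(field)
        prev = last_alert.get(key)
        if prev is None or ts - prev >= duration:
            alerts.append((ts, row))
            last_alert[key] = ts
    return alerts


def peak_hits_in_window(hits, window=AUTO_DISABLE_WINDOW):
    """Largest number of hits falling inside any span of length `window`
    (sliding window over the sorted timestamps)."""
    times = sorted(ts for ts, _ in hits)
    peak = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:   # drop hits older than the window
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def would_auto_disable(hits):
    """True if the rule would cross the 5000-hits-per-24-hours threshold."""
    return peak_hits_in_window(hits) >= AUTO_DISABLE_THRESHOLD


def synthetic_burst(count, span):
    """Constructed load: `count` hits spread evenly over `span` (for what-if checks)."""
    return [(_BASE + span * (i / count), {}) for i in range(count)]


if __name__ == "__main__":
    raw = suppress(SAMPLE_HITS, "agent_hostname", timedelta(0))
    deduped = suppress(SAMPLE_HITS, "agent_hostname", timedelta(minutes=10))
    print(f"{len(raw)} alerts without suppression, {len(deduped)} with 10-minute suppression by host")
    print("noisy rule would be disabled:", would_auto_disable(synthetic_burst(6000, timedelta(hours=1))))
```

Run it against an exported query result to see how the suppression field and duration change the alert count before committing the rule; a rule that trips `would_auto_disable` on historical data is better saved to a dataset first and tuned there.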