Monitor correlation rules - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-09
Category
Administrator Guide
Abstract

You can monitor your correlation executions with the correlations_auditing dataset.

Notice

This functionality is available in Cortex XDR Pro only.

Cortex XDR audits all correlation executions in the correlations_auditing dataset. The dataset records the query initiation times, end times, retry attempts, failure reasons, and other useful metrics. .

In the correlations_auditing dataset, audit entries are added as follows:

  • The rule starts executing. This is audited with the status of Initiated or Initiated Manually.

  • The rule completes successfully. This is audited as Completed.

  • The rule completes with errors. This is audited as Error.

Note

In the dataset, the Query start time and Query end time indicate the time frame of the data that was queried. The actual start and end times of the correlation rule execution are recorded in the _time field for the Initiated and Completed entries.

The following table describes the fields in the correlations_auditing dataset:

Field

Description

_time

Timestamp of the audit.

For entries with an Initiated or Initiated Manually status, this is the start time of the correlation rule execution. For entries with a Completed or Error status, this is the end time of the rule execution.

_id

Unique identifier of the audit entry.

Rule ID

Unique identification number for the correlation rule.

Name

Correlation rule name.

Status

The status of the correlation rule query.

Possible values are Initiated, Initiated Manually, Completed, and Error.

Query start time

The start time of the query time frame.

Query end time

The end time of the query time frame.

Time frame

Time frame for the query.

Failure reason

For correlation rules with errors, this field displays the error message.

Retry attempts

Number of retry attempts before the query initiated or failed to run.

Schedule

Scheduled frequency to execute the correlation rule.

Rule creation time

Date and time that the correlation rule was created.

Rule modification time

Date and time that the correlation rule was last modified.

Description

Description of the correlation rule.

Severity

Defined severity of the correlation rule.

Dataset

Target data set, as defined in the correlation rule

Suppression status

Whether alert suppression is Enabled or Disabled.

Suppression duration

Duration for which to ignore additional events that match the alert suppression criteria.

Suppression fields

Fields on which the alert suppression is based.

Timezone

Timezone on which the scheduled frequency is based.

MITRE ATT&CK Tactic

MITRE ATT&CK tactic that the correlation rule attempted to trigger.

MITRE ATT&CK Technique

MITRE ATT&CK technique that the correlation rule attempted to trigger.

Alert category

Category of alert as configured when creating the rule.

Source

Source of the correlation rule.

XQL search

XQL query for the correlation rule.

Drill-down query

XQL query configured for further investigation.

Alert name

Name of the alert that the correlation rule will trigger.