What's a correlation rule? - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide
Abstract

Correlation rules let you analyze correlations between multiple events from multiple sources, using the Cortex Query Language based engine to create scheduled rules.

Notice

Managing correlation rules requires a Cortex XDR Pro license.

Correlation rules let you analyze correlations between multiple events from multiple sources, using the Cortex Query Language (XQL) based engine to create scheduled rules. Alerts can then be triggered by these correlation rules over a defined time frame on a set schedule: every X minutes, once a day, once a week, or a custom interval.
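The following XQL query is an added illustration of the kind of multi-event logic a scheduled correlation rule evaluates over its time frame; it is not taken from the Cortex XDR documentation. The dataset and field names (xdr_data, action_evtlog_event_id, actor_effective_username, agent_hostname) are assumed from the xdr_data schema, and the thresholds are constructed sample values.

```xql
// Added example, not from the original page.
// Looks back over the rule's time frame (1 hour) for a burst of failed
// Windows logons (event ID 4625) spread across several accounts on one host,
// a pattern a single-event filter cannot express.
config timeframe = 1h
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625
| comp count() as failed_logons,
       count_distinct(actor_effective_username) as distinct_users
  by agent_hostname
// Constructed thresholds: tune them to the environment's baseline.
| filter failed_logons >= 20 and distinct_users >= 5
| fields agent_hostname, failed_logons, distinct_users
```

When saved as a correlation rule with a matching schedule (for example, every 15 minutes), each row returned by the query becomes an alert that then appears in Incidents and the Alerts table.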

After you configure your correlation rules, you can manage them in Detection Rules → Correlations, and view and analyze the generated alerts in Incidents and the Alerts table. In addition, alerts triggered by correlation rules are factored into the number of incidents displayed in the dashboards.