Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.
If you are assigned a role that enables→ privileges, you can view all user-defined Correlation Rules from → → .
By default, the Correlation Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Correlation Rules page, you can also manage existing rules using the right-click pivot menu.
In addition, the Correlation Rules page helps you easily identify and resolve Correlation Rules errors. The number of errors is indicated at the top of the page in red font using the format <number> errors found. You can change the view to only display the Correlation Rules with errors by selecting Show Errors Only. The LAST EXECUTION column in the table indicates a Correlation Rule with an error by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field. The following error messages are displayed in the applicable scenarios.
Dependency correlation did not complete
Delayed rule—This rule is running past its scheduled time, which can cause delayed results.
Dataset does not exist: <name of dataset>
Only an administrator can create and view queries built with an unknown dataset that currently does not exist in Cortex XDR .
A notification is also displayed in Cortex XDR to indicate these Correlation Rules errors.
The following table describes the fields that are available for each Correlation Rule in alphabetical order.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
# OF ALERTS*
The number of alerts triggered for this rule.
Type of alert as configured when creating the rule.
The text displayed here depends on the resulting action configured for the Correlation Rule when the rule was created.
The description for the Correlation Rule that was configured when the rule was created.
Displays the Drill-Down Query that you configured for additional information about the alert for further investigation using Cortex Query Language (XQL) when you created the rule. If you did not configure one, the field is left empty.
Once configured any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you investigate any contributing events, and a quick action Open Drilldown Query icon () that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drill-Down Query, no right-click menu option, link, or icon is displayed.
The Drill-Down Query Time Frame can be configured as either.
For a Correlation Rule with an error, displays the error message, which can be one of the following.
Date and time when the Correlation Rule was created.
Date and time when the Correlation Rule was last executed. Indicates a Correlation Rule with an error by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field. Indicates Real-time in the case of a Real Time Correlation Rule.
MITRE ATT&CK TACTIC*
Displays the type of MITRE ATT&CK tactic the Correlation Rule is attempting to trigger.
MITRE ATT&CK TECHNIQUE*
Displays the type of MITRE ATT&CK technique and sub-technique the Correlation rule is attempting to trigger.
Date and time when the Correlation Rule was last modified.
Unique name that describes the rule.
Unique identification number for the rule.
Displays the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule when the rule was created. The options displayed are one of the following.
Correlation Rule severity that was defined when the Correlation Rule was created. Severity levels can be Informational, Low, Medium, High, Critical, and Customized.
Whenever an alert is generated with a severity type of Medium and above based on the Correlation Rule, a new incident is automatically opened.
User who created this Correlation Rule.
Rule status: Enabled or Disabled.
The duration time for how long to ignore other events that match the alert suppression criteria that was configured when the rule was created. This is required to configure.
The fields that the alert suppression is based on, which was configured when the rule was created. The fields listed are based on the XQL query result set for the rule. This is optional to configure.
Displays the Suppression Status as either Enabled or Disabled as configured when the rule was created.
Displays the time frame for running a query, which can be up to 7 days as configured when the rule was created.
Displays the Timezone when the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule is set to run daily or using a cron expression. Otherwise, this field is left empty.
Displays the XQL definition for the Correlation Rule that was configured in XQL Search when the rule was created.