Correlation Rule Details - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

In the Correlation Rules page, you can view all of your enabled rules in a table format and the various fields displayed.

Note

Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

If you are assigned a role that enables InvestigationRules privileges, you can view all user-defined Correlation Rules from Detection & Threat IntelDetection RulesCorrelations.

By default, the Correlation Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Correlation Rules page, you can also manage existing rules using the right-click pivot menu.

In addition, the Correlation Rules page helps you easily identify and resolve Correlation Rules errors. The number of errors is indicated at the top of the page in red font using the format <number> errors found. You can change the view to only display the Correlation Rules with errors by selecting Show Errors Only. The LAST EXECUTION column in the table indicates a Correlation Rule with an error by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field. The following error messages are displayed in the applicable scenarios.

  • Invalid query

  • Query timeout

  • Dependency correlation did not complete

  • Unknown error

  • Delayed rule—This rule is running past its scheduled time, which can cause delayed results.

  • Dataset does not exist: <name of dataset>

    Note

    Only an administrator can create and view queries built with an unknown dataset that currently does not exist in Cortex XDR .

A notification is also displayed in Cortex XDR to indicate these Correlation Rules errors.

The following table describes the fields that are available for each Correlation Rule in alphabetical order.

Note

Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.

Field

Description

# OF ALERTS*

The number of alerts triggered for this rule.

ALERT CATEGORY*

Type of alert as configured when creating the rule.

  • Collection

  • Credential Access

  • Dropper

  • Evasion

  • Execution

  • Evasive

  • Exfiltration

  • File Privilege Manipulation

  • File Type Obfuscation

  • Infiltration

  • Lateral Movement

  • Persistence

  • Privilege Escalation

  • Reconnaissance

  • Tampering

  • Other

DATASET*

The text displayed here depends on the resulting action configured for the Correlation Rule when the rule was created.

  • alerts—When your resulting action for the rule was configured to Generate alert.

  • Dataset name—When your resulting action for the rule was configured to Save to dataset.

DESCRIPTION*

The description for the Correlation Rule that was configured when the rule was created.

DRILL-DOWN QUERY

Displays the Drill-Down Query that you configured for additional information about the alert for further investigation using Cortex Query Language (XQL) when you created the rule. If you did not configure one, the field is left empty.

Once configured any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you investigate any contributing events, and a quick action Open Drilldown Query icon (drilldown-icon.png) that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drill-Down Query, no right-click menu option, link, or icon is displayed.

The Drill-Down Query Time Frame can be configured as either.

  • Generated Alert—Uses the time frame of the alert that is triggered, which is the first event and last event timestamps for the alert (default option).

  • XQL Search—Uses the time frame from when the Correlation Rule was run in XQL Search.

FAILURE REASON

For a Correlation Rule with an error, displays the error message, which can be one of the following.

  • Invalid query

  • Query timeout

  • Dependency correlation did not complete

  • Unknown error

  • Delayed rule—This rule is running past its scheduled time, which can cause delayed results.

  • Dataset does not exist: <name of dataset>

    Note

    Only an administrator can create and view queries built with an unknown dataset that currently does not exist in Cortex XDR.

INSERTION DATE

Date and time when the Correlation Rule was created.

LAST EXECUTION*

Date and time when the Correlation Rule was last executed. Indicates a Correlation Rule with an error by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field.

MITRE ATT&CK TACTIC*

Displays the type of MITRE ATT&CK tactic the Correlation Rule is attempting to trigger.

MITRE ATT&CK TECHNIQUE*

Displays the type of MITRE ATT&CK technique and sub-technique the Correlation rule is attempting to trigger.

MODIFICATION DATE*

Date and time when the Correlation Rule was last modified.

NAME*

Unique name that describes the rule.

RULE ID

Unique identification number for the rule.

SCHEDULE*

Displays the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule when the rule was created. The options displayed are one of the following.

  • Every 10 Minutes

  • Every 20 Minutes

  • Every 30 Minutes

  • Hourly

  • Daily

  • Displays the Time Schedule as Cron Expression fields.

SEVERITY*

Correlation Rule severity that was defined when the Correlation Rule was created. Severity levels can be Informational, Low, Medium, High, Critical, and Customized.

Whenever an alert is generated with a severity type of Medium and above based on the Correlation Rule, a new incident is automatically opened.

SOURCE*

User who created this Correlation Rule.

STATUS

Rule status: Enabled or Disabled.

SUPPRESSION DURATION*

The duration time for how long to ignore other events that match the alert suppression criteria that was configured when the rule was created. This is required to configure.

SUPPRESSION FIELDS*

The fields that the alert suppression is based on, which was configured when the rule was created. The fields listed are based on the XQL query result set for the rule. This is optional to configure.

SUPPRESSION STATUS*

Displays the Suppression Status as either Enabled or Disabled as configured when the rule was created.

TIME FRAME*

Displays the time frame for running a query, which can be up to 7 days as configured when the rule was created.

TIMEZONE

Displays the Timezone when the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule is set to run daily or using a cron expression. Otherwise, this field is left empty.

XQL SEARCH

Displays the XQL definition for the Correlation Rule that was configured in XQL Search when the rule was created.