Create a Correlation Rule - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide


Create new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search.


Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

You can create a new Correlation Rule from either the Correlation Rules page or when building a query in XQL Search.

When setting up Correlation Rules, you have the following capabilities.

  • Define when the Correlation Rule runs.

  • Define whether alerts generated by the Correlation Rule are suppressed by a duration time and field.

  • Set the resulting action for the Correlation Rule as either to generate an alert or save the data to a dataset.

    • When generating an alert, you can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert domain, Alert Severity, MITRE Attack Tactics and Techniques, and other alert settings.

    • When saving the data to a dataset, you can test and fine-tune new rules before initiating alerts and applying correlation of correlation use cases.


To ensure your Correlation rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables Correlation rules that reach 5000 or more hits over a 24-hour period.

How to create a correlation rule
  1. Open the New Correlation Rule editor.

    You can do this in two ways.

    • From the Correlation Rules page.

      1. Select Detection Rules → Correlations.

      2. Select +Add Correlation.

    • From XQL Search.

      1. Select Incident Response → Investigation → Query Builder → XQL Search.

      2. In the XQL query field, define the parameters for your Correlation Rule.

      3. Select Save as → Correlation Rule.

        The New Correlation Rule editor is displayed where the XQL Search section is populated with the query you already set in the XQL query field.

  2. Configure the General settings.

    • Specify a descriptive Name to identify the Correlation Rule.

    • (Optional) Specify a Description for the Correlation Rule.

  3. Use XQL to define the Correlation Rule in the XQL Search field.

    Define the Correlation Rule in the XQL Search field. After writing at least one line in XQL, you can Open full query mode to display the query in XQL Search. You can Test the XQL definition for the rule whenever you want.


    • When you open the New Correlation Rule editor from XQL Search, this XQL Search field is already populated with the XQL query that you defined.

    • An administrator can create and view queries built with an unknown dataset that currently does not exist in Cortex XDR. All other users can only create and view queries built with an existing dataset.

    When you finish writing the XQL for the Correlation Rule definition, select Continue editing rule to bring you back to the New Correlation Rule editor, and the complete query you set is added to the XQL Search field.


    • The XQL features for transaction, call, top, and wildcards in datasets (dataset in (<dataset prefix>_*)) are not currently supported in Correlation Rules. If you add them to the XQL definition, you will not be able to Create or Save the Correlation Rule.

    • Using the current_time() function in your XQL query for a correlation rule can yield unexpected results when there are lags or during downtime. This happens if the correlation rule doesn’t run exactly at the time of the data inside the time frame, for example when a rule is dependent on another rule, or when a rule is stuck due to an error and then runs in recovery mode. Instead, we recommend using the time_frame_end() function, which returns the timestamp at the end of the time frame in which the rule is executed.

  4. Configure the Timing settings.

    • Time Schedule—Select the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule as one of the following.

      • Every 10 Minutes—Runs every rounded 10 minutes at preset 10 minute intervals from the beginning of the hour, such as 10:10 AM, 10:20 AM, and 10:30 AM.

      • Every 20 Minutes—Runs every rounded 20 minutes at preset 20 minute intervals from the beginning of the hour, such as 10:20 AM, 10:40 AM, and 11:00 AM.

      • Every 30 Minutes—Runs every rounded 30 minutes at preset 30 minute intervals from the beginning of the hour, such as 10:30 AM, 11:00 AM, and 11:30 AM.

      • Hourly — Runs at the beginning of the hour, such as 1:00 AM or 2:00 AM.

      • Daily— Runs at midnight, where you can set a particular Timezone.

      • Custom— Displays the Time Schedule as Cron Expression fields, where you can set the cron expression in each time field to define the schedule frequency for running the XQL Search. The minimum query frequency is every 10 minutes and is already configured. You can also set a particular Timezone.

      By default, the query is set to run once an hour (1 Hour/s).

    • Timezone—(Optional) You can only set the Timezone when the Time Schedule is set to Daily or Custom. Otherwise, the option is disabled.

    • Query time frame—Set the time frame for running a query, which can be up to 7 days. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s.

  5. (Optional) Configure Alert Suppression settings.

    Define whether the alerts generated by the Correlation Rule are suppressed by a duration time, field, or both.

    • Enable alert suppression—Select this checkbox to Enable alert suppression. By default, this checkbox is clear and the alerts of the Correlation Rule are configured to not be suppressed.

    • Duration time—Set the Duration time for how long to ignore other events that match the alert suppression criteria, which are based on the Fields listed. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s. By default, the generated alerts are configured to be suppressed by 1 hour (1 Hour/s). The Duration time can be configured for a maximum of 1 day.

    • Fields—(Optional) Select the fields that the alert suppression is based on. The fields listed are based on the XQL query result set. You can perform the following.

      • Select multiple fields from the list.

      • Select all to configure all the fields for suppression. This means that all the fields must match for the alerts to be suppressed. This option will generate multiple alerts during the suppression period.

      • Search for a particular field, which narrows the available options as you begin typing.

      • Do not set any Fields by leaving the field empty. In this case, only 1 alert is generated during the suppression period.

  6. Configure the resulting Action for the Correlation Rule.

    1. You can select either of the following resulting actions to occur, where the configuration settings change depending on your selection.

      • Generate alert—Generates a Correlation type of alert according to the configured settings in the New Correlation Rule editor (default). When this option is selected a number of new sections are opened to configure the alert.

      • Save to dataset (only for Scheduled Correlation Rules)—Saves the data generated from the Correlation Rule to a separate Target Dataset. This option is helpful when you are fine-tuning and testing a rule before promoting the rule to production. You can also save a rule to a dataset as a building block for the next Correlation Rule, which will be based on the results of the first Correlation Rule instead of building overly complex XQL queries.

        You can either create a new Target Dataset by specifying the name for the dataset in the field or select a preexisting Target Dataset that was created for a different Correlation Rule. The list only displays the datasets configured when creating a Correlation Rule. Different Correlation Rules can be saved to the same dataset and Cortex XDR will expand the dataset schema as needed. The dataset you configure for the Correlation Rule contains the following additional fields.

        • _rule_id

        • _rule_name

        • _insert_time

      When you are finished configuring the Target Dataset, you can now either Create the Correlation Rule or Save for later.

    2. If you selected Generate alert, configure the Alert Settings.

      • Alert Name—Specify a name. You can incorporate a variable based on a query output field in the format $fieldName.

      • Severity—Select the severity type whenever an alert is generated for this Correlation Rule as one of the following.

        • Informational

        • Low

        • Medium

        • High

        • Critical

        • User Defined—Select fields from inside the query.


        Whenever the severity type is Medium or above for the alert generated, an incident is automatically opened.

      • Category—Select the type of alert that is generated, which can be any of the following.

        • Collection

        • Credential Access

        • Dropper

        • Evasion

        • Execution

        • Evasive

        • Exfiltration

        • File Privilege Manipulation

        • File Type Obfuscation

        • Infiltration

        • Lateral Movement

        • Persistence

        • Privilege Escalation

        • Reconnaissance

        • Tampering

        • Other

        • User Defined—Select fields from inside the query.

      • Alert Description—(Optional) Specify a description of the behavior that will raise the alert. You can include dollar signs ($), which represent the field names (i.e. output columns) in XQL Search.

        For example.

        The user $user_name has made $count failed login requests to $dest in a 24 hours period


        The user lab_admin has made 234 failed login requests to in a 24 hours period


        There is no validation or auto complete for these parameters and the values can be null or empty. In these scenarios, Cortex XDR does not display the null or empty values, but adds the text NULL or EMPTY in the descriptions.

      • Drill-Down Query—(Optional) You can configure a Drill-Down Query for additional information about the alert for further investigation using XQL. This XQL query can accept parameters from the alert output for the Correlation Rule. Yet, keep in mind that when you create the Correlation Rule, Cortex XDR does not know in advance if the parameters exist or contain the correct values. As a result, Cortex XDR enables you to save the query, but the query can fail when you try and run it. You can also refer to field names using dollar signs ($) as explained in the Alert Description.

        Once configured, any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you investigate a contributing event, and a quick action Open Drilldown Query icon that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drill-Down Query, no right-click pivot menu option, link, or icon is displayed.

      • Drill-Down Query Time Frame—Select the time frame used to run the Drill-Down Query from one of the following options, which provides more informative details about the alert generated by the Correlation Rule.

        • Generated Alert—Uses the time frame of the alert that is triggered, which is the first event and last event timestamps for the alert (default option). If there is only one event, the event timestamp is the time frame used for the query.

        • XQL Search—Uses the time frame from when the Correlation Rule was run in XQL Search.

      • MITRE ATT&CK—(Optional) Select the MITRE Tactics and MITRE Techniques you want to associate with the alert using the MITRE ATT&CK matrix.

        1. You can access the matrix by selecting the MITRE ATT&CK bar or Open complete MITRE matrix link underneath the bar on the right.

        2. Select the MITRE Tactics listed in the first row of the matrix and the applicable MITRE techniques and Sub-Techniques, which are listed in the other rows in the table. You can select either MITRE Tactics only, MITRE techniques and Sub-Techniques only, or a combination of both.

        3. Click Select and the matrix window closes and the MITRE ATT&CK section in the New Correlation Rule editor lists the number of Tactics and Techniques configured, which is also listed in the bar. For example, in the following image, there are 3 Tactics and 4 Techniques configured. The three MITRE Tactics are Resource Development with 2 Techniques configured, Credential Access with 1 Technique configured, and Discovery with 1 Technique configured.

    3. (Optional) Configure the Alerts Fields Mappings.

      You can map the alert fields so that the mapped fields are displayed in the Alerts page to provide important information in analyzing your alerts. In addition, mapping the fields helps to improve incident grouping logic and enables Cortex XDR to list the artifacts and assets based on the map fields in the incident. The options available can change depending on your Correlation Rule definitions in XQL Search. There are two ways to map the alert fields.

      • Use the preconfigured Cortex XDR alert field mapping—Select this option if you want Cortex XDR to automatically map the fields for you. This checkbox only displays when your Correlation Rule can be configured to use Cortex XDR incident enrichment and then it is set as the default option. We recommend using this option whenever it is available to you.

      • Manually map the alert fields by selecting the fields that you want to map. When you create the Correlation Rule, Cortex XDR does not know whether the alert fields that you mapped manually are valid. If the fields are invalid according to your mapping, null values are assigned to those fields.


        In a case where Use the Cortex XDR default incident enrichment is not selected and you have not mapped any alert fields, the alert is dispatched into a new incident.

  7. (Optional) Disable the Correlation Rule.

    Select Disable → Create if you want to finish configuring your Correlation Rule at a different time, but do not want to lose your settings. The Create button is only enabled when you have configured all the mandatory fields in the New Correlation Rule editor. Once configured, your Correlation Rule is listed in the Correlation Rules page, but is disabled. You can edit or enable the rule at any time by right-clicking the rule and selecting Edit Rule or Enable.

  8. Create the Correlation Rule.

    The rule is added to the table in the Correlation Rules page as an active rule and a notification is displayed.

  9. Manage a Correlation Rule, as needed.

    At any time, you can return to the Correlation Rules page to view and manage your Correlation Rules. To manage a Correlation Rule, right-click the Correlation Rule and select the desired action.

    You can also monitor your correlation rule executions with the correlations_auditing data set. For more information, see Monitor correlation rules.
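
One way to compare the Alert Suppression choices from step 5 before switching a rule from Save to dataset to Generate alert, as an added example that is not Cortex XDR code: it replays rows exported from the rule's Target Dataset and counts the alerts each Fields selection would raise. The sample rows, the `user_name` and `dest` columns, and the model of a fixed window that starts at the alert which opened it are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows, shaped like results kept with "Save to dataset".
# The user_name/dest columns and all values are invented for this example.
HITS = [
    {"_insert_time": "2024-05-01T10:00:00", "user_name": "lab_admin", "dest": "srv-a"},
    {"_insert_time": "2024-05-01T10:10:00", "user_name": "lab_admin", "dest": "srv-a"},
    {"_insert_time": "2024-05-01T10:20:00", "user_name": "lab_admin", "dest": "srv-b"},
    {"_insert_time": "2024-05-01T10:30:00", "user_name": "svc_backup", "dest": "srv-a"},
    {"_insert_time": "2024-05-01T11:05:00", "user_name": "lab_admin", "dest": "srv-a"},
    {"_insert_time": "2024-05-01T11:15:00", "user_name": "svc_backup", "dest": "srv-a"},
]

MAX_DURATION = timedelta(days=1)  # the guide caps Duration time at 1 day


def simulate_alerts(hits, duration=timedelta(hours=1), fields=()):
    """Return the hits that would raise an alert under the assumed model.

    Assumption: an alert opens a fixed window of length `duration` for its
    suppression key; later hits with the same key inside it raise nothing.
    fields=() models an empty Fields box: all hits share one key.
    """
    if duration > MAX_DURATION:
        raise ValueError("Duration time cannot exceed 1 day")
    window_end = {}  # suppression key -> end of its open window
    alerts = []
    for hit in sorted(hits, key=lambda h: datetime.fromisoformat(h["_insert_time"])):
        ts = datetime.fromisoformat(hit["_insert_time"])
        key = tuple(hit.get(f) for f in fields)
        if key in window_end and ts < window_end[key]:
            continue  # matching hit inside an open window: suppressed
        window_end[key] = ts + duration
        alerts.append(hit)
    return alerts


def compare(hits, duration=timedelta(hours=1)):
    """Alert counts for each suppression choice offered in the rule editor."""
    all_fields = tuple(k for k in hits[0] if not k.startswith("_"))  # "Select all"
    choices = {"Fields empty": (), "user_name": ("user_name",), "Select all": all_fields}
    counts = {name: len(simulate_alerts(hits, duration, f)) for name, f in choices.items()}
    counts["suppression disabled"] = len(hits)
    return counts


if __name__ == "__main__":
    for choice, n in compare(HITS).items():
        print(f"{choice:22} {n} alert(s)")
```

The more fields the suppression key includes, the more distinct keys exist and the more alerts get through, which is why Select all produces the most alerts of the suppressed options.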