Monitor correlation rules

Cortex XDR Pro Administrator Guide

You can monitor your correlation executions with the correlations_auditing dataset.

Cortex XDR audits all correlation executions in the correlations_auditing dataset. The dataset records the query initiation times, end times, retry attempts, failure reasons, and other useful metrics. You can use this dataset to monitor your correlation executions, and set up correlation rules to trigger alerts when correlation errors occur.

Each execution of a correlation rule adds audit entries to the correlations_auditing dataset as follows:

  • The rule starts executing. This is audited with the status of Initiated or Initiated Manually.

  • The rule completes successfully. This is audited as Completed.

  • The rule completes with errors. This is audited as Error.

In the dataset, the Query start time and Query end time fields indicate the time window of the data that the rule queried, not when the rule ran. The actual start and end times of the correlation rule execution are recorded in the _time field of the Initiated (or Initiated Manually) entry and the Completed (or Error) entry, respectively.

The following correlation rule triggers alerts when correlations fail to run:

Field               Value to specify
Rule Name           Correlation errors
XQL search          dataset = correlations_auditing | filter status = "Error"
Time Schedule
Query time frame    1 Hour
Generate alert
  Alert Name        Correlation error
                    User Defined

After setting up the correlation rule, you can set up a new forwarding configuration to send an email or Slack message when Correlation error alerts are triggered. For more information, see Configure Notification Forwarding.
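As an added example (not Cortex XDR code), the following Python script applies the same `status = "Error"` selection as the rule above to a handful of constructed correlations_auditing entries, pairs each Initiated or Initiated Manually entry with its Completed or Error entry to derive the execution time from _time (as distinct from the query window given by Query start time and Query end time), and flags runs that started but never wrote a terminal entry, which the Error rule alone cannot catch because no Error entry is ever written for them. The record layout and the snake_case field names (rule_id, rule_name, status, query_start_time, query_end_time, failure_reason, retry_attempts) are assumptions; the page only gives display labels, and the entries are constructed, not real audit data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

STARTING = {"Initiated", "Initiated Manually"}
TERMINAL = {"Completed", "Error"}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make(t, rule_id, name, status, qstart, qend, reason=None, retries=0):
    # Assumed column names; the page documents display labels only.
    return {"_time": t, "rule_id": rule_id, "rule_name": name, "status": status,
            "query_start_time": qstart, "query_end_time": qend,
            "failure_reason": reason, "retry_attempts": retries}


# Constructed audit entries: rule 101 ran once, then was run manually and never
# finished; rule 202 failed after two retries. _time is the audit timestamp
# (execution start for Initiated*, execution end for Completed/Error).
AUDIT = [
    make("2024-05-01T10:00:02Z", 101, "Suspicious PowerShell", "Initiated",
         "2024-05-01T09:00:00Z", "2024-05-01T10:00:00Z"),
    make("2024-05-01T10:00:41Z", 101, "Suspicious PowerShell", "Completed",
         "2024-05-01T09:00:00Z", "2024-05-01T10:00:00Z"),
    make("2024-05-01T10:00:03Z", 202, "Rare parent process", "Initiated",
         "2024-05-01T09:00:00Z", "2024-05-01T10:00:00Z"),
    make("2024-05-01T10:06:15Z", 202, "Rare parent process", "Error",
         "2024-05-01T09:00:00Z", "2024-05-01T10:00:00Z",
         reason="Query timed out", retries=2),
    make("2024-05-01T11:00:04Z", 101, "Suspicious PowerShell", "Initiated Manually",
         "2024-05-01T10:00:00Z", "2024-05-01T11:00:00Z"),
]


def correlation_errors(entries):
    """Same selection as the rule: dataset = correlations_auditing | filter status = "Error"."""
    return [e for e in entries if e["status"] == "Error"]


def executions(entries):
    """Pair each start entry with the next terminal entry for the same rule.

    Each run records the execution start/end taken from _time and the queried
    data window, so the two notions of time can be compared side by side.
    """
    by_rule = defaultdict(list)
    for e in sorted(entries, key=lambda e: parse_ts(e["_time"])):
        by_rule[e["rule_id"]].append(e)
    runs = []
    for rule_id, seq in by_rule.items():
        open_run = None
        for e in seq:
            if e["status"] in STARTING:
                open_run = {"rule_id": rule_id, "rule_name": e["rule_name"],
                            "start": parse_ts(e["_time"]), "end": None,
                            "status": e["status"],
                            "query_start": parse_ts(e["query_start_time"]),
                            "query_end": parse_ts(e["query_end_time"]),
                            "failure_reason": None,
                            "retry_attempts": e["retry_attempts"]}
                runs.append(open_run)
            elif e["status"] in TERMINAL and open_run is not None:
                open_run.update(end=parse_ts(e["_time"]), status=e["status"],
                                failure_reason=e["failure_reason"],
                                retry_attempts=e["retry_attempts"])
                open_run = None
    return runs


def duration_seconds(run):
    """Wall-clock execution time of a run, or None while it has no terminal entry."""
    if run["end"] is None:
        return None
    return (run["end"] - run["start"]).total_seconds()


def stalled(entries, now, max_age=timedelta(minutes=30)):
    """Runs that started more than max_age ago and never wrote Completed or Error."""
    return [r for r in executions(entries)
            if r["end"] is None and now - r["start"] > max_age]


if __name__ == "__main__":
    for e in correlation_errors(AUDIT):
        print(f"ERROR rule {e['rule_id']} ({e['rule_name']}): "
              f"{e['failure_reason']} after {e['retry_attempts']} retries")
    for r in executions(AUDIT):
        print(f"rule {r['rule_id']} {r['status']}: ran {duration_seconds(r)}s over data "
              f"{r['query_start']:%H:%M}-{r['query_end']:%H:%M}")
    for r in stalled(AUDIT, now=parse_ts("2024-05-01T12:00:00Z")):
        print(f"STALLED rule {r['rule_id']} started {r['start']:%H:%M} with no terminal entry")
```

The `stalled` check is the caveat worth keeping in mind when relying on the Error rule: a run that hangs produces only an Initiated entry, so a second rule (or a scheduled query) that looks for start entries without a matching Completed or Error entry is needed to notice it.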

The following table describes the fields in the correlations_auditing dataset:

Field                     Description

Timestamp                 Timestamp of the audit. For entries with an Initiated or Initiated Manually status, this is the start time of the correlation rule execution. For entries with a Completed or Error status, this is the end time of the rule execution.

Audit entry ID            Unique identifier of the audit entry.

Rule ID                   Unique identification number for the correlation rule.

Rule name                 Correlation rule name.

Status                    The status of the correlation rule query. Possible values are Initiated, Initiated Manually, Completed, and Error.

Query start time          The start time of the query timeframe.

Query end time            The end time of the query timeframe.

Time frame                Time frame for the query.

Failure reason            For correlation rules with errors, this field displays the error message.

Retry attempts            Number of retry attempts before the query initiated or failed to run.

Frequency                 Scheduled frequency to execute the correlation rule.

Rule creation time        Date and time that the correlation rule was created.

Rule modification time    Date and time that the correlation rule was last modified.

Description               Description of the correlation rule.

Severity                  Defined severity of the correlation rule.

Target dataset            Target data set, as defined in the correlation rule.

Suppression status        Whether alert suppression is Enabled or Disabled.

Suppression duration      Duration for which to ignore additional events that match the alert suppression criteria.

Suppression fields        Fields on which the alert suppression is based.

Timezone                  Timezone on which the scheduled frequency is based.

MITRE ATT&CK Tactic       MITRE ATT&CK tactic that the correlation rule attempted to trigger.

MITRE ATT&CK Technique    MITRE ATT&CK technique that the correlation rule attempted to trigger.

Alert category            Category of alert as configured when creating the rule.

Source                    Source of the correlation rule.

XQL search                XQL query for the correlation rule.

Drill-down query          XQL query configured for further investigation.

Alert name                Name of the alert that the correlation rule will trigger.