Monitor correlation rules

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-02-26
Last date published: 2024-04-21
Category: Administrator Guide

Abstract: You can monitor your correlation executions with the correlations_auditing dataset.

Cortex XDR audits all correlation executions in the correlations_auditing dataset. The dataset records the query initiation times, end times, retry attempts, failure reasons, and other useful metrics. You can use this dataset to monitor your correlation executions, and set up correlation rules to trigger alerts when correlation errors occur.

In the correlations_auditing dataset, audit entries are added as follows:

  • The rule starts executing. This is audited with the status of Initiated or Initiated Manually.

  • The rule completes successfully. This is audited as Completed.

  • The rule completes with errors. This is audited as Error.

Note

In the dataset, the Query start time and Query end time indicate the timeframe of the data that was queried. The actual start and end times of the correlation rule execution are recorded in the _time field for the Initiated and Completed entries.

The following correlation rule triggers alerts when correlations fail to run (field, then the value to specify):

  • Rule Name: Correlation errors

  • XQL: dataset = correlations_auditing | filter status = "Error"

  • Time Schedule: Hourly

  • Query time frame: 1 Hour

  • Action: Generate alert

  • Alert Name: Correlation error

  • Severity: Medium

  • Category: User Defined

After setting up the correlation rule, you can set up a new forwarding configuration to send an email or Slack message when Correlation error alerts are triggered. For more information, see Configure Notification Forwarding.

The following list describes the fields in the correlations_auditing dataset (field, then its description):

  • _time: Timestamp of the audit. For entries with an Initiated or Initiated Manually status, this is the start time of the correlation rule execution. For entries with a Completed or Error status, this is the end time of the rule execution.

  • _id: Unique identifier of the audit entry.

  • Rule ID: Unique identification number for the correlation rule.

  • Name: Correlation rule name.

  • Status: The status of the correlation rule query. Possible values are Initiated, Initiated Manually, Completed, and Error.

  • Query start time: The start time of the query timeframe.

  • Query end time: The end time of the query timeframe.

  • Time frame: Time frame for the query.

  • Failure reason: For correlation rules with errors, this field displays the error message.

  • Retry attempts: Number of retry attempts before the query initiated or failed to run.

  • Schedule: Scheduled frequency to execute the correlation rule.

  • Rule creation time: Date and time that the correlation rule was created.

  • Rule modification time: Date and time that the correlation rule was last modified.

  • Description: Description of the correlation rule.

  • Severity: Defined severity of the correlation rule.

  • Dataset: Target data set, as defined in the correlation rule.

  • Suppression status: Whether alert suppression is Enabled or Disabled.

  • Suppression duration: Duration for which to ignore additional events that match the alert suppression criteria.

  • Suppression fields: Fields on which the alert suppression is based.

  • Timezone: Timezone on which the scheduled frequency is based.

  • MITRE ATT&CK Tactic: MITRE ATT&CK tactic that the correlation rule attempted to trigger.

  • MITRE ATT&CK Technique: MITRE ATT&CK technique that the correlation rule attempted to trigger.

  • Alert category: Category of alert as configured when creating the rule.

  • Source: Source of the correlation rule.

  • XQL search: XQL query for the correlation rule.

  • Drill-down query: XQL query configured for further investigation.

  • Alert name: Name of the alert that the correlation rule will trigger.
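The following Python script is an added example, not code from the Cortex XDR product or this guide. It works offline on a constructed sample of correlations_auditing entries (field names follow the table above, written in snake_case; the values, rule IDs and failure reason are made up) and shows two things: the same check as the "Correlation errors" rule above (status equal to Error), and how the _time field of the Initiated and Completed/Error entries gives the real execution duration, as the note explains. The third function, unfinished_runs, goes beyond the page's rule: it flags a rule whose Initiated entry has no later Completed or Error entry within an assumed maximum run time, which is a useful companion check when you export the dataset for offline review.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of correlations_auditing entries (not real tenant data).
# Field names mirror the dataset table; rule IDs, names and the failure
# reason are placeholders made up for this example.
SAMPLE_AUDIT = [
    {"_time": "2024-04-21T10:00:00Z", "rule_id": 101, "name": "Rule A",
     "status": "Initiated", "retry_attempts": 0, "failure_reason": ""},
    {"_time": "2024-04-21T10:00:42Z", "rule_id": 101, "name": "Rule A",
     "status": "Completed", "retry_attempts": 0, "failure_reason": ""},
    {"_time": "2024-04-21T10:00:00Z", "rule_id": 202, "name": "Rule B",
     "status": "Initiated", "retry_attempts": 2, "failure_reason": ""},
    {"_time": "2024-04-21T10:03:10Z", "rule_id": 202, "name": "Rule B",
     "status": "Error", "retry_attempts": 2,
     "failure_reason": "PLACEHOLDER: query did not finish"},
    {"_time": "2024-04-21T10:00:05Z", "rule_id": 303, "name": "Rule C",
     "status": "Initiated Manually", "retry_attempts": 0, "failure_reason": ""},
]

# Status values as listed in the dataset description.
START_STATUSES = {"Initiated", "Initiated Manually"}
END_STATUSES = {"Completed", "Error"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlation_errors(entries):
    """Offline equivalent of the rule's XQL:
    dataset = correlations_auditing | filter status = "Error"."""
    return [e for e in entries if e["status"] == "Error"]


def execution_durations(entries):
    """Map rule_id -> execution time in seconds.

    Per the note in the guide, _time on the Initiated entry is the real start
    and _time on the Completed/Error entry is the real end; the Query start
    time and Query end time fields describe the queried data window instead.
    """
    starts, durations = {}, {}
    for e in sorted(entries, key=lambda e: parse_time(e["_time"])):
        rid = e["rule_id"]
        if e["status"] in START_STATUSES:
            starts[rid] = parse_time(e["_time"])
        elif e["status"] in END_STATUSES and rid in starts:
            durations[rid] = (parse_time(e["_time"]) - starts.pop(rid)).total_seconds()
    return durations


def unfinished_runs(entries, now, max_runtime):
    """Rule IDs with an Initiated entry but no Completed/Error entry after it,
    older than max_runtime. This is an assumed extension of the page's rule:
    the guide itself only alerts on entries whose status is Error."""
    open_runs = {}
    for e in sorted(entries, key=lambda e: parse_time(e["_time"])):
        rid = e["rule_id"]
        if e["status"] in START_STATUSES:
            open_runs[rid] = parse_time(e["_time"])
        elif e["status"] in END_STATUSES:
            open_runs.pop(rid, None)
    return sorted(rid for rid, started in open_runs.items()
                  if now - started > max_runtime)


if __name__ == "__main__":
    for e in correlation_errors(SAMPLE_AUDIT):
        print(f"ERROR rule {e['rule_id']} ({e['name']}): "
              f"{e['failure_reason']} after {e['retry_attempts']} retries")
    for rid, secs in execution_durations(SAMPLE_AUDIT).items():
        print(f"rule {rid} ran for {secs:.0f}s")
    now = parse_time("2024-04-21T11:00:00Z")
    print("still running past 15 min:",
          unfinished_runs(SAMPLE_AUDIT, now, timedelta(minutes=15)))
```

In the hosted rule, the hourly schedule with a one-hour query time frame keeps the Error check continuous; the offline functions are for reviewing an exported slice of the dataset, for example to tune the maximum run time before turning the unfinished-run check into a second correlation rule.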