Investigate contributing events

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

You can investigate the events created by an issue.

When investigating an issue generated by a correlation rule, you can view all of the events created for the issue. You can have up to 1000 events per correlation rule.

In addition, if the correlation rule includes a drilldown query you can run the query in the Query Builder. The drilldown query provides additional information about an issue for further investigation.

How to investigate contributing events
  1. From the Issues table, locate an issue created by a correlation rule.

  2. Right-click the row, and select Manage Issue > Investigate Contributing Events.

  3. (Optional) Open the drilldown query, if available.

    Right-click the row and select Manage Issue > Open Drilldown Query.

    The drilldown query can accept parameters from the issue output of the correlation rule. In addition, the drilldown query runs over the issue time frame, which provides more details about the issue generated by the correlation rule. The time frame spans the minimum and maximum timestamps of the events contributing to the issue. If there is only one event, that event's timestamp is the time frame used for the query.