Create a Correlation Rule - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-09-09
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSIAM/Cortex-XSIAM-Documentation
Abstract

Create new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search.

Notice

There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

You can create a new Correlation Rule from either the Correlation Rules page or when building a query in XQL Search.

When setting up Correlation Rules, you have the following capabilities:

  • Specify whether the Correlation Rule is Scheduled or runs in Real Time, scanning the data as it is ingested.

  • Define when the Correlation Rule runs.

  • Define whether alerts generated by the Correlation Rule are suppressed by a duration time and field.

  • Set the resulting action for the Correlation Rule, which includes any of the following:

    • Generate an alert: You can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert domain, Alert Severity, MITRE ATT&CK Tactics and Techniques, and other alert settings.

    • Save data to a dataset: Use this option to test and fine-tune new rules before they start raising alerts, and for correlation-of-correlation use cases (rules that query the output of other rules).

    • Add data to a lookup dataset

    • Remove data from a lookup dataset

Note

  • When creating a Real Time Correlation Rule, you can only generate an alert as the resulting action for the Correlation Rule. All other options are disabled.

  • To ensure your Correlation rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XSIAM automatically disables Correlation rules that reach 5000 or more hits over a 24-hour period.

How to create a correlation rule
  1. Open the New Correlation Rule editor.

    You can do this in two ways:

    • From the Correlation Rules page.

      1. Select Detection & Threat Intel → Detection Rules → Correlations.

      2. Select +Add Correlation.

    • From XQL Search.

      1. Select Incident Response → Investigation → Query Builder → XQL Search.

      2. In the XQL query field, define the parameters for your Correlation Rule.

      3. Select Save as → Correlation Rule.

        The New Correlation Rule editor is displayed where the XQL Search section is populated with the query you already set in the XQL query field.

  2. Configure the General settings.

    • Specify a descriptive Name to identify the Correlation Rule.

    • (Optional) Specify a Description for the Correlation Rule.

  3. Use XQL to define the Correlation Rule in the XQL Search field.

    After writing at least one line of XQL, you can Open full query mode to display the query in XQL Search. You can Test the XQL definition for the rule at any time.

    Note

    • When you open the New Correlation Rule editor from XQL Search, this XQL Search field is already populated with the XQL query that you defined.

    • An administrator can create and view queries built on an unknown dataset that does not yet exist in Cortex XSIAM. All other users can only create and view queries built on an existing dataset.

    When you finish writing the XQL for the Correlation Rule definition, select Continue editing rule to return to the New Correlation Rule editor; the complete query you set is added to the XQL Search field.

    Note

    • The XQL features for call, top, and wildcards in datasets (dataset in (<dataset prefix>_*)) are currently not supported in Correlation Rules. If you add them to the XQL definition, you will not be able to Create or Save the Correlation Rule.

    • The XQL features for transaction in datasets (dataset in (<dataset prefix>_*)) are currently not supported in Real Time correlation rules.

    • Using the current_time() function in your XQL query for a correlation rule can yield unexpected results when there are lags or during downtime. This happens if the correlation rule doesn’t run exactly at the time of the data inside the timeframe, for example when a rule is dependent on another rule, or when a rule is stuck due to an error, and then runs in recovery mode. Instead, we recommend using the time_frame_end() function, which returns the timestamp at the end of the time frame in which the rule is executed.
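    The note above explains why current_time() misbehaves when a scheduled run is late. The following Python simulation is an added example (not code from the guide or from Cortex XSIAM) that makes the failure mode concrete. It assumes a hypothetical hourly rule whose scheduled frame is 10:00-11:00, a constructed set of event timestamps, and a 30-minute lookback computed inside the query relative to either the wall clock (current_time) or the scheduled frame end (time_frame_end); how the platform supplies the data window is modelled here, not quoted from the product.

```python
from datetime import datetime, timedelta

# Constructed sample event timestamps for a hypothetical dataset (not from the page).
EVENTS = [
    datetime(2024, 5, 6, 10, 3),
    datetime(2024, 5, 6, 10, 17),
    datetime(2024, 5, 6, 10, 41),
    datetime(2024, 5, 6, 10, 58),
    datetime(2024, 5, 6, 11, 12),   # arrives after the scheduled frame ended
]

SCHEDULED_END = datetime(2024, 5, 6, 11, 0)   # hourly rule; this run covers 10:00-11:00
QUERY_TIME_FRAME = timedelta(hours=1)         # the rule's "Query time frame" setting
LOOKBACK = timedelta(minutes=30)              # narrower window applied inside the query


def run_rule(delay_minutes, anchor):
    """Simulate one scheduled execution that starts delay_minutes late
    (for example, a run in recovery mode after an error).

    Modelling assumption: the platform hands the query only the data inside the
    scheduled frame [SCHEDULED_END - QUERY_TIME_FRAME, SCHEDULED_END). Inside the
    query, the 30-minute lookback is computed relative to:
      anchor="current_time"   -> the wall clock when the rule actually ran
      anchor="time_frame_end" -> the end of the scheduled frame
    Returns the HH:MM of the events the query keeps.
    """
    executed_at = SCHEDULED_END + timedelta(minutes=delay_minutes)
    frame_start = SCHEDULED_END - QUERY_TIME_FRAME
    in_frame = [t for t in EVENTS if frame_start <= t < SCHEDULED_END]
    if anchor == "current_time":
        cutoff = executed_at - LOOKBACK        # drifts forward with the delay
    elif anchor == "time_frame_end":
        cutoff = SCHEDULED_END - LOOKBACK      # fixed by the schedule
    else:
        raise ValueError(f"unknown anchor: {anchor}")
    return [t.strftime("%H:%M") for t in in_frame if t >= cutoff]


if __name__ == "__main__":
    for delay in (0, 20, 35):
        print(delay, run_rule(delay, "current_time"), run_rule(delay, "time_frame_end"))
```

    When the run is on time both anchors agree. A 20-minute delay makes the current_time() version silently drop the 10:41 event, and a 35-minute delay moves its cutoff past the end of the scheduled frame, so the rule matches nothing at all; the time_frame_end() version keeps the same two events regardless of delay.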

  4. Select to run the Correlation Rule in Real Time or Scheduled.

    • Real Time Correlation Rules scan the data as it’s ingested.

    • You can run Real Time Correlation Rules on Cortex XSIAM alerts, Cloud audit logs, third-party datasets, and Data Models.

    • When you start typing a Correlation Rule, Cortex XSIAM can detect that the query can be run in Real Time and recommend that you select Real Time.

    • Real Time Correlation Rules only support the following XQL stages: dataset, datamodel, filter, alter, fields, and config case_sensitive. A Real Time Correlation Rule must include an XQL filter stage. For more information on these XQL stages, see the Cortex XSIAM XQL Language Reference Guide.

    • The following XQL functions are not supported in a Real Time Correlation Rule: json_extract_scalar_array, parse_epoch, and time_frame_end.
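    Because an unsupported stage or function blocks Create or Save, it is useful to pre-check a query before pasting it into the editor. The following Python checker is an added example (not code from the guide or from Cortex XSIAM): it encodes the restrictions stated in step 3 (call, top, and wildcard datasets are not supported; transaction is not supported in Real Time) and in step 4 (the Real Time stage and function lists). The stage splitter is a simplified parser written for this example, and the sample queries are constructed to exercise the checks rather than to be working rules.

```python
import re

# Restrictions as this guide states them. The lists are the page's; the checker is added.
REAL_TIME_STAGES = {"dataset", "datamodel", "filter", "alter", "fields", "config"}
REAL_TIME_UNSUPPORTED_FUNCS = {"json_extract_scalar_array", "parse_epoch", "time_frame_end"}
UNSUPPORTED_STAGES_ALL = {"call", "top"}         # blocked in every correlation rule
UNSUPPORTED_STAGES_REAL_TIME = {"transaction"}   # blocked in Real Time rules
WILDCARD_DATASET = re.compile(r"\bdataset\s+in\s*\([^)]*\*[^)]*\)", re.IGNORECASE)


def split_stages(xql):
    """Split an XQL query on top-level pipes, ignoring pipes inside quotes or parentheses."""
    stages, buf, depth, quote = [], [], 0, None
    for ch in xql:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            buf.append(ch)
        elif ch == "|" and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
        else:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth = max(0, depth - 1)
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def check_correlation_query(xql, real_time):
    """Return (code, detail) tuples for everything that would block Create/Save; [] means OK."""
    problems = []
    stages = split_stages(xql)
    names = [s.split(None, 1)[0].lower() for s in stages]
    for n in names:
        if n in UNSUPPORTED_STAGES_ALL:
            problems.append(("unsupported_stage", n))
    wildcard = WILDCARD_DATASET.search(xql)
    if wildcard:
        problems.append(("wildcard_dataset", wildcard.group(0)))
    if real_time:
        for stage, n in zip(stages, names):
            if n in UNSUPPORTED_STAGES_ALL:
                continue  # already reported above
            if n in UNSUPPORTED_STAGES_REAL_TIME or n not in REAL_TIME_STAGES:
                problems.append(("real_time_stage", n))
            elif n == "config" and not re.match(r"config\s+case_sensitive\b", stage, re.IGNORECASE):
                problems.append(("real_time_config", stage))
        if "filter" not in names:
            problems.append(("real_time_missing_filter", ""))
        for fn in sorted(REAL_TIME_UNSUPPORTED_FUNCS):
            if re.search(rf"\b{fn}\s*\(", xql):
                problems.append(("real_time_function", fn))
    return problems


# Constructed sample queries (illustrative input for the checker, not rules from the page).
RT_OK = """dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
| alter cmd = lowercase(action_process_image_command_line)
| fields agent_hostname, cmd"""

RT_BAD = """dataset = xdr_data
| alter ts = parse_epoch(_time)
| comp count() by agent_hostname"""

SCHED_OK = """dataset = xdr_data
| filter event_type = ENUM.PROCESS
| comp count() as hits by agent_hostname
| filter hits > 100"""

SCHED_BAD = """dataset in (xdr_*)
| filter event_type = ENUM.PROCESS
| top 10 by _time"""

if __name__ == "__main__":
    for label, q, rt in (("RT_OK", RT_OK, True), ("RT_BAD", RT_BAD, True),
                         ("SCHED_OK", SCHED_OK, False), ("SCHED_BAD", SCHED_BAD, False)):
        print(label, check_correlation_query(q, rt))
```

    The same query can pass as Scheduled and fail as Real Time (SCHED_OK uses comp, which is fine for a Scheduled rule but is not a Real Time stage), which is why the checker takes the rule type as an argument.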

  5. If the Correlation Rule is Scheduled, configure the Timing settings.

    • Time Schedule: Select the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule as one of the following.

      • Every 10 Minutes: Runs at preset 10-minute intervals counted from the beginning of the hour, such as 10:10 AM, 10:20 AM, and 10:30 AM.

      • Every 20 Minutes: Runs at preset 20-minute intervals counted from the beginning of the hour, such as 10:20 AM, 10:40 AM, and 11:00 AM.

      • Every 30 Minutes: Runs at preset 30-minute intervals counted from the beginning of the hour, such as 10:30 AM, 11:00 AM, and 11:30 AM.

      • Hourly: Runs at the beginning of the hour, such as 1:00 AM or 2:00 AM.

      • Daily: Runs at midnight, where you can set a particular Timezone.

      • Custom: Displays the Time Schedule as Cron Expression fields, where you can set the cron expression in each time field to define the schedule frequency for running the XQL Search. The minimum query frequency is every 10 minutes and is already configured. You can also set a particular Timezone.

      By default, the query is set to run once an hour (1 Hour/s).

    • Timezone (Optional): You can only set the Timezone when the Time Schedule is set to Daily or Custom. Otherwise, the option is disabled.

    • Query time frame: Set the time frame for running a query, which can be up to 7 days. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s.

  6. (Optional) Configure Alert Suppression settings.

    Define whether the alerts generated by the Correlation Rule are suppressed by a duration time, field, or both.

    • Enable alert suppression: Select this checkbox to enable alert suppression. By default, the checkbox is cleared and the alerts of the Correlation Rule are not suppressed.

    • Duration time: Set the Duration time for how long to ignore other events that match the alert suppression criteria, which are based on the Fields listed. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s. By default, the generated alerts are configured to be suppressed by 1 hour (1 Hour/s). The Duration time can be configured for a maximum of 1 day.

    • Fields (Optional): Select the fields that the alert suppression is based on. The fields listed are taken from the XQL query result set. You can do any of the following:

      • Select multiple fields from the list.

      • Select all to configure all the fields for suppression. This means that all the fields must match for the alerts to be suppressed. This option will generate multiple alerts during the suppression period.

      • Search for a particular field, which narrows the available options as you begin typing.

      • Leave Fields empty. When no fields are set, only one alert is generated during the suppression period.
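    The effect of the Duration time and Fields settings is easiest to see on a replay of rule hits. The following Python model is an added example (not code from the guide or from Cortex XSIAM) that applies the suppression semantics described above to a constructed set of hits: with fields selected, a hit is suppressed when an alert with the same values for every selected field was raised within the duration; with no fields, only one alert is raised per window. The sample hits, the field names host and user, and the choice to anchor each window at the alert that opened it are assumptions of this example.

```python
from datetime import datetime, timedelta

MAX_DURATION = timedelta(days=1)   # the editor caps Duration time at 1 day

# Constructed sample hits from one rule's result set (not from the page).
SAMPLE_HITS = [
    {"time": datetime(2024, 5, 6, 10, 0),  "host": "host-a", "user": "user1"},
    {"time": datetime(2024, 5, 6, 10, 20), "host": "host-a", "user": "user1"},
    {"time": datetime(2024, 5, 6, 10, 30), "host": "host-b", "user": "user1"},
    {"time": datetime(2024, 5, 6, 11, 10), "host": "host-a", "user": "user1"},
    {"time": datetime(2024, 5, 6, 11, 15), "host": "host-b", "user": "user2"},
]


def suppress_alerts(hits, duration, fields=()):
    """Replay hits in time order and return the ones that become alerts.

    Modelling assumption: a suppression window opens at the time of the alert
    that raised it and lasts `duration`; hits whose selected field values match
    an open window are dropped. With no fields, the key is () and every hit
    shares one window, so only one alert is raised per duration.
    """
    if not timedelta(0) < duration <= MAX_DURATION:
        raise ValueError("Duration time must be positive and at most 1 day")
    window_opened = {}   # suppression key -> time the current window opened
    alerts = []
    for hit in sorted(hits, key=lambda h: h["time"]):
        key = tuple(hit.get(f) for f in fields)
        opened = window_opened.get(key)
        if opened is not None and hit["time"] - opened < duration:
            continue                      # matches an open window: suppressed
        window_opened[key] = hit["time"]  # raise the alert and open a new window
        alerts.append(hit)
    return alerts


def simulate(fields, hours=1):
    """Run the sample hits through suppression and return alert times as HH:MM."""
    alerts = suppress_alerts(SAMPLE_HITS, timedelta(hours=hours), fields)
    return [a["time"].strftime("%H:%M") for a in alerts]


if __name__ == "__main__":
    for fields in ((), ("host",), ("user",), ("host", "user")):
        print(fields, simulate(fields))
```

    Selecting more fields makes the key more specific and therefore raises more alerts (four with host and user, three with either one alone), while leaving Fields empty collapses everything inside the hour into a single alert, which matches the behaviour described for each option above.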

  7. Configure the resulting Action for the Correlation Rule.

    You can select one of the following resulting actions to occur, where the configuration settings change depending on your selection:

  8. (Optional) Disable the Correlation Rule.

    Select Disable → Create if you want to finish configuring your Correlation Rule at a different time but do not want to lose your settings. The Create button is only enabled when you have configured all the mandatory fields in the New Correlation Rule editor. Once created, your Correlation Rule is listed on the Correlation Rules page but is disabled. You can edit or enable the rule at any time by right-clicking the rule and selecting Edit Rule or Enable.

  9. Create the Correlation Rule.

    The rule is added to the table in the Correlation Rules page as an active rule and a notification is displayed.

  10. Manage a Correlation Rule, as needed.

    At any time, you can return to the Correlation Rules page to view and manage your Correlation Rules. To manage a Correlation Rule, right-click the Correlation Rule and select the desired action.

    You can also monitor your correlation rule executions with the correlations_auditing dataset. For more information, see Monitor correlation rules.