Create a Correlation Rule

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-04
Category: Administrator Guide
Abstract

Create new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search.

Notice

There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

You can create a new correlation rule from either the Detection Rules → Correlation Rules page or when building a query in XQL Search. You can also import correlation rules.

When setting up Correlation Rules, you have the following capabilities:

  • Specify whether the Correlation Rule is Scheduled or runs in Real Time, scanning the data as it is ingested.

  • Define when the Correlation Rule runs.

  • Define whether alerts generated by the Correlation Rule are suppressed by a duration time and field.

  • Set the resulting action for the Correlation Rule, which includes any of the following:

    • Generate an alert: You can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert domain, Alert Severity, MITRE ATT&CK Tactics and Techniques, and other alert settings.

    • Save data to a dataset: Use this option to test and fine-tune new rules before they start generating alerts, and for correlation-of-correlation use cases.

    • Add data to a lookup dataset

    • Remove data from a lookup dataset

Note

  • When creating a Real Time Correlation Rule, you can only generate an alert as the resulting action for the Correlation Rule. All other options are disabled.

  • To ensure your Correlation Rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XSIAM automatically disables any Correlation Rule that reaches 5000 or more hits over a 24-hour period.
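The following Python model is an added example, not part of this guide or of the Cortex XSIAM product, that illustrates two behaviours described above: alert suppression by a duration and a field, and the automatic disabling of a rule that reaches 5000 hits within 24 hours. The 30-minute suppression window, the sample hits and the assumption that suppressed hits still count toward the 5000-hit threshold are all constructed here for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed values for this model (only the 5000 hits / 24 h figures come from the guide).
SUPPRESS_WINDOW = timedelta(minutes=30)     # suppression duration, constructed
AUTO_DISABLE_HITS = 5000                    # threshold stated in the guide
AUTO_DISABLE_WINDOW = timedelta(hours=24)   # period stated in the guide


def simulate_rule(hits, suppress_window=SUPPRESS_WINDOW):
    """Replay a rule's raw hits and return (alerts_raised, auto_disabled).

    hits: iterable of (datetime, suppression_field_value) in time order,
    e.g. the user name the rule is suppressed on.
    A hit raises an alert unless an alert for the same field value was
    already raised less than suppress_window ago (suppression by duration
    and field). Every raw hit, suppressed or not, is counted toward the
    rolling 24-hour threshold; that counting choice is this model's
    assumption, not a statement from the guide.
    """
    last_alert = {}      # field value -> time of the last alert raised
    window = deque()     # timestamps of raw hits inside the last 24 hours
    alerts = []
    for ts, key in hits:
        window.append(ts)
        while ts - window[0] >= AUTO_DISABLE_WINDOW:
            window.popleft()             # drop hits older than 24 hours
        if len(window) >= AUTO_DISABLE_HITS:
            return alerts, True          # rule would be auto-disabled here
        prev = last_alert.get(key)
        if prev is None or ts - prev >= suppress_window:
            last_alert[key] = ts
            alerts.append((ts, key))     # alert raised
    return alerts, False


def constructed_hits(n, users, start=datetime(2024, 7, 16),
                     step=timedelta(seconds=10)):
    """Constructed sample input: n evenly spaced hits cycling through users."""
    return [(start + i * step, users[i % len(users)]) for i in range(n)]


if __name__ == "__main__":
    alerts, disabled = simulate_rule(constructed_hits(100, ["alice", "bob"]))
    print(len(alerts), "alerts raised; auto-disabled:", disabled)
```

Lengthening the suppression window or choosing a coarser field (for example a host instead of a user) reduces alert volume, while a rule that fires on a high-frequency condition hits the 5000-per-24-hours limit and stops alerting entirely.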