Creating Correlation Rules to Monitor Data Ingestion Health - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide
Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

See examples of correlation rules for monitoring data ingestion health.

You can create correlation rules that monitor data collection for a specific source within a specific timeframe. Depending on your requirements, you can set up correlations that alert you when no logs are collected during a specified timeframe, or when there is a deviation from the regular pattern of log collection.

The following examples can help you to set up your own correlation rules with the data ingestion metrics:

Example 1: No logs collected from a data source for 1 hour

In this example, the correlation runs every hour and calculates the number of logs that are collected for each data source over the previous hour. If no logs are collected for a data source during an aggregation period, a security alert is triggered.

Example XQL:

preset = metrics_view  
| comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, 
_collector_name, _collector_type, _final_reporting_device_ip, _final_reporting_device_name,
 _broker_device_id, _vendor, _product 
| filter total_event_count_sum = 0

Addition fields to specify in the correlation rule:

Field

Value

Time Schedule

Hourly

Query time frame

1 Hour

Alert Suppression

Select Enable alert suppression.

Fields

Uncheck total_event_rate_sum, leave other fields checked.

Action

Select Generate alert.

Severity

High

Category

Collection

Alerts Fields Mapping

The fields in the metrics_view preset are not mapped to the Alerts Table. To enrich your investigation capabilities and enable automation on the fields in the correlation, you can create custom alert fields.

Example 2: No logs received from a Firewall for 20 minutes

In this example, the correlation runs every 20 minutes and calculates the number of logs that are received for each firewall in a lookup dataset during the last 20 minutes. If no logs are received from a device during an aggregation period, a security alert is triggered.

Example XQL:

preset = metrics_view  
| join conflict_strategy = left  type = inner (dataset = ngfw_device_Id_keepalive 
| fields _device_id) as devices devices._device_id = _device_id  | comp sum(total_event_count)
 as total_event_count_sum by _device_id, _product,_vendor 
| filter total_event_count_sum = 0

Addition fields to specify in the correlation rule:

Field

Value

Time Schedule

Every 20 minutes

Query time frame

20 minutes

Alert Suppression

Select Enable alert suppression.

Fields

Uncheck total_event_rate_sum, leave other fields checked.

Action

Select Generate alert.

Severity

High

Category

Collection

Alerts Fields Mapping

The fields in the metrics_view preset are not mapped to the Alerts Table. To enrich your investigation capabilities and enable automation on the fields in the correlation, you can create custom alert fields.