Working with Correlation Rules - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Abstract

Correlation Rules help you analyze correlations of multi-events from multiple sources by using the Cortex Query Language based engine for creating scheduled rules.

Correlation Rules help you analyze correlations of multi-events from multiple sources by using the Cortex Query Language (XQL) based engine for creating scheduled rules called Correlation Rules. Alerts can then be triggered based on these Correlation Rules with a defined time frame and set schedule, including every X minutes, once a day, once a week, or a custom time.

Once you have configured your Correlation Rules, you can manage the Correlation Rules in the Correlation Rules page, view and analyze the alerts generated from the Correlation Rules in the Alerts and Incidents pages. In addition, these Correlation Rules are factored into the number of incidents displayed in the dashboard.