Correlation rule details - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

In the Correlation Rules page, you can view all of your enabled rules in a table format and the various fields displayed.

Note

There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

If you are assigned a role that enables Investigation Rules privileges, you can manage all user-defined Correlation Rules from Detection Rules > Correlations.

By default, the Correlation Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Correlation Rules page, you can manage existing rules using the right-click pivot menu. You can also import and export rules in JSON format, which can help you to transfer your configurations between environments for onboarding, migration, backup, and sharing. You can bulk export and import multiple rules at a time.

In addition, the Correlation Rules page enables you to easily identify and resolve correlation rule errors. The number of errors is indicated at the top of the page in red using the format <number> errors found. You can change the view to display only the correlation rules with errors by selecting Show Errors Only. The LAST EXECUTION column in the table indicates a correlation rule with an error by displaying the last execution time in a red font and providing a description of the error when you hover over the field. The following error messages are displayed in the applicable scenarios.

  • Invalid query

  • Query timeout

  • Dependency correlation did not complete

  • Unknown error

  • Delayed rule—This rule is running past its scheduled time, which can cause delayed results.

  • Dataset does not exist: <name of dataset>

    Note

    Only an administrator can create and view queries built with an unknown dataset that does not currently exist in Cortex XSIAM.

A notification is also displayed in Cortex XSIAM to indicate these correlation rule errors.