Create a correlation rule - Create new correlation rules from either the Correlation Rules page or when building a query in XQL Search, or import a many correlation rules from a file. - Administrator Guide - Cortex XSIAM - Cortex

Create a correlation rule - Create new correlation rules from either the Correlation Rules page or when building a query in XQL Search, or import a many correlation rules from a file. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-05-14

Danger

To enable pivots from alerts to a third-party source system, ensure that you know the dataset field name which contains the URL of the source system. Some vendors already provide this URL as part of their API, and you can find it in the third-party product dataset. If there is no URL, you cannot enable this feature.

You can create a new correlation rule from either the Detection Rules → Correlation Rules page or when building a query in XQL Search. You can also import a number of correlation rules.

When setting up correlation rules, you have the following capabilities:

Specify whether the correlation rule is Scheduled, or scans the data in Real Time, as it’s ingested.
Define when the correlation rule runs.
Define whether alerts generated by the correlation rule are suppressed by a duration time and field.
Set the resulting action for the correlation rule, which includes any of the following:
- Generate an alert: You can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert domain, Alert Severity, MITRE Attack Tactics and Techniques, and other alert settings.
- Save data to a dataset: Use this option to test and fine-tune new rules before initiating alerts and applying correlation of correlation use cases.
- Add data to a lookup dataset
- Remove data from a lookup dataset
Define the URL field for EDR alerts ingested from an external third-party source. This configuration enables pivoting from alerts on the Cortex XSIAM Alerts page to the third-party user interface.

Note

When creating a Real Time Correlation Rule, you can only generate an alert as the resulting action for the Correlation Rule. All other options are disabled.
To ensure your Correlation rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XSIAM automatically disables Correlation rules that reach 5000 or more hits over a 24-hour period.

Open the New Correlation Rule editor.
You can do this in two ways:
- From the Correlation Rules page.
  1. Select Detection & Threat Intel → Detection Rules → Correlations.
  2. Select +Add Correlation.
- From XQL Search.
  1. Select Incident Response → Investigation → Query Builder → XQL Search.
  2. In the XQL query field, define the parameters for your Correlation Rule.
  3. Select Save as → Correlation Rule.
    The New Correlation Rule editor is displayed where the XQL Search section is populated with the query you already set in the XQL query field.
Configure the General settings.
- Specify a descriptive Name to identify the correlation rule.
- (Optional) Specify a Description for the correlation rule.
Use XQL to define the correlation rule in XQL Search field.
Define the correlation rule in the XQL Search field. After writing at least one line in XQL, you can Open full query mode to display the query in XQL Search. You can Test the XQL definition for the rule whenever you want.
Note
- When you open the New Correlation Rule editor from XQL Search, this XQL Search field is already populated with the XQL query that you defined.
- An administrator can create and view queries built with an unknown dataset that currently does not exist in Cortex XSIAM. All other users can only create and view queries built with an existing dataset.
When you finish writing the XQL for the Correlation Rule definition, select Continue editing rule to bring you back to the New Correlation Rule editor, and the complete query you set is added to the XQL Search field.
Note
- The XQL features for call, top, and wildcards in datasets (dataset in (<dataset prefix>_*)) are currently not supported in Correlation Rules. If you add them to the XQL definition, you will not be able to Create or Save the Correlation Rule.
- The XQL features for transaction in datasets (dataset in (<dataset prefix>_*)) are currently not supported in Real Time correlation rules.
- The XQL tag stage is currently not supported in correlation rules.
- Using the current_time() function in your XQL query for a correlation rule can yield unexpected results when there are lags or during downtime. This happens if the correlation rule doesn’t run exactly at the time of the data inside the timeframe, for example when a rule is dependent on another rule, or when a rule is stuck due to an error, and then runs in recovery mode. Instead, we recommend using the time_frame_end() function, which returns the timestamp at the end of the time frame in which the rule is executed.
Select to run the Correlation Rule in Real Time or Scheduled.
- Real Time Correlation Rules scan the data as it’s ingested.
- You can run Real Time Correlation Rules on Cortex XSIAM alerts, Cloud audit logs, third party datasets, and Data Models.
- When you start typing a Correlation Rule, Cortex XSIAM can detect that the query can be run in Real Time and recommend that you select Real Time.
- Real Time Correlation Rules only support the following XQL stages: dataset,datamodel, filter, alter, fields, and config case_sensitive. A Real Time Correlation Rule must include an XQL filter stage. For more information on these XQL stages, see the Cortex XSIAM XQL Language Reference Guide.
- The following XQL functions are not supported in a Real Time Correlation Rule: json_extract_scalar_array, parse_epoch, and time_frame_end.
- Dataset views are not supported in Real Time Correlation Rules.
If the Correlation Rule is Scheduled, configure the Timing settings.
- Time Schedule: Select the Time Schedule for the frequency of running the XQL Search definition set for the Correlation Rule as one of the following.
  - Every 10 Minutes: Runs every rounded 10 minutes at preset 10 minute intervals from the beginning of the hour, such as 10:10 AM, 10:20 AM, and 10:30 AM.
  - Every 20 Minutes: Runs every rounded 20 minutes at preset 20 minute intervals from the beginning of the hour, such as 10:20 AM, 10:40 AM, and 11:00 AM.
  - Every 30 Minutes: Runs every rounded 30 minutes at preset 30 minute intervals from the beginning of the hour, such as 10:30 AM, 11:00 AM, and 11:30 AM.
  - Hourly: Runs at the beginning of the hour, such as 1:00 AM or 2:00 AM.
  - Daily: Runs at midnight, where you can set a particular Timezone.
  - Custom: Displays the Time Schedule as Cron Expression fields, where you can set the cron expression in each time field to define the schedule frequency for running the XQL Search. The minimum query frequency is every 10 minutes and is already configured. You can also set a particular Timezone.
  By default, the query is set to run once an hour (1 Hour/s).
- Timezone (Optional): You can only set the Timezone when the Time Schedule is set to Daily or Custom. Otherwise, the option is disabled.
- Query time frame: Set the time frame for running a query, which can be up to 7 days. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s.
(Optional) Configure Alert Suppression settings.
Define whether the alerts generated by the Correlation Rule are suppressed by a duration time, field, or both.
- Enable alert suppression: Select this checkbox to Enable alert suppression. By default, this checkbox is clear and the alerts of the Correlation Rule are configured to not be suppressed.
- Duration time: Set the Duration time for how long to ignore other events that match the alert suppression criteria, which are based on the Fields listed. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s. By default, the generated alerts are configured to be suppressed by 1 hour (1 Hour/s). The Duration time can be configured for a maximum of 1 day.
- Fields (Optional): Select the fields that the alert suppression is based on. The fields listed are based on the XQL query result set. You can perform the following.
  - Select multiple fields from the list.
  - Select all to configure all the fields for suppression. This means that all the fields must match for the alerts to be suppressed. This option will generate multiple alerts during the suppression period.
  - Search for a particular field, which narrows the available options as you begin typing.
  - Do not set any Fields by leaving the field empty only 1 alert is generated during the suppression period.

Configure the resulting Action for the Correlation Rule.

You can select one of the following resulting actions to occur, where the configuration settings change depending on your selection:

Generates a Correlation type of alert according to the configured settings in the New Correlation Rule editor (default). When this option is selected a number of new sections are opened to configure the alert.

Alert Name: Specify a name. You can incorporate a variable based on a query output field in the format $fieldName.
Alert Domain: Select the domain to which you want to assign any triggered alerts.
Note
- The incident that contains the alerts will also be assigned to the selected domain. For more information, see Incident and alert domains.
- If you want to trigger a health alert, choose the Health domain. For more information about health alerts, see About health alerts.
Severity: Select the severity type whenever an alert is generated for this Correlation Rule as one of the following:
- Informational
- Low
- Medium
- High
- Critical
- User Defined: Select fields from inside the query.
Note
Whenever the severity type is Medium or above for the alert generated, an incident is automatically opened.
Category: Select the type of alert that is generated. The list of categories reflects the selected domain.
Alert Description (Optional): Specify a description of the behavior that will raise the alert. You can include dollar signs ($), which represent the fields names (i.e. output columns) in XQL Search.
For example.
```
The user $user_name has made $count failed login requests to $dest in a 24 hours period
```
Output.
```
The user lab_admin has made 234 failed login requests to 10.10.32.44 in a 24 hours period
```
Note
There is no validation or auto complete for these parameters and the values can be null or empty. In these scenarios, Cortex XSIAM does not display the null or empty values, but adds the text NULL or EMPTY in the descriptions.
Drill-Down Query (Optional): You can configure a Drill-Down Query for additional information about the alert for further investigation using XQL. This XQL query can accept parameters from the alert output for the Correlation Rule. Yet, keep in mind that when you create the Correlation Rule, Cortex XSIAM does not know in advance if the parameters exist or contain the correct values. As a result, Cortex XSIAM enables you to save the query, but the query can fail when you try and run it. You can also refer to field names using dollar signs ($) as explained in the Alert Description.
Once configured any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you investigate a contributing event, and a quick action Open Drilldown Query icon () that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drill-Down Query, no right-click pivot menu option, link, or icon is displayed.
Drill-Down Query Time Frame: Select the time frame used to run the Drill-Down Query from one of the following options, which provides more informative details about the alert generated by the Correlation Rule.
- Generated Alert: Uses the time frame of the alert that is triggered, which is the first event and last event timestamps for the alert (default option). If there is only one event, the event timestamp is the time frame used for the query.
- XQL Search: Uses the time frame from when the Correlation Rule was run in XQL Search.
MITRE ATT&CK (Optional): Select the MITRE Tactics and MITRE Techniques you want to associate with the alert using the MITRE ATT&CK matrix.
1. You can access the matrix by selecting the MITRE ATT&CK bar or Open complete MITRE matrix link underneath the bar on the right.
2. Select the MITRE Tactics listed in the first row of the matrix and the applicable MITRE techniques and Sub-Techniques, which are listed in the other rows in the table. You can select either MITRE Tactics only, MITRE techniques and Sub-Techniques only, or a combination of both.
3. Click Select and the matrix window closes and the MITRE ATT&CK section in the New Correlation Rule editor lists the number of Tactics and Techniques configured, which is also listed in the bar. For example, in the following image, there are 3 Tactics and 4 Techniques configured. The three MITRE Tactics are Resource Development with 2 Techniques configured, Credential Access with 1 Technique configured, and Discovery with 1 Technique configured.

You can map the alert fields to display the mapped fields in the Alerts page to provide important information in analyzing your alerts. In addition, mapping the fields helps to improve incident grouping logic and enables Cortex XSIAM to list the artifacts and assets based on the map fields in the incident. The options available can change depending on your Correlation Rule definitions in XQL Search. Each preconfigured field that is automatically mapped is clearly displayed. There are two ways to map the alert fields.

Use preconfigured fields

Select this option if you want Cortex XSIAM to automatically map the fields for you. This checkbox only displays when your Correlation Rule can be configured to use Cortex XSIAM incident enrichment and then it is set as the default option. We recommend using this option whenever it is available to you.

When creating a Correlation Rule that runs on the Cortex Data Model (XDM), we recommend that this checkbox is selected. Cortex XSIAM automatically maps the XDM fields to alert fields as listed in the table below. This means that these XDM field values are displayed in the Alerts page.

You can edit the source mapped to preconfigured fields to customize the mapping to your needs. Click the Edit icon next to a field value to select one of the other values.

Note

When more than one XDM field is listed, Cortex XSIAM looks for the field value according to the order of the fields listed.

XDM Fields	Cortex XSIAM Alert Fields
xdm.source.host.fqdn	Domain
xdm.event.type	Event Type
xdm.target.file.filename, xdm.target.module.filename, xdm.email.attachment.filename	File name
xdm.target.file.sha256, xdm.target.module.sha256, xdm.email.attachment.sha256	File SHA256
xdm.source.host.ipv4_addresses	Host IP
xdm.source.host.hostname	Host Name
xdm.source.host.os_family	Host OS
xdm.source.process.executable.filename, xdm.source.process.name	Initiated By
xdm.source.process.command_line	Initiator CMD
xdm.source.process.executable.path	Initiator path
xdm.source.process.executable.sha256	Initiator SHA256
xdm.source.process.executable.signature_status	Initiator signature
xdm.source.process.executable.signer	Initiator signer
xdm.source.ipv4, xdm.source.host.ipv4_addresses	Local IP
xdm.target.process.executable.signature_status	Process execution signature
xdm.target.process.executable.signer	Process execution signer
xdm.target.host.hostname	Remote Host
xdm.target.ipv4, xdm.target.host.ipv4_addresses	Remote IP
xdm.target.port	Remote port
xdm.target.process.command_line	Target process CMD
xdm.target.process.executable.filename, xdm.target.process.name	Target Process Name
xdm.target.process.executable.path	Target Process Path
xdm.target.process.executable.sha256	Target process SHA256
xdm.target.url	URL
xdm.source.user.username	User name

Manually map the alert fields by selecting the fields that you want to map. When you create the Correlation Rule, Cortex XSIAM does not detect whether the alert fields that you mapped manually are valid. If the fields are invalid according to your mapping, null values are assigned to those fields.
Note
When Use the Cortex XSIAM default incident enrichment is not selected and you have not mapped any alert fields, the alert is dispatched into a new incident.
(Optional) Set fields as default for new Security Domain correlations: Saves the custom alert fields that are configured for this rule for all users. When a user next creates an incident for the same domain, these fields are automatically configured instead of the default field set.
To restore the system defaults, click Restore default system fields.
(Optional) To enable pivots from alerts to a third-party source system, in the Alerts Fields Mapping section, click +Add field and select the External URL option. For this field, search for and select the dataset field which stores the third-party URL.

Use to save the data generated from the Correlation Rule to a separate Target Dataset. This option is helpful when you are fine-tuning and testing a rule before promoting the rule to production. You can also save a rule to a dataset as a building block for the next Correlation Rule, which will be based on the results of the first Correlation Rule instead of building too complex XQL queries.

You can either create a new Target Dataset by specifying the name for the dataset in the field or select a preexisting Target Dataset that was created for a different Correlation Rule. The list only displays the datasets configured when creating a Correlation Rule. Different Correlation Rules can be saved to the same dataset and Cortex XSIAM will expand the dataset schema as needed. The dataset you configure for the Correlation Rule contains the following additional fields:

_rule_id
_rule_name
_insert_time

Add data to a specified lookup dataset. After selecting this option, perform the following:

In the Target Dataset field, select an existing lookup dataset to add the data.
In the displayed mapping, Cortex XSIAM lists fields from the lookup schema in the KEY column to enable you to map fields from the query to an entry in the lookup.
In the VALUE column, map at least one field from the query to an entry in the lookup dataset (KEY column).
(optional) You can set a single field or multiple fields as unique by selecting the checkbox in the UNIQUE column. A unique field means these fields are designated as a key to update existing entries as opposed to creating a new entry. If multiple fields are selected, these fields together are used to identify existing entries. If several existing entries meet the condition, all these entries are updated. If no existing entries meet the condition, the entry is added as a new one. If no field is marked as unique, records are added as new.

Important

The maximum size of a lookup dataset is 50 MB. If the data exceeds this limit, the add to lookup action fails.

Removes data from a specified lookup dataset. After selecting this option, perform the following:

In the Target Dataset field, select an existing lookup dataset to remove data.
In the displayed mapping, Cortex XSIAM lists fields from the lookup schema in the KEY column to enable you to map fields from the query to an entry in the lookup.
In the VALUE column, map at least one field from the query to an entry in the lookup dataset (KEY column). All rows (lookup entries) matching these field mapping values (filtering condition) will be deleted. If several existing entries meet the condition, all these entries are deleted. If no existing entries meet the condition, no entries are deleted.

(Optional) Disable the Correlation Rule.
Select Disable → Create if you want to finish configuring your Correlation Rule at a different time, but do not want to lose your settings. The Create button is only enabled when you have configured all the mandatory fields in the New Correlation Rule editor. Once configured, your Correlation Rule is listed in the Correlation Rules page, but is disabled. You can edit or enable the rule at any time by right-clicking the rule and selecting Edit Rule or Enable.
Create the correlation rule.
The rule is added to the table in the Correlation Rules page as an active rule and a notification is displayed.