Create a correlation rule - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Create new correlation rules from either the Correlation Rules page or when building a query in XQL Search, or import many correlation rules at once from a file.

Notice

There may be future changes to the correlation rules offerings, which can impact your licensing agreements. You will receive a notification ahead of time before any changes are implemented.

You can create a new correlation rule from either the Detection Rules > Correlation Rules page or when building a query in XQL Search. You can also import a number of correlation rules from a file.

When setting up correlation rules, you have the following capabilities:

  • Specify whether the correlation rule is Scheduled, or scans the data in Real Time, as it’s ingested.

  • Define when the correlation rule runs.

  • Define whether alerts generated by the correlation rule are suppressed by a duration time and field.

  • Set the resulting action for the correlation rule, which includes any of the following:

    • Generate an alert: You can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert domain, Alert Severity, MITRE Attack Tactics and Techniques, and other alert settings.

    • Save data to a dataset: Use this option to test and fine-tune new rules before the rule starts generating alerts, and to build correlation-of-correlation use cases.

    • Add data to a lookup dataset

    • Remove data from a lookup dataset

Note

  • When creating a Real Time Correlation Rule, you can only generate an alert as the resulting action for the Correlation Rule. All other options are disabled.

  • To ensure your Correlation rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XSIAM automatically disables Correlation rules that reach 5000 or more hits over a 24-hour period.
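As an added illustration (not Cortex XSIAM code), the following Python models the two behaviours just described: suppression of repeat alerts by duration and field, and the auto-disable threshold of 5000 hits in a 24-hour period. The sample hits, the 30-minute suppression window and the sliding-window reading of "24-hour period" are assumptions made for the example.

```python
"""Added model of suppression by duration+field and the 5000-hits/24h auto-disable.
Not Cortex XSIAM code; the sliding 24h window is an assumption."""
from collections import deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 6, 12, 0, 0)
# Constructed sample hits: (timestamp, suppression-field value, e.g. a host name).
SAMPLE_HITS = [
    (BASE + timedelta(minutes=0), "host-a"),
    (BASE + timedelta(minutes=5), "host-a"),   # suppressed: host-a alerted 5 min ago
    (BASE + timedelta(minutes=7), "host-b"),   # new field value: alert
    (BASE + timedelta(minutes=20), "host-b"),  # suppressed: host-b alerted 13 min ago
    (BASE + timedelta(minutes=40), "host-a"),  # 40 min since last host-a alert: alert
]
DEFAULT_SUPPRESSION = timedelta(minutes=30)   # assumed suppression duration
AUTO_DISABLE_THRESHOLD = 5000                 # from the note above
AUTO_DISABLE_WINDOW = timedelta(hours=24)     # from the note above

def apply_suppression(hits=SAMPLE_HITS, duration=DEFAULT_SUPPRESSION):
    """Return the hits that still raise an alert when, after an alert for a
    given field value, further hits on that value are dropped for `duration`."""
    last_alert = {}
    alerts = []
    for ts, value in sorted(hits):
        prev = last_alert.get(value)
        if prev is None or ts - prev >= duration:
            alerts.append((ts, value))
            last_alert[value] = ts
    return alerts

def evenly_spaced_hits(count, seconds_apart):
    """Constructed hit timestamps, one every `seconds_apart` seconds."""
    return [BASE + timedelta(seconds=seconds_apart * i) for i in range(count)]

def max_hits_in_window(timestamps, window=AUTO_DISABLE_WINDOW):
    """Largest number of hits inside any span shorter than `window`."""
    recent = deque()
    worst = 0
    for ts in sorted(timestamps):
        recent.append(ts)
        while ts - recent[0] >= window:   # drop hits that fell out of the window
            recent.popleft()
        worst = max(worst, len(recent))
    return worst

def would_be_auto_disabled(timestamps, threshold=AUTO_DISABLE_THRESHOLD):
    """True if some 24-hour span holds `threshold` or more hits, i.e. the rule would be disabled."""
    return max_hits_in_window(timestamps) >= threshold
```

Running a candidate rule's historical hit timestamps through `would_be_auto_disabled` before enabling it shows whether it would trip the threshold, and `apply_suppression` shows how much a suppression field and duration reduce the alert count.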