You can monitor your correlation executions with the correlations_auditing dataset.
Cortex XSIAM audits all correlation executions in the correlations_auditing dataset. The dataset records the query initiation times, end times, retry attempts, failure reasons, and other useful metrics. You can use this dataset to monitor your correlation executions. Cortex XSIAM also provides OOTB health alerts that are triggered when a correlation rule completes with errors. For more information, see About health alerts.
In the correlations_auditing dataset, audit entries are added as follows:
The rule starts executing. This is audited with the status of Initiated or Initiated Manually.
The rule completes successfully. This is audited as Completed.
The rule completes with errors. This is audited as Error.
Note
In the dataset, the Query start time and Query end time indicate the timeframe of the data that was queried. The actual start and end times of the correlation rule execution are recorded in the _time field for the Initiated and Completed entries.
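The following added example (not from the Cortex XSIAM documentation or product) shows how a defender could pair the Initiated and Completed/Error audit entries described above into per-execution summaries, computing the real run duration from _time separately from the queried data window. The sample entries are constructed, and all field names except _time and the status values (rule_name, query_start_time, query_end_time, failure_reason, retry_count) are assumptions about the schema.

```python
from datetime import datetime

# Constructed sample audit entries modelled on the page's description of the
# correlations_auditing dataset. Field names other than _time and the status
# values are assumptions, not the dataset's documented schema.
SAMPLE_ENTRIES = [
    {"_time": "2024-05-01T10:00:00Z", "rule_name": "Suspicious Login", "status": "Initiated",
     "query_start_time": "2024-05-01T09:00:00Z", "query_end_time": "2024-05-01T10:00:00Z"},
    {"_time": "2024-05-01T10:00:12Z", "rule_name": "Suspicious Login", "status": "Completed",
     "query_start_time": "2024-05-01T09:00:00Z", "query_end_time": "2024-05-01T10:00:00Z"},
    {"_time": "2024-05-01T10:05:00Z", "rule_name": "Data Exfil", "status": "Initiated Manually",
     "query_start_time": "2024-05-01T09:00:00Z", "query_end_time": "2024-05-01T10:00:00Z"},
    {"_time": "2024-05-01T10:05:45Z", "rule_name": "Data Exfil", "status": "Error",
     "query_start_time": "2024-05-01T09:00:00Z", "query_end_time": "2024-05-01T10:00:00Z",
     "failure_reason": "query timeout", "retry_count": 2},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def summarize_executions(entries):
    """Pair each Initiated / Initiated Manually entry with the next Completed or
    Error entry for the same rule. run_seconds comes from the _time of the two
    entries (actual execution time); window_seconds comes from the query start
    and end times (the span of data that was queried). These are different."""
    entries = sorted(entries, key=lambda e: e["_time"])  # ISO-8601 sorts lexically
    open_runs, summaries = {}, []
    for e in entries:
        rule = e["rule_name"]
        if e["status"] in ("Initiated", "Initiated Manually"):
            open_runs[rule] = e
        elif e["status"] in ("Completed", "Error") and rule in open_runs:
            start = open_runs.pop(rule)
            summaries.append({
                "rule_name": rule,
                "manual": start["status"] == "Initiated Manually",
                "status": e["status"],
                "run_seconds": (_ts(e["_time"]) - _ts(start["_time"])).total_seconds(),
                "window_seconds": (_ts(e["query_end_time"]) - _ts(e["query_start_time"])).total_seconds(),
                "failure_reason": e.get("failure_reason"),
                "retries": e.get("retry_count", 0),
            })
    # Runs with no Completed/Error entry are flagged with a status derived by this
    # script ("Unfinished"); it is not a value the dataset itself records.
    for rule, start in open_runs.items():
        summaries.append({"rule_name": rule, "manual": start["status"] == "Initiated Manually",
                          "status": "Unfinished", "run_seconds": None, "window_seconds": None,
                          "failure_reason": None, "retries": 0})
    return summaries


def failed_rules(entries):
    """Rule names whose most recent paired execution did not reach Completed."""
    return [s["rule_name"] for s in summarize_executions(entries) if s["status"] != "Completed"]
```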