
Correlation Rules Guide


Create Correlation Rules

Create fact-based correlation rules to surface well-known, well-defined abnormal behaviour and events.

You can create a correlation rule from scratch, a template, or a Search query.

There are four steps to creating a correlation rule: you build sequences, designate the outcomes of the rule, finalize some rule details, then review and save the rule.

To build a sequence, you first define the events that trigger the rule by querying for them, using the same query experience as Search. Then you define the conditions those events must meet for the rule to trigger. To evaluate the conditions against subsets of the results rather than against the whole result set, use Group by Field: it partitions the matching events by the value of a field (for example, one subset per user), and the rule evaluates its conditions against each subset separately. You can also build a sequence that detects the absence of an event or field, so the rule triggers when something expected does not occur.

After you create your sequences, you can optionally designate what happens when the rule triggers. There are three possible outcomes: Threat Center creates a case or Case Manager creates an incident, depending on your license; Correlation Rules sends an email notification; or Correlation Rules sends the rule's information to a webhook. Even if you specify no outcome, an event is still created every time the rule triggers. If your license includes Threat Center, Threat Center may also create an alert every time the rule triggers, depending on whether you are testing the rule.

Before you can review and save the rule, you must finalize a few details, such as the rule name and severity. To prevent alert fatigue, you can suppress the rule from triggering repeatedly, either for the rule as a whole or for a specific field value (for example, at most once per user within the suppression period). To ensure the rule evaluates late-arriving events, you can also delay evaluation until all events have had time to arrive. The delay trades detection latency for completeness: the rule triggers later, but an event that reaches the platform after the fact is still counted instead of being silently missed.
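The four steps above describe a workflow in the product's interface. As an added example, not the product's own code or a description of its implementation, the Python below models the same concepts over constructed events: a sequence (a query plus a threshold condition), Group by Field, an absence sequence, suppression keyed on a field value, and delayed evaluation so late-arriving events are counted. The field names `activity` and `user`, the timestamps, the 50-second window, the threshold of four and the suppression period are all assumptions made for the example.

```python
"""Toy correlation-rule evaluator (added example; not the product's own code).

Models the concepts from the page over constructed events: a sequence is a
query plus a threshold condition, results are grouped by a field and each
group is evaluated on its own, an absence sequence must NOT match, repeat
triggers are suppressed, and evaluation is delayed so late events count.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]                # one parsed log record (field names are assumed)
Arrival = Tuple[int, int, Event]      # (event_time, arrival_time, record)


@dataclass(frozen=True)
class Rule:
    name: str
    sequence: Callable[[Event], bool]            # query selecting the triggering events
    absent: Optional[Callable[[Event], bool]]    # absence sequence: must not occur in the group
    group_by: str                                # Group by Field
    threshold: int                               # condition: at least this many sequence hits
    window: int                                  # tumbling evaluation window, seconds
    delay: int                                   # wait this long past window end for late events
    suppress: int                                # seconds during which repeat triggers are dropped
    suppress_per_value: bool = True              # key suppression on the group value, else whole rule


def evaluate_window(rule: Rule, window_start: int, events: List[Arrival], now: int) -> List[str]:
    """Evaluate one window at arrival-clock time `now`; return group values satisfying the rule.

    Only events that have arrived by `now` are visible, which is what makes the delay matter."""
    window_end = window_start + rule.window
    groups = defaultdict(lambda: {"hits": 0, "absent_seen": False})
    for event_time, arrival_time, rec in events:
        if arrival_time > now or not (window_start <= event_time < window_end):
            continue
        g = groups[rec.get(rule.group_by, "")]
        if rule.sequence(rec):
            g["hits"] += 1
        if rule.absent is not None and rule.absent(rec):
            g["absent_seen"] = True
    return sorted(v for v, g in groups.items()
                  if g["hits"] >= rule.threshold and not g["absent_seen"])


def run_rule(rule: Rule, events: List[Arrival]) -> List[Tuple[int, str]]:
    """Replay events window by window, evaluating each window once its delay has elapsed.

    Returns (window_start, group_value) for every trigger that was not suppressed."""
    last_trigger: Dict[str, int] = {}
    triggers: List[Tuple[int, str]] = []
    first = min(t for t, _, _ in events) // rule.window * rule.window
    last = max(t for t, _, _ in events)
    for window_start in range(first, last + 1, rule.window):
        evaluated_at = window_start + rule.window + rule.delay   # arrival clock when the rule runs
        for value in evaluate_window(rule, window_start, events, evaluated_at):
            key = value if rule.suppress_per_value else "*"
            prev = last_trigger.get(key)
            if prev is not None and window_start - prev < rule.suppress:
                continue                                          # suppressed repeat trigger
            last_trigger[key] = window_start
            triggers.append((window_start, value))
    return triggers


# Constructed sample events: (event_time, arrival_time, record). Event 4 arrives 58 s late.
SAMPLE_EVENTS: List[Arrival] = [
    (100, 100, {"activity": "auth-failed", "user": "alice"}),
    (105, 105, {"activity": "auth-failed", "user": "alice"}),
    (110, 110, {"activity": "auth-failed", "user": "bob"}),
    (112, 170, {"activity": "auth-failed", "user": "alice"}),   # late-arriving event
    (115, 115, {"activity": "auth-failed", "user": "alice"}),
    (118, 118, {"activity": "auth-failed", "user": "bob"}),
    (120, 120, {"activity": "auth-failed", "user": "bob"}),
    (122, 122, {"activity": "auth-failed", "user": "bob"}),
    (125, 125, {"activity": "auth-success", "user": "bob"}),    # bob succeeds: absence sequence fails
    (155, 155, {"activity": "auth-failed", "user": "alice"}),
    (160, 160, {"activity": "auth-failed", "user": "alice"}),
    (165, 165, {"activity": "auth-failed", "user": "alice"}),
    (170, 170, {"activity": "auth-failed", "user": "alice"}),
]

# Assumed rule: four or more failed logons for one user in a 50 s window with no success
# for that user in the same window; suppress repeats per user for 60 s.
BRUTE_FORCE = Rule(
    name="Repeated authentication failures without success",
    sequence=lambda e: e["activity"] == "auth-failed",
    absent=lambda e: e["activity"] == "auth-success",
    group_by="user", threshold=4, window=50, delay=0, suppress=60,
)


def triggers_for(delay: int, suppress: int = 60) -> List[Tuple[int, str]]:
    """Run BRUTE_FORCE over SAMPLE_EVENTS with the given delay and suppression settings."""
    return run_rule(replace(BRUTE_FORCE, delay=delay, suppress=suppress), SAMPLE_EVENTS)


if __name__ == "__main__":
    print("delay=0  ->", triggers_for(0))             # late event missed; only window 150 fires
    print("delay=30 ->", triggers_for(30))            # window 100 fires, window 150 suppressed
    print("no suppression ->", triggers_for(30, 0))   # both windows fire for alice
```

With no delay, the late failure for alice is not visible when the first window is evaluated, so only the second window triggers. With a 30-second delay the first window sees all four failures and triggers, and the second window is then dropped by the 60-second per-user suppression; bob never triggers because his successful logon satisfies the absence sequence. Setting suppression to zero shows the repeat triggers the suppression setting is meant to prevent.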