
Correlation Rules Guide


Create Correlation Rules

Create fact-based correlation rules to surface well-known, well-defined abnormal behaviour and events.

You can create a correlation rule from scratch, a template, or a Search query.

There are four steps to creating a correlation rule: you build sequences, designate the outcomes of the rule, finalize some rule details, then review and save the rule.

To build a sequence, you first define the events that trigger the rule by querying for them with a query interface similar to Search. Then, you define the conditions those events must meet for the rule to trigger. To consolidate the query results into subsets of events so the rule evaluates its conditions against each subset, use the Group by Field functionality. You can also build a sequence that detects the absence of an event or field.

After you create your sequences, you designate what happens when the rule triggers. There are four possible outcomes: Threat Center creates an alert; Threat Center creates a case or Case Manager creates an incident; Correlation Rules sends an email notification; or Correlation Rules sends information to a Webhook.

Before you can review and save the rule, you must finalize a few details, like the rule name and severity. To prevent alert fatigue, you can suppress the rule from triggering repeatedly or even suppress the rule from triggering repeatedly on a specific field value. To ensure the rule evaluates late-arriving events, you can also delay the rule from evaluating events until all events have arrived.
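The mechanics described above (a query that selects events, a Group by Field that splits them into subsets, a condition evaluated per subset, absence detection, an evaluation delay for late-arriving events, and per-field-value suppression) can be illustrated with a small stand-alone evaluator. The following is an added example written for this guide; it is not the product's own code, and the rule dictionary layout, the `evaluate` and `missing_events` functions and the sample events are all assumptions constructed to show the concepts, not the product's API or log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events standing in for parsed authentication and host logs.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "failed_login", "user": "alice", "host": "web1"},
    {"ts": "2024-01-01T10:00:10", "type": "heartbeat", "host": "web1"},
    {"ts": "2024-01-01T10:00:30", "type": "failed_login", "user": "alice", "host": "web1"},
    {"ts": "2024-01-01T10:01:00", "type": "failed_login", "user": "alice", "host": "web1"},
    {"ts": "2024-01-01T10:01:30", "type": "failed_login", "user": "alice", "host": "web1"},
    {"ts": "2024-01-01T10:02:00", "type": "failed_login", "user": "bob", "host": "web2"},
    {"ts": "2024-01-01T10:04:50", "type": "failed_login", "user": "bob", "host": "web2"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


# Hypothetical rule definition (assumed structure, not the product's rule format).
FAILED_LOGIN_RULE = {
    "name": "Repeated failed logins per user",
    "severity": "medium",
    "query": lambda e: e["type"] == "failed_login",   # which events feed the sequence
    "group_by": "user",                                # evaluate the condition per user
    "condition": lambda group: len(group) >= 3,        # threshold applied to each group
    "window": timedelta(minutes=5),                    # look-back window for the group
    "delay": timedelta(minutes=1),                     # wait for late-arriving events
    "suppress": timedelta(minutes=30),                 # suppression per group-by value
}


def evaluate(rule, events, now, state):
    """Return one alert per group whose events satisfy the rule condition.

    `state` maps a group-by value to the time the rule last fired for it; it is
    the memory that makes per-field-value suppression work across evaluations.
    """
    cutoff = now - rule["delay"]          # events newer than this may still be incomplete
    start = cutoff - rule["window"]
    groups = defaultdict(list)
    for e in events:
        ts = parse_ts(e["ts"])
        if rule["query"](e) and start <= ts <= cutoff:
            groups[e[rule["group_by"]]].append(e)
    alerts = []
    for key, group in groups.items():
        if not rule["condition"](group):
            continue
        last = state.get(key)
        if last is not None and now - last < rule["suppress"]:
            continue                      # already fired recently for this value
        state[key] = now
        alerts.append({"rule": rule["name"], "severity": rule["severity"],
                       rule["group_by"]: key, "count": len(group)})
    return alerts


def missing_events(events, expected, event_type, start, end):
    """Absence detection: which expected hosts sent no `event_type` event in [start, end]?"""
    seen = {e["host"] for e in events
            if e["type"] == event_type and start <= parse_ts(e["ts"]) <= end}
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    now = parse_ts("2024-01-01T10:05:00")
    state = {}
    # alice has four failed logins inside the window: one alert.
    # bob's second attempt at 10:04:50 is newer than the delay cutoff and is not counted yet.
    print(evaluate(FAILED_LOGIN_RULE, EVENTS, now, state))
    # One minute later the condition still holds for alice, but suppression holds it back.
    print(evaluate(FAILED_LOGIN_RULE, EVENTS, now + timedelta(minutes=1), state))
    # web2 sent no heartbeat in the last five minutes.
    print(missing_events(EVENTS, ["web1", "web2"], "heartbeat", now - timedelta(minutes=5), now))
```

The delay is applied by excluding events newer than `now - delay`, which is why bob's most recent attempt is not yet counted; the next evaluation picks it up once the delay has elapsed. Suppression is keyed on the group-by value, so a second user exceeding the threshold still alerts while alice remains suppressed.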