Skip to main content

Correlation RulesCorrelation Rules Guide

Table of Contents

Create a Correlation Rule from Search

Create a correlation rule from a Search query. You can also create a correlation rule from scratch or from a template.

1. Create a Search Query

  1. In Search, search for the events on which your rule triggers.

  2. Click the More menu search-query-moremenu.png.

  3. Select Convert to Rule.

    search-query-moremenu-converttorule.png

2. Create a Sequence

To create a sequence, first search for events on which your rule triggers. Searching for events is similar to Search. You can choose to build a search or type one out, you use the same syntax when typing a search, and you can select recent and saved searches. After you define events of interest, you define the conditions that the events must meet.

When you create a rule from a Search query, the first sequence is automatically populated with that query. To continue building out the sequence, adjust the query or define the conditions.

If the rule triggers on a set of related events, define multiple sequences. The condition of all sequences must be satisfied for the rule to trigger. For example, to detect a brute force attempt, define the first sequence as a certain number of failed log-on events from an external IP address within five seconds and the second sequence as a successful log-on event from the same external IP address within 30 minutes. Sequences can be ordered, so sequences and their conditions must be satisfied in a specific order for the rule to trigger; or unordered, so all sequences and their conditions can be satisfied in any order for the rule to trigger.

  1. (Optional) In Sequence name, name the sequence.

  2. To define the events that trigger the correlation rule, search for events of interest:

    • Build a query.

    • Enter a query.

    • To select a recent or saved query in Search, click CRRecentSavedSearchesIcon.png, then select a query.

      You can only see saved queries marked private. You can't see public saved query.

  3. To see events that match your query and were created in in the last 15 minutes in Search, click Test Last 15 mins. If you modify your query in Search, you're prompted to update your query with those changes when you return to Correlation Rules. To retain the changes you made in Search, click Update Query.

  4. Under Condition, define conditions that must be satisfied for the rule to trigger.

    • If the rule triggers with the first event that matches the query you defined, select Trigger on first match. You must select this if you used a context table lookup to build your query.

    • To define a condition, click a term in the condition statement, then select another term. The available terms and fields change dynamically.

      CRConditionsSelectCountDropDown.png

      As you define the condition, Correlation Rules validates the condition statement. If a term turns red, the condition statement is invalid and you can't continue. Click the invalid term, then select another option.

      The Count and Unique Count terms are case insensitive; for example, for Event A with dest_host host123 and Event B with dest_host Host123, the count is two.

    • To select from a list of common conditions, click Start With Examples. For a condition, click Select, then click Apply.

    • To consolidate the query results by specific fields into subsets of events and evaluate the condition against each subset, toggle Group by Field on, then select a field. You can select up to five fields.

  5. To define additional sequences, click + New Sequence.

  6. (Optional) After you define multiple sequences, you can remove them, order them, define which field values all events returned across sequences should share for the rule to trigger, and specify whether the sequences are ordered or unordered:

    • To remove a sequence, click Remove Sequence.

    • If your sequences are ordered and a sequence should be satisfied before other sequences, click Move Up.

    • If your sequences are ordered and a sequence should be satisfied after other sequences, click Move Down.

    • If events returned by all sequences should share the same field value for the rule to trigger, under Common Properties > Select fields to group by, select the field. For example, if the rule triggers when all events returned across sequences contain the same source IP address, select src_ip. You can select up to 10 fields.

      If you selected a field in the Group by Field functionality in an individual sequence and the field value is shared across sequences, it automatically appears in the list.

    • To specify that the sequences be satisfied in a specific order for the rule to trigger, under Common Properties > Exabeam Sequences, select In Order.

    • To specify that the sequences can be satisfied in any order for the rule to trigger, under Common Properties > Exabeam Sequences, select Unordered.

  7. If you defined multiple sequences, under Overall Rule Threshold, you must define a period in which all sequences must be evaluated for the rule to trigger.

    If the sequences are ordered, the value should be more than the sum of time taken for each sequence to evaluate its condition. For example, if your first sequence is defined as Trigger if the Count of Event is More than 5 in the last 3 Minutes and your second sequence is defined as Trigger if the Count of Events is More than 5 in the last 5 Minutes , your overall rule threshold must be more than eight minutes.

    If the sequences are unordered, the value should be at least the maximum time taken across sequences to evaluate their conditions. For example, if your first sequence is defined as Trigger if the Count of Event is More than 5 in the last 3 Minutes and your second sequence is defined as Trigger if the Count of Events is More Than 5 in the last 5 Minutes, your overall rule threshold must be five minutes or more.

  8. Click Next.

3. Define Outcomes

Specify what happens when the rule triggers. There are four possible outcomes:

  • Threat Center creates an alert.

  • Threat Center creates a case or Case Manager creates an incident.

  • Correlation Rules sends an email notification. If you have an Exabeam Security Log Management license, this is the only possible outcome.

  • Correlation Rules sends information to a webhook.

If you have Threat Center, it automatically creates an alert whenever a rule triggers.

For Advanced Analytics to generate Smart Timeline alerts from a triggered correlation rule, two conditions must be met:

  • The event that triggered the rule must contain user, src_host, and dest_host fields and at least one must have a value.

  • At least one sequence in the rule must use the Group by Field functionality with user, src_host, or dest_host fields and these fields must have a value.

Designate Threat Center Alert as an Outcome

To create an alert in Threat Center, click Next. You don't specify an outcome. An alert is automatically created in Threat Center.

Designate Threat Center Case or Case Manager Incident as an Outcome

Depending on your license, Threat Center creates a case or Case Manager creates an incident.

  1. If you're designating a Threat Center case as an outcome, ensure you've enabled the Create Correlation Case pre-built Automation Management playbooks. The Create Correlation Case pre-built playbooks must be enabled for Threat Center to create a case when the correlation rule triggers.

  2. Select Create a Case.

  3. Enter a case description.

  4. Click Next.

Designate Email Notification as an Outcome

Notify people in your organization that the rule was triggered. If you have a Exabeam Security Log Management license, this is the only possible outcome.

  1. Select Send an Email.

  2. Enter information about the email:

    • In Recipients, enter the recipients' email addresses.

    • In Subject, enter the email subject.

    • In Description, enter the email content.

    • To send the top 1000 associated events as an email attachment, select Attach events as CSV (limit 1,000).

  3. Click Next.

Designate Webhook as an Outcome

  1. Ensure that you've added the webhook in Exabeam Security Operations Platform settings.

  2. Select Send to Webhook.

  3. From the list, select up to three Webhooks. If there are no Webhooks defined in your system or the Webhook you want to use is not in the list, click Add a new webhook in settings and add a Webhook.

  4. Click Next.

4. Finalize Correlation Rule Details

  1. Enter information about the rule:

    • Rule Name – Enter a rule name.

    • (Optional) Use Case – From the list, select an Exabeam use case most relevant to the rule. To search for a specific use case, start typing.

    • (Optional) Tags – Add up to 10 tags. Select from a list of existing tags or create a new one. Tags are shared among Exabeam Security Operations Platform applications, and you can search for them in Search, Dashboards, and Threat Center using the tags: field.

    • (Optional) MITRE – From the list, select up to 10 MITRE ATT&CK® techniques most relevant to the rule. To search for a specific ATT&CK technique, start typing. To view more information about a technique on the MITRE organization's website, click CRMitreMoreInfoIcon.png.

    • (Optional) Rule Severity – On the scale, select a severity: None, Low, Medium, High or Critical.

  2. (Optional) To prevent an alert from over-triggering, suppress the rule from triggering repeatedly:

    1. Under Triggering Suppression, toggle Suppress Repeating Trigger on, then specify how long the rule is suppressed after it's first triggered. For example, if you set the suppression period to two minutes, if a rule triggers once, then triggers again within two minutes, the second trigger is suppressed. If the rule triggers more than 50 times in five minutes, Correlation Rules automatically disables the rule.

    2. (Optional) If you used the Group by Field functionality in any sequence or designated common properties for the rule, you can suppress the rule when it triggers repeatedly on the values of a specified field. Within the suppression period, the rule triggers on the first event with a specific field value but is suppressed for all subsequent events with the same field value. For another event with the same field but a different value, the rule triggers again.

      Toggle Granular Suppression on, then under Grouping Field/s, select the fields by which the rule is suppressed.

  3. (Optional) To ensure the rule evaluates late-arriving events, delay the rule from evaluating events until all events have arrived. Toggle Delay Rule Evaluation For on, then specify how long the rule waits before evaluating events. You can specify a time between seven and 360 minutes. To determine the correct value using the Log Delay Insights dashboard, click Log Delay Dashboard.

  4. (Optional) Determine if and how the rule is enabled:

    • To immediately enable the rule after it's created, toggle Enable Rule on.

    • To test the rule, enabling it but suppressing the outcomes, click Test Mode.

5. Review and Save the Correlation Rule

  1. Under Summary, review the sequences and outcomes you defined.

  2. Click Save.