Create a Correlation Rule Using the Exabeam Nova Rule Creator
Create a correlation rule by prompting Exabeam Nova with natural language descriptions of the correlation rule you want to create.
On the Rules tab, click + New Rule, then select Exabeam Nova Rule Creator.
In Describe the rule you want to create, enter a natural language description of the correlation rule you want to create. For best results, ensure that you mention:
The activity the correlation rule detects; for example, lateral movement or unauthorized remote control
The conditions that trigger the correlation rule; for example, a user logs into or initiates a remote command session on another endpoint using remote-execution tools (e.g., PsExec, WinRM/PowerShell Remoting, SSH, WMI)
The time frame of the trigger activity; for example, more than 50 emails are delivered to the same recipient email address within a 5-hour rolling window
The outcome of the correlation rule; for example, send an email to [email protected] with "Alert: Potential Unauthorized Remote Control" as the email subject, and "A user has logged into or initiated a remote command session on another endpoint." as the email description.
Suppression behavior; for example, after the first trigger, suppress the rule from triggering on the same value within the next two minutes
Any restrictions for when the correlation rule triggers; for example, the first Monday of every month, on the weekends only
To help you get started, Exabeam Nova Rule Creator lists a number of clickable example prompts. When you click on an example prompt, it automatically populates the text input box, which you can then send to Exabeam Nova or customize.
To send the description to Exabeam Nova Rule Creator, click the send button. Exabeam Nova Rule Creator validates whether your description meets correlation rule field requirements, then generates a draft of the correlation rule.
Review the correlation rule draft. To continue tuning the correlation rule, keep prompting Exabeam Nova Rule Creator with the changes you want to see in the correlation rule.
You can also ask Exabeam Nova Rule Creator other questions about correlation rules; for example, what a group-by field, granular suppression, or correlation rule evaluation delay is.
To create the correlation rule, click the create button.
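To make the prompt checklist concrete, the following added example (not Exabeam code; the event format, field names and alert shape are assumptions) implements the semantics of the email example above: a group-by field, a rolling time window with a threshold, and granular suppression after the first trigger, run over constructed sample events.

```python
from collections import defaultdict, deque

class RollingThresholdRule:
    """Rolling-window threshold rule with a group-by field and granular suppression,
    as in the checklist's email example: more than `threshold` events for one
    `group_by` value within `window_s` seconds, then suppress that value for `suppress_s` s."""

    def __init__(self, group_by, threshold, window_s, suppress_s):
        self.group_by, self.threshold = group_by, threshold
        self.window_s, self.suppress_s = window_s, suppress_s
        self._windows = defaultdict(deque)  # group value -> timestamps in window
        self._suppressed_until = {}         # group value -> suppression end time

    def evaluate(self, event):
        """Feed one event ({'ts': seconds, <group_by>: value}); return an alert dict or None."""
        key = event.get(self.group_by)
        if key is None:                     # no group-by field: nothing to correlate
            return None
        ts = event["ts"]
        window = self._windows[key]
        window.append(ts)
        while ts - window[0] > self.window_s:  # age events out of the rolling window
            window.popleft()
        if len(window) <= self.threshold:
            return None
        if ts < self._suppressed_until.get(key, float("-inf")):
            return None                     # suppressed: already alerted on this value
        self._suppressed_until[key] = ts + self.suppress_s
        return {"recipient": key, "count": len(window), "ts": ts}

def run_rule(rule, events):
    """Evaluate events in timestamp order and collect the alerts raised."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alert = rule.evaluate(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts

def sample_events():
    """Constructed sample (not real mail logs): 53 emails to one recipient a minute
    apart; 60 to another ten minutes apart (at most 31 in any 5-hour window);
    one event with no recipient field."""
    burst = [{"ts": i * 60, "recipient": "a@example.test"} for i in range(53)]
    slow = [{"ts": i * 600, "recipient": "b@example.test"} for i in range(60)]
    return burst + slow + [{"ts": 5, "sender": "x@example.test"}]

if __name__ == "__main__":
    rule = RollingThresholdRule("recipient", 50, 5 * 3600, 120)
    print(run_rule(rule, sample_events()))  # alerts at ts=3000 and ts=3120 only
```

The burst recipient fires on the 51st email and again once the two-minute suppression lapses, while the slow recipient never exceeds 50 within any 5-hour window.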