When you create a correlation rule, you can toggle Group by Field on for a sequence. The Group by Field functionality groups the query results by the fields you select and creates subsets of events. The rule evaluates its conditions against each subset, and you can also suppress the rule based on a subset of events.
Each subset represents a unique combination of the fields you select. For example, let's say you select src_ip and email_address as the fields you're using for the Group by Field functionality, and the rule is evaluating the following events:
| Event | src_ip | email_address |
|---|---|---|
| Event 1 | 1.1.1.1 | |
| Event 2 | 1.1.1.1 | |
| Event 3 | 1.1.1.1 | |
| Event 4 | 2.2.2.2 | |
| Event 5 | 2.2.2.2 | |
| Event 6 | 2.2.2.2 | |
| Event 7 | 3.3.3.3 | |
| Event 8 | 3.3.3.3 | |
| Event 9 | 3.3.3.3 | |
Using the Group by Field functionality with the src_ip and email_address fields, the rule groups the events into the following subsets, one per unique combination of the two field values:
| Subset | src_ip | email_address | Number of Events |
|---|---|---|---|
| Subset 1 | 1.1.1.1 | | 3 |
| Subset 2 | 2.2.2.2 | | 3 |
| Subset 3 | 3.3.3.3 | | 3 |
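The following Python snippet is an added illustration of the grouping logic described above; it is not Threat Center code and does not reproduce the product's internals. It constructs nine sample events that mirror the table (three per src_ip) and adds hypothetical email_address values so that grouping by src_ip alone and grouping by src_ip plus email_address produce different subsets. The threshold rule (at least three events in a subset) and the per-subset suppression list are assumptions chosen for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

Event = Dict[str, str]
Key = Tuple[str, ...]

# Constructed sample events (not from a real log source). The first IP has
# two different email addresses so the two grouping choices differ.
EVENTS: List[Event] = [
    {"event": "Event 1", "src_ip": "1.1.1.1", "email_address": "a@example.com"},
    {"event": "Event 2", "src_ip": "1.1.1.1", "email_address": "a@example.com"},
    {"event": "Event 3", "src_ip": "1.1.1.1", "email_address": "b@example.com"},
    {"event": "Event 4", "src_ip": "2.2.2.2", "email_address": "c@example.com"},
    {"event": "Event 5", "src_ip": "2.2.2.2", "email_address": "c@example.com"},
    {"event": "Event 6", "src_ip": "2.2.2.2", "email_address": "c@example.com"},
    {"event": "Event 7", "src_ip": "3.3.3.3", "email_address": "d@example.com"},
    {"event": "Event 8", "src_ip": "3.3.3.3", "email_address": "d@example.com"},
    {"event": "Event 9", "src_ip": "3.3.3.3", "email_address": "d@example.com"},
]


def group_by_fields(events: Iterable[Event], fields: Sequence[str]) -> Dict[Key, List[Event]]:
    """Split events into subsets, one per unique combination of the given fields.

    An event missing one of the fields contributes an empty string for that
    position, so such events still land in a subset of their own rather than
    being dropped (a design choice for this example).
    """
    subsets: Dict[Key, List[Event]] = defaultdict(list)
    for ev in events:
        key: Key = tuple(ev.get(f, "") for f in fields)
        subsets[key].append(ev)
    return dict(subsets)


def evaluate_rule(
    events: Iterable[Event],
    fields: Sequence[str],
    min_events: int,
    suppressed: Sequence[Key] = (),
) -> List[Key]:
    """Return the subset keys that satisfy the rule condition.

    The condition here is a simple count threshold evaluated per subset, and
    `suppressed` lists subset keys for which the rule is muted, modelling
    suppression of the rule on a subset of events.
    """
    hits: List[Key] = []
    for key, subset in group_by_fields(events, fields).items():
        if key in suppressed:
            continue  # rule suppressed for this combination of field values
        if len(subset) >= min_events:
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Grouping by src_ip alone yields three subsets of three events each.
    for key, subset in group_by_fields(EVENTS, ("src_ip",)).items():
        print(key, len(subset))
    # Adding email_address splits 1.1.1.1 into two smaller subsets, so only
    # 2.2.2.2 and 3.3.3.3 reach the threshold of three events.
    print(evaluate_rule(EVENTS, ("src_ip", "email_address"), min_events=3))
    # Suppressing the 2.2.2.2 subset leaves a single hit.
    print(evaluate_rule(EVENTS, ("src_ip", "email_address"), 3,
                        suppressed=[("2.2.2.2", "c@example.com")]))
```

Because the condition is evaluated per subset, the fields you group by directly decide what counts as "the same" activity: a threshold that fires three times when grouping by src_ip may fire only twice, or not at all, once a second field is added.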
To successfully group correlation rule detections in Threat Center, the correlation rule Group by Field functionality must use the same fields by which you want to group detections in Threat Center. For example, to group correlation rule detections with the same User and Src Ip into the same alert, the correlation rule that created the detections must also group events by User and Src Ip.