
Correlation Rules Guide

Preview Correlation Rule Details

Quickly view a summary of a correlation rule.

  1. On the Rules tab, click the More menu (three vertical dots) for a rule, then select View Details.

  2. View information about the rule:

    [Figure: the details panel of a correlation rule, with numbered callouts 1 to 6 matching the items below.]
    • 1 The rule status: Enabled, Enabled (test mode), Disabled, or Stopped.

    • 2 How many times the rule has triggered.

      To view all events related to the rule in Search, click the open-in-Search icon (a blue square with an arrow pointing diagonally out of its top-right corner). You're directed to Search, and the query rules.rule: "<rule name>" is entered automatically.

    • 3 The date and time the rule was last triggered.

    • 4 The rule sequences, including the search query that defines which events trigger the correlation rule and the conditions that must be satisfied for the rule to trigger.

    • 5 The rule outcomes; what happens when the correlation rule triggers.

    • 6 Other information about the rule, including:

      • Severity – The rule severity (None, Low, Medium, High, or Critical) and the associated risk score.

      • Name – The correlation rule name.

      • Author – Who created the correlation rule.

      • Use Case – The Exabeam use case most relevant to the rule.

      • MITRE Properties – The ATT&CK techniques most relevant to the rule.

      • Tags – Tags associated with the rule.

      • Entities – Entities associated with the rule.

      • Repeating Triggers – The field values used to suppress repeated triggers when the rule fires too often: further triggers with the same values for these fields are suppressed.

  3. (Optional) To edit the rule, click Edit Rule.
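The trigger count, last-triggered time, pre-filled Search query and Repeating Triggers suppression described above can be reasoned about offline. The following is an added illustration, not Exabeam code: it runs over a constructed set of trigger records (assumed to look like Search results with a rules.rule field and an ISO 8601 timestamp), derives the count and last-triggered time per rule, builds the rules.rule: "<rule name>" query with quotes in the rule name escaped (the escaping rule is an assumption about the Search syntax), and models suppression as "same rule plus same key field values within a time window", which is an assumed semantics for Repeating Triggers, not the product's documented behaviour.

```python
from datetime import datetime

# Constructed sample trigger records, shaped like Search results for a
# rules.rule query. These are not real Exabeam data.
TRIGGERS = [
    {"rules.rule": "Brute force from single source", "time": "2024-05-01T10:00:00Z", "src_ip": "10.0.0.5", "user": "alice"},
    {"rules.rule": "Brute force from single source", "time": "2024-05-01T10:00:30Z", "src_ip": "10.0.0.5", "user": "alice"},
    {"rules.rule": "Brute force from single source", "time": "2024-05-01T10:20:00Z", "src_ip": "10.0.0.5", "user": "alice"},
    {"rules.rule": "Brute force from single source", "time": "2024-05-01T10:01:00Z", "src_ip": "10.0.0.9", "user": "bob"},
    {"rules.rule": 'New admin "root" created', "time": "2024-05-01T11:00:00Z", "src_ip": "10.0.0.7", "user": "carol"},
]

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def search_query(rule_name: str) -> str:
    """Build the query the View Details link pre-fills: rules.rule: "<rule name>".
    Backslashes and double quotes inside the name are escaped so the quoted
    term stays well-formed (assumed escaping rule for the Search syntax)."""
    escaped = rule_name.replace("\\", "\\\\").replace('"', '\\"')
    return f'rules.rule: "{escaped}"'


def trigger_summary(triggers):
    """Per rule: how many times it triggered and when it last triggered
    (callouts 2 and 3 on the details panel)."""
    summary = {}
    for t in triggers:
        ts = datetime.strptime(t["time"], TIME_FORMAT)
        entry = summary.setdefault(t["rules.rule"], {"count": 0, "last": ts})
        entry["count"] += 1
        if ts > entry["last"]:
            entry["last"] = ts
    return summary


def suppress_repeats(triggers, key_fields, window_seconds):
    """Assumed model of the Repeating Triggers setting: once a rule fires for a
    given combination of key field values, further triggers with the same values
    within window_seconds of the last kept trigger are suppressed.
    Returns (kept, suppressed) in time order."""
    last_kept = {}
    kept, suppressed = [], []
    # ISO 8601 timestamps in one fixed format sort correctly as strings.
    for t in sorted(triggers, key=lambda r: r["time"]):
        ts = datetime.strptime(t["time"], TIME_FORMAT)
        key = (t["rules.rule"],) + tuple(t.get(f) for f in key_fields)
        prev = last_kept.get(key)
        if prev is not None and (ts - prev).total_seconds() < window_seconds:
            suppressed.append(t)
            continue
        last_kept[key] = ts
        kept.append(t)
    return kept, suppressed


if __name__ == "__main__":
    for name, info in trigger_summary(TRIGGERS).items():
        print(f'{name}: triggered {info["count"]}x, last {info["last"]:%Y-%m-%d %H:%M}')
        print("  search:", search_query(name))
    kept, dropped = suppress_repeats(TRIGGERS, ["src_ip", "user"], 600)
    print(f"kept {len(kept)}, suppressed {len(dropped)} with a 10-minute window on src_ip+user")
```

With a 10-minute window keyed on src_ip and user, the second brute-force trigger from 10.0.0.5/alice (30 seconds after the first) is suppressed, while bob's trigger and the 10:20 repeat from alice are kept; the summary still counts every raw trigger, which is the figure the details panel reports.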