Correlation Rules Features Introduced in 2023
November 2023
This release does not include new features for Correlation Rules.
October 2023
The following Correlation Rules features were introduced in October 2023:
Feature | Description |
---|---|
Increased Number of Correlation Rule Templates | Exabeam has introduced 4 new Correlation Rule templates that cover the following use cases: |
Granular Suppression | To prevent you from missing a detection when a correlation rule is suppressed for a specific grouped field, you can now choose to suppress the rule by a specific value. You can set the specific value when you configure the granular suppression threshold during the Correlation Rule creation process. |
Increased Trigger Delay | The rule trigger delay has been increased to allow you to choose a delay of up to six hours. This enables you to view events triggered by the rules that come in up to six hours late. For more information, see Determine Rule Delay Value. |
September 2023
The following Correlation Rules features were introduced in September 2023:
Feature | Description |
---|---|
Increased Number of Correlation Rule Templates | Exabeam has introduced 5 new Correlation Rule templates. These new templates cover the following use cases: |
Automatic Alert Creation | If your license supports Alert and Case Management, you can now create or edit a rule without specifying an outcome. A default alert will be generated with Alert and Case Management when the rule triggers. |
Aggregation Condition Enhancement | When defining the conditions that must be met for your rule sequence to trigger, if you use aggregation functions (count, unique count, min, max, average, sum), you can now specify two values and choose to trigger the rule if the calculated value falls between these two values (inclusive). |
August 2023
The following Correlation Rule features were introduced in August 2023:
Feature | Description |
---|---|
Increased Number of Correlation Rule Templates | Exabeam has introduced 5 new Correlation Rule templates. These new templates enable you to create new types of correlation rules with a focus on Windows. These new templates cover the following use cases: |
API Supported Rule Chaining | A new API for Correlation Rules has been introduced to support the creation of chained correlation rules. This enables you to quickly create and manage Correlation Rules at scale using the Exabeam API. |
Notification and Handling of Rules with Errors | For rules built on queries that use context tables or custom fields, Correlation Rules now automatically disables a rule that runs into an error and sends an email notification. This helps you to proactively address rules that are no longer active. |
Associated Events Included in Email Outcomes | You can now attach the top 1,000 associated events to the Email outcome of a correlation rule trigger. This enables you to view the associated events without having to access Search, allowing for quicker investigation and triage. |
July 2023
The following Correlation Rule features were introduced in July 2023:
Feature | Description |
---|---|
Increased Number of Correlation Rule Templates | Exabeam has introduced 10 new Correlation Rule templates. This enables you to create new types of correlation rules using standard correlation rule templates for the following use cases: |
Chained Correlation Rules | Correlation Rules has been enhanced to allow you to define multiple sequences (query + condition) in a single rule, with common field values across sequences. This enables you to create high-fidelity rules that detect a sequence of varying or similar events occurring one after another within a given period. |
Enhanced Search Testing | Correlation Rules has enhanced the query testing ability so that you can fine-tune and perfect your queries before adding them to your rule. |
June 2023
The following Correlation Rule features were introduced in June 2023:
Feature | Description |
---|---|
Increased Number of Correlation Rule Templates | Exabeam has introduced 20 new Correlation Rule templates. This enables you to create new types of correlation rules using standard correlation rule templates for the following use cases: |
May 2023
Feature | Description |
---|---|
Webhook Status Visibility | Correlation Rules now displays information on the current status of the webhooks. Now, when the sending of a rule trigger to a webhook has failed, you have the information necessary to proactively fix issues with the webhooks. |
Aggregated Condition Values Visibility | Correlation Rules now displays the values for aggregated conditions in the events. Previously, when a rule was triggered on aggregated conditions, you had no way of knowing the actual value that triggered the rule. This provides you with additional contextual information during an investigation. |
Raw Log from First Match Trigger | Correlation Rules now provides the raw log from the first time a correlation rule is triggered, rather than just a link to the log. Now, you can run playbooks which include information from an event that triggered a rule within Case Manager. This change enables greater automation and flexibility when remediating cases as a result of a rule trigger. |
April 2023
Feature | Description |
---|---|
Notifications for Auto Disabling of Correlation Rules | Correlation Rules has been enhanced to show notifications within the application if a rule has been automatically disabled due to violating the 50 triggers in 5 minutes guardrail. Previously, notifications were only sent by email, and only if the Correlation Rule had an email outcome. In addition, the notification email sent for auto-disabled rules now contains a link that takes you directly to the rules display page. This ensures that you are immediately aware of any malformed rules, so you can take action to modify your rule. |
Custom and Metadata Fields in Correlation Rule Conditions | Correlation Rules has been enhanced to allow you to choose custom and metadata fields when building conditions for your Correlation Rule. Previously, only fields contained in the Common Information Model were available for selection. |
Bulk Enabling and Disabling of Correlation Rules | Correlation Rules has been enhanced to provide you the ability to enable and disable multiple rules at one time. Previously, rules had to be enabled or disabled one by one. This provides improved ease of use and management of Correlation Rules. |
Correlation Rule Tags | Correlation Rules has been enhanced to allow you to add custom tags to your rules. Previously, the only tags allowed were Exabeam use cases and MITRE ATT&CK® TTPs. You can enter any text into the tags field; your rule will be tagged and will be searchable by that tag. All rule triggers will also contain that tag in the trigger event. This allows for greater flexibility in reporting and easier triage. |
View Correlation Rule Details | Correlation Rules has been enhanced to allow you to quickly view a summary of all of the details about a rule in one panel. Previously, the only way to view these details was to go into edit mode for a rule and then navigate through the pages of the wizard (query, conditions, outcomes, etc.) to see all of the details. |
Clone Correlation Rule | Correlation Rules has been enhanced to allow you to clone an existing rule as a starting point for creating a new correlation rule. Previously, all rules had to be created from scratch. This allows you to create rules that have small variations in them without having to create the entire rule over and over again. |
Delay Correlation Rule | When authoring a new rule, Correlation Rules allows you to enter a time delay for your rule. The window of time in which the rule evaluates events is a 4-minute window. Setting this time delay moves the sliding window's start time back by the delay that you specify. This ensures that events parsed from logs that arrived late are not skipped. |
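To make the delayed sliding window concrete, the following is an added example and not Exabeam code (it models the behaviour the release notes describe, not the product's implementation): a 4-minute evaluation window is shifted back by a configurable delay, and the per-group count is checked against the inclusive "between two values" condition from the September aggregation enhancement. The Event fields, the user names and the timestamps are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Evaluation window length described on the page: 4 minutes.
WINDOW = timedelta(minutes=4)


@dataclass(frozen=True)
class Event:
    event_time: datetime    # timestamp carried in the raw log
    ingest_time: datetime   # when the event became visible to the rule engine
    user: str               # the field the rule groups by (constructed)


def evaluate(events, now, delay, low, high):
    """Return {user: count} for users whose count in the delayed window
    satisfies low <= count <= high (the inclusive 'between' condition).

    Without a delay the window is [now - WINDOW, now). A delay shifts the
    whole window back, so logs that arrived late are still evaluated.
    """
    end = now - delay
    start = end - WINDOW
    counts = {}
    for e in events:
        if e.ingest_time > now:          # not ingested yet: invisible to the rule
            continue
        if start <= e.event_time < end:
            counts[e.user] = counts.get(e.user, 0) + 1
    return {u: c for u, c in counts.items() if low <= c <= high}


# Constructed sample: four events for "alice" with log timestamps at minutes
# 1-4, each reaching the platform 30 minutes late; "bob" has one on-time event.
T0 = datetime(2023, 4, 1, 12, 0, 0)
LATE = timedelta(minutes=30)
SAMPLE = [Event(T0 + timedelta(minutes=m), T0 + timedelta(minutes=m) + LATE, "alice")
          for m in (1, 2, 3, 4)]
SAMPLE.append(Event(T0 + timedelta(minutes=2), T0 + timedelta(minutes=2), "bob"))


def compare_delays(low=3, high=5, now=T0 + timedelta(minutes=35)):
    """Evaluate the same rule at the same instant with and without a delay."""
    return {
        "no_delay": evaluate(SAMPLE, now, timedelta(0), low, high),
        "delay_30m": evaluate(SAMPLE, now, LATE, low, high),
    }


if __name__ == "__main__":
    print(compare_delays())   # {'no_delay': {}, 'delay_30m': {'alice': 4}}
```

Without the delay the window at 12:35 covers 12:31 to 12:35 and the late events, whose log timestamps are 12:01 to 12:04, are never counted; with a 30-minute delay the window is shifted to 12:01 to 12:05 and the four events trigger the rule.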
March 2023
Feature | Description |
---|---|
Added MITRE ATT&CK® Techniques and Tactics | Correlation Rules has been enhanced to allow you to select a MITRE ATT&CK® technique when creating a new rule. You will also be able to see the MITRE ATT&CK® tactics as well as the techniques that are mapped to each tactic. You will be able to filter your rules by technique, and to search by the MITRE ATT&CK® ID and/or name when searching for rule triggers or alerts. |
Improved Mean Time To Detect | The Mean Time To Detect (the time between the raw log timestamp and the time when a correlation rule would trigger on that log) has been reduced. |
February 2023
Feature | Description |
---|---|
Webhooks | Correlation Rules now allows you to create a Webhook and supports sending a message to the Webhook as an outcome to a rule trigger. |
Improved Notification Email Formatting | The formatting in the email sent as the result of a Correlation Rule trigger has been greatly improved, making the notification much easier to read. |
Secured Resources | Exabeam introduces Secured Resources functionality, a new capability to configure restricted log event subsets and limit their visibility based on a role. This provides a powerful mechanism to control data access for specific roles. These restrictions apply to Search, Dashboards, and Correlation Rule Builder. When building your query for a rule, you will be informed when your access to certain events is restricted. This helps to explain why you might be receiving fewer search results than you expected. |
January 2023
Feature | Description |
---|---|
Context Table Queries | Correlation Rules now support queries that compare a field's value against context tables. This enables you to manage large lists of indicator of compromise (IOC) fields and search against these lists, providing a way to leverage your company context for your searches. |