
Correlation Rules Release Notes

Correlation Rules Features Introduced in 2024

November 2024

The following features were introduced in Correlation Rules in November 2024:


Rule Export and Import

To share correlation rules between environments, or to convert them to Sigma rules, you can now export correlation rules from one environment and import them into another.


October 2024

The following features were introduced in Correlation Rules in October 2024:


Sequence Limit Clarification

The Correlation Rules application now states clearly, wherever it applies, that there is a limit on the number of sequences you can enable.


September 2024

The following features were introduced in Correlation Rules in September 2024:


Sequence Query Expansion

In the query you use to create a sequence, you can now:

August 2024

This release does not include new features for Correlation Rules.

July 2024

This release does not include new features for Correlation Rules.

June 2024

This release does not include new features for Correlation Rules.

May 2024

This release does not include new features for Correlation Rules.

April 2024

The following features were introduced in Correlation Rules in April 2024:


Triggered Correlation Rule Event Enhancements

When a correlation rule triggers, Correlation Rules creates an event that you can then search for in the Search application. Fields in these events were added, removed, renamed, and reorganized.

The rules field was added to triggered correlation rule events. It contains an array of triggered rule properties.

Fields moved under the rule field include:

  • mitre_labels – MITRE ATT&CK® tactics and techniques associated with the triggered rule.[a]

  • rule – The rule name.

  • rule_id – The rule ID.

  • rule_reason – The condition that was satisfied, causing the correlation rule to trigger.

  • rule_severity – The severity associated with the rule: None, Low, Medium, High, or Critical.

  • rule_usecases – The Exabeam use cases associated with the triggered rule.

The url field was renamed event_url. The field identifies a URL to the Search application with a query for events associated with the triggered rule.

Fields removed from triggered correlation rule events include:

  • alert_source

  • trigger_time

[a] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.
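Anything downstream that consumes triggered correlation rule events (a SIEM forwarder, a SOAR playbook, a ticketing integration) has to cope with both layouts while old and new events coexist. The following is an added example, not Exabeam code: it normalizes an event from either layout into the post-April-2024 shape, drops the fields this release removes, and validates rule_severity against the documented values. The post-change layout follows this release note; the pre-change layout (rule fields at top level, a url field, and alert_source and trigger_time present) and the assumption that each entry of the rules array carries the fields listed above are assumptions, and the sample events are constructed.

```python
"""Normalize Exabeam triggered-correlation-rule events across the April 2024 field changes.

Added example, not Exabeam's code. Post-change layout follows the release note.
The pre-change layout and the exact contents of the `rules` array are ASSUMPTIONS.
"""
import json

# Fields the release note says now live under the rule entry (assumed to be the
# elements of the `rules` array).
RULE_FIELDS = ("rule", "rule_id", "rule_reason", "rule_severity",
               "rule_usecases", "mitre_labels")
# Documented rule_severity values.
SEVERITIES = {"None", "Low", "Medium", "High", "Critical"}
# Fields the release note says were removed from triggered events.
REMOVED_FIELDS = ("alert_source", "trigger_time")


def normalize_triggered_event(event: dict) -> dict:
    """Return the event in the post-change shape regardless of which layout it arrived in."""
    if "rules" in event:
        # New layout: rule properties already nested in an array.
        rules = [dict(r) for r in event["rules"]]
    else:
        # Assumed legacy layout: rule properties at the top level of the event.
        rules = [{k: event[k] for k in RULE_FIELDS if k in event}]

    for r in rules:
        sev = r.get("rule_severity")
        if sev is not None and sev not in SEVERITIES:
            raise ValueError(f"unexpected rule_severity: {sev!r}")
        r.setdefault("mitre_labels", [])
        r.setdefault("rule_usecases", [])

    out = {"rules": rules}
    # `url` was renamed `event_url`; accept either name.
    url = event.get("event_url", event.get("url"))
    if url is not None:
        out["event_url"] = url

    # Pass every other field through, except the relocated ones and the ones the
    # new format no longer carries.
    consumed = set(RULE_FIELDS) | set(REMOVED_FIELDS) | {"rules", "url", "event_url"}
    for k, v in event.items():
        if k not in consumed:
            out[k] = v
    return out


def rule_ids(event: dict) -> list:
    """Convenience: the rule IDs of a triggered event in either layout."""
    return [r["rule_id"] for r in normalize_triggered_event(event)["rules"]]


# Constructed sample events (not real Exabeam output); same trigger, two layouts.
_RULE = {
    "rule": "Example: repeated failed logons followed by success",
    "rule_id": "CR-EXAMPLE-001",          # placeholder ID
    "rule_reason": "threshold met",
    "rule_severity": "High",
    "rule_usecases": ["Compromised Credentials"],
    "mitre_labels": ["T1110"],
}
_URL = "https://search.example.invalid/?q=rule_id%3DCR-EXAMPLE-001"  # placeholder URL

LEGACY_EVENT = {**_RULE, "url": _URL, "alert_source": "correlation-rules",
                "trigger_time": "2024-01-15T10:00:00Z", "user": "jdoe"}
NEW_EVENT = {"rules": [dict(_RULE)], "event_url": _URL, "user": "jdoe"}

if __name__ == "__main__":
    print(json.dumps(normalize_triggered_event(LEGACY_EVENT), indent=2))
```

Run it directly to see the legacy sample rewritten into the new shape; detection content that keys on rule_id or rule_severity can then read one shape only, and an unexpected severity string surfaces as an error rather than silently failing a match.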

March 2024

This release does not include new features for Correlation Rules.

February 2024

The following features were introduced in Correlation Rules in February 2024:


Webhook Outcome Enhancements

For correlation rules that trigger on first match, you can now clearly identify the event that triggered the rule in the webhook outcome. The related_event field now contains the raw log of the event that triggered the rule.

January 2024

The following features were introduced in Correlation Rules in January 2024:


Unordered Sequences

You can now detect more complicated threats where behaviours occur around the same time, but not one after another. All sequences and their conditions can be satisfied in any order for the rule to trigger.


Event or Field Absence Detection

You can now identify when you have stopped receiving a specific log, which may indicate a problem collecting or ingesting data from a specific machine. Detect missing events, fields, or values that were previously present by using the Less Than term in condition statements.


When you detect missing events, fields, or values, you can also use context tables in the sequence query to identify events or fields of interest.


Improved Email Notification Outcome

You can now make more informed choices using the email notification outcome. Email notifications now detail the triggered rule sequences, common properties, and overall rule threshold.