
Correlation Rules Release Notes

Correlation Rules Features Introduced in 2025

February 2025

The following features were introduced in Correlation Rules in February 2025:


Stopped and Testing Statuses

You can now better understand the state of a correlation rule with two new statuses: Stopped and Testing.

The Stopped status indicates that the rule has triggered more than 50 times in five minutes and has automatically been disabled.

The Testing status indicates that the rule is enabled in test mode and its outcomes are suppressed.

A correlation rule with Testing status.

You can also filter correlation rules by the new statuses.

The Status filters for correlation rules.

Select Outcomes Enhancements

When you create or edit a correlation rule, the step to Select Outcomes now clearly explains what happens when a rule triggers and the possible outcomes:

  • Designating outcomes for a rule is optional.

  • An event is created every time a rule triggers, even in test mode. If a rule triggers and isn't in test mode, the activity type of the event is rule-trigger. If a rule triggers in test mode, the activity type of the event is rule-trigger-test.

  • If you have a license that supports Threat Center, Threat Center may also create an alert when a rule triggers, depending on whether the rule is in test mode. If the rule triggers and isn't in test mode, Threat Center creates an alert. If the rule triggers and is in test mode, Threat Center doesn't create an alert.
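The status and outcome behaviour described above (automatic Stopped status after more than 50 triggers in five minutes, rule-trigger versus rule-trigger-test events, and Threat Center alerts only outside test mode), modelled as an added example. This is illustrative code, not the product's own implementation; the sliding five-minute window and the "Enabled" status name are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds stated in the release notes: more than 50 triggers
# within five minutes moves the rule to Stopped.
STOP_THRESHOLD = 50
STOP_WINDOW_SECONDS = 5 * 60


@dataclass
class CorrelationRule:
    name: str
    test_mode: bool = False
    status: str = "Enabled"  # assumed name for a normal, enabled rule
    # Timestamps (seconds) of recent triggers; a sliding window is an assumption.
    _recent: deque = field(default_factory=deque)

    def __post_init__(self) -> None:
        # A rule enabled in test mode shows the Testing status.
        if self.test_mode:
            self.status = "Testing"

    def trigger(self, ts: float, threat_center_licensed: bool = True) -> dict:
        """Record a trigger at time ts; return the event and alert outcome."""
        if self.status == "Stopped":
            # A stopped rule has been disabled automatically: no event, no alert.
            return {"event": None, "alert": False, "status": self.status}
        self._recent.append(ts)
        while self._recent and ts - self._recent[0] > STOP_WINDOW_SECONDS:
            self._recent.popleft()
        # An event is created on every trigger, even in test mode;
        # only the activity type differs.
        activity = "rule-trigger-test" if self.test_mode else "rule-trigger"
        # Threat Center creates an alert only for non-test triggers.
        alert = threat_center_licensed and not self.test_mode
        if len(self._recent) > STOP_THRESHOLD:
            self.status = "Stopped"
        return {"event": activity, "alert": alert, "status": self.status}


def search_query(rule: CorrelationRule) -> str:
    """Query the 'triggered' link enters in Search for this rule."""
    return f'rules.rule: "{rule.name}"'
```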

Correlation Rule Details Severity Enhancement

When you view correlation rule details, you can now more quickly identify the rule severity:

The details of a correlation rule showing critical severity and a static risk score of 90.

  • The severity value is now positioned first in its section.

  • The severity is now color-coded according to its value: Critical, High, Medium, or Low.

Rule Evaluation Delay Explanation

When you create or edit a correlation rule, the step to configure a rule evaluation delay now clearly explains what rule evaluation delay is and that rules are delayed from evaluating events for seven minutes by default.

The option to edit the rule evaluation delay and an explanation of what rule evaluation delay is: Consider adjusting the rule evaluation delay if the rule relies heavily on the timely arrival of events and late-arriving events can significantly affect its accuracy.
The modal to edit the rule evaluation delay with information about checking the Log Delay dashboard to help determine the appropriate rule evaluation delay value.

Rule Description Enhancements

You can now add more information to a correlation rule with descriptions.

When you create or edit a correlation rule, you can now add a description about the rule.

The Review & Save step of creating or editing a correlation rule, with the Rule Description field highlighted with a red rectangle.

This description appears in the list of correlation rules and rule details.

A correlation rule in the list with the rule description highlighted with a red rectangle.
Details of a correlation rule with the rule description highlighted in a red rectangle.

If you use a correlation rule template, the correlation rule template description is automatically reused as the description of your new correlation rule.

Triggered Value to Search Navigation

To view all events related to a correlation rule, you can now navigate to Search using a link next to the number of times a rule has been triggered. The query automatically entered in Search is rules.rule: "<rule name>".

The link appears in the list of correlation rules:

A correlation rule in the list with its link to Search highlighted with a red rectangle.

The link also appears when you view the correlation rule details:

Correlation rule details with the link to Search highlighted with a red rectangle.

Email Notification Address Change

Email notifications sent as an outcome are now sent from [email protected].

To ensure any rules for filtering emails or creating third-party tickets work properly, ensure they use the new email address.

New Region Support for the UK

Support for Correlation Rules now extends to the UK region. You can now access and use Correlation Rules in the UK.

January 2025

The following features were introduced in Correlation Rules in January 2025:


Threat Center Outcomes Exclusions for Test Mode

To ensure you investigate and triage only real threats in Threat Center, correlation rules in test mode no longer create Threat Center cases or alerts. Events created from a triggered correlation rule in test mode have the activity type rule-trigger-test.