Correlation Rules Release Notes

Correlation Rules Features Introduced in 2025

June 2025

The following features were introduced in Correlation Rules in June 2025:

New and Updated Correlation Rule Templates

You can now better identify insider threats with new and updated correlation templates.

New correlation rule templates include:

  • UBA: Large number of denied access events towards external domain – A large number of denied outbound requests to external domains were detected from a single IP address, which indicates potential command and control or network discovery

  • UBA: Account or Group or Privileges Modified – Indicates when a user account was affected by an action which changes the user’s effective privileges

  • UBA: Anonymous User Accessed a Resource – Detects an anonymous user accessing a resource

  • UBA: External User Failed Mailbox Login – Detects repeated failures to log in to mailbox from an external user

  • UBA: Failed to Set Mailbox Audit Logging Bypass – Detects when a user failed to correctly set mailbox audit logging bypass

  • UBA: Sharing Link Sent to Guest – Detects a sharing invitation being sent to a guest

  • UBA: Sharing Policy Changed or Shared External (SharePoint/OneDrive) – Detects when an item's sharing policy is changed to share with a guest user

  • UBA: User Added to a Group on SharePoint or OneDrive by Site Admin – Detects a user being added to a group in SharePoint or OneDrive by a System Admin

  • UBA: User Failed to be Added to Role – Detects when an attempt to add a user to a role fails

  • UBA: DPAPI Backup Master Key Recovery Attempted – A recovery attempt of the DPAPI master key has been observed.

  • UBA: Possible Directory Services Enumeration – Detects reconnaissance attempts that enumerate directory services.

  • UBA: Possible SMB Session Enumeration on a Domain Controller – 20 SMB access attempts have been observed from this user.

  • UBA: Malware Activity - Registry Modified In Bulk – Detects processes that create or modify registry values in bulk within a short interval.

  • UBA: Volume Shadow Copy Created – Volume shadow copies have been created using the vssadmin or wmic process

  • Large amount of failed mailbox login events for this user – 10 failed mailbox login events have been observed for a single user within 1 minute

  • Multiple failed VPN logins from a single IP address – 10 failed VPN logins have been observed from a single IP address within 1 minute

  • Multiple VPN logins from a single IP address – 10 successful VPN logins have been observed from a single IP address within 1 minute

  • Cross-site Scripting – Monitor for web requests containing suspicious input patterns which may indicate cross-site scripting attempts

  • Directory traversal – Identify requests attempting to access unauthorized directories using traversal sequences

  • SQL injection – Detect inbound HTTP requests that suggest SQL injection activity

  • Server-side request forgery – Identifies outbound HTTP requests from internal servers to internal IP ranges that may indicate SSRF exploitation

  • Security logging and monitoring failures Syslogd – Alert when syslogd logging services are stopped

  • Software and data integrity failures web root – Detect unauthorized changes to critical files, unsigned software updates, or tampering with CI/CD pipelines

  • Insecure design remote JMX access – Monitor for application behavior that exposes sensitive functionality without proper controls, such as debug endpoints or unprotected admin interfaces

  • MFA request generation: repeated OKTA push denies – Multi-Factor Authentication Request Generation

Updated correlation rule templates include:

  • UBA: Suspicious Improbable Travel – A user logs in from two or more geographically distant locations within a short timeframe, making it physically impossible to travel between those locations

  • UBA: Multiple failed VPN login attempts from a single IP – Multiple failed login attempts were detected from a single IP address within a specific time frame via VPN accounts, which indicates a brute-force attack.

  • UBA: Multiple VPN logins from single IP – Login attempts for multiple VPN accounts were detected from a single IP address within a specific time frame.

May 2025

The following features were introduced in Correlation Rules in May 2025:

Correlation Rules Insights

To make informed decisions about authoring and tuning rules, you can now view insights about your correlation rules directly in Correlation Rules, including:

  • The total number of correlation rules in your environment and a pie chart of their statuses

    Image: The Available Rules pie chart.

  • The number of created sequences

    Image: The Rules Sequence Limit chart.

  • A line chart of the number of correlation rules triggered in enabled and testing statuses over the past 30 days

    Image: The Rules Triggers in Last 30 Days by Status line graph.

April 2025

This release does not include new features for Correlation Rules.

March 2025

This release does not include new features for Correlation Rules.

February 2025

The following features were introduced in Correlation Rules in February 2025:

Stopped and Testing Statuses

You can now better understand the state of a correlation rule with two new statuses: Stopped and Testing.

The Stopped status indicates that the rule has triggered more than 50 times in five minutes and has automatically been disabled.

The Testing status indicates that the rule is enabled in test mode and its outcomes are suppressed.

Image: A correlation rule with Testing status.

You can also filter correlation rules by the new statuses.

Image: The Status filters for correlation rules.

Select Outcomes Enhancements

When you create or edit a correlation rule, the step to Select Outcomes now clearly explains what happens when a rule triggers and the possible outcomes:

  • Designating outcomes for a rule is optional.

  • An event is created every time a rule triggers, even in test mode. If a rule triggers and isn't in test mode, the activity type of the event is rule-trigger. If a rule triggers in test mode, the activity type of the event is rule-trigger-test.

  • If you have a license that supports Threat Center, Threat Center may also create an alert when a rule triggers, depending on whether the rule is in test mode. If the rule triggers and isn't in test mode, Threat Center creates an alert. If the rule triggers and is in test mode, Threat Center doesn't create an alert.
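The three behaviours described on this page, the per-key threshold rules in the June templates (for example "10 failed VPN logins from a single IP address within 1 minute"), the Stopped status that disables a rule after more than 50 triggers in five minutes, and the rule-trigger / rule-trigger-test outcome distinction for test mode, all come down to windowed counting. The following is an added example, not Exabeam's code or the product's actual implementation: it models one correlation rule as an event filter, a sliding-window threshold keyed on a field, and a trigger-storm guard. The VPN log line format, the field names (src, user, result), the helper names and the sample lines are all constructed for illustration.

```python
# Added example, not Exabeam's code: a keyed sliding-window threshold detector
# of the kind the June templates describe ("10 failed VPN logins from a single
# IP address within 1 minute"), with the trigger-storm guard behind the Stopped
# status (">50 triggers in five minutes") and the test-mode outcome rules above.
# The VPN log format, field names and sample lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta


class WindowedThreshold:
    """Fires when at least `count` events for one key fall inside `window`.

    Events are assumed to arrive in time order per key. The key's history is
    cleared when it fires, so one burst yields one trigger, not one per event.
    """

    def __init__(self, count, window):
        self.count = count
        self.window = window
        self._seen = defaultdict(deque)

    def observe(self, key, ts):
        q = self._seen[key]
        q.append(ts)
        while q and q[0] < ts - self.window:  # discard events outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


class CorrelationRule:
    """An event filter, a keyed threshold, and the automatic-disable guard."""

    STORM_LIMIT = 50                     # more than 50 triggers in five minutes
    STORM_WINDOW = timedelta(minutes=5)  # moves the rule to Stopped

    def __init__(self, name, match, key_field, count, window, test_mode=False):
        self.name = name
        self.match = match          # predicate selecting the events the rule sees
        self.key_field = key_field  # e.g. "src": count per source IP address
        self.detector = WindowedThreshold(count, window)
        self.test_mode = test_mode
        self.status = "Testing" if test_mode else "Enabled"
        self._storm = WindowedThreshold(self.STORM_LIMIT + 1, self.STORM_WINDOW)
        self.triggers = []

    def evaluate(self, event):
        """Return the rule-trigger event created for `event`, or None."""
        if self.status == "Stopped" or not self.match(event):
            return None
        if not self.detector.observe(event[self.key_field], event["ts"]):
            return None
        trigger = {
            "rule": self.name,
            "key": event[self.key_field],
            "ts": event["ts"],
            # test-mode triggers are typed rule-trigger-test and raise no alert
            "activity_type": "rule-trigger-test" if self.test_mode else "rule-trigger",
            "creates_alert": not self.test_mode,
        }
        self.triggers.append(trigger)
        if self._storm.observe(self.name, event["ts"]):
            self.status = "Stopped"  # trigger storm: disable the rule automatically
        return trigger


def parse_vpn_line(line):
    """Parse the constructed format '<iso-ts> vpn <result> src=<ip> user=<name>'."""
    ts, _, result, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "result": result, **fields}


def failed_logins(ip, n, start="2025-06-01T10:00:00"):
    """Constructed input: n auth_failure lines from `ip`, one second apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i)).isoformat()} vpn auth_failure src={ip} user=u{i}"
            for i in range(n)]


def make_vpn_rule(count=10, window_seconds=60, test_mode=False):
    """The 'Multiple failed VPN logins from a single IP address' template."""
    return CorrelationRule("Multiple failed VPN logins from a single IP address",
                           lambda e: e["result"] == "auth_failure", "src",
                           count, timedelta(seconds=window_seconds), test_mode)


def run_rule(rule, lines):
    """Feed log lines through a rule and return the triggers it produced."""
    for line in lines:
        rule.evaluate(parse_vpn_line(line))
    return rule.triggers


# Constructed sample: 12 failures from one address inside a minute (fires once),
# 3 from another address (below threshold, no trigger).
SAMPLE = failed_logins("203.0.113.7", 12) + failed_logins("198.51.100.9", 3)
```

Running `run_rule(make_vpn_rule(), SAMPLE)` yields a single rule-trigger event keyed on 203.0.113.7 at the tenth failure; the same rule built with `test_mode=True` yields a rule-trigger-test event with `creates_alert` false and keeps the Testing status. Lowering the threshold to `count=1` and feeding 60 one-second-apart failures shows the guard: the 51st trigger inside five minutes flips the status to Stopped and later events are ignored. Clearing a key's history on fire is a design choice that keeps one burst from producing one trigger per event, which is exactly the kind of storm the Stopped status exists to contain.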

Correlation Rule Details Severity Enhancement

When you view correlation rule details, you can now more quickly identify the rule severity:

Image: The details of a correlation rule showing critical severity and a static risk score of 90.

  • The severity value is now positioned first in its section.

  • The severity is now color-coded according to its value: Critical, High, Medium, or Low.

Rule Evaluation Delay Explanation

When you create or edit a correlation rule, the step to configure a rule evaluation delay now clearly explains what rule evaluation delay is and that rules are delayed from evaluating events for seven minutes by default.

Image: The option to edit the rule evaluation delay and an explanation of what rule evaluation delay is: Consider adjusting the rule evaluation delay if the rule relies heavily on the timely arrival of events and late-arriving events can significantly affect its accuracy.

Image: The modal to edit the rule evaluation delay, with information about checking the Log Delay dashboard to help determine the appropriate rule evaluation delay value.

Rule Description Enhancements

You can now add more information to a correlation rule with descriptions.

When you create or edit a correlation rule, you can now add a description about the rule.

Image: The Review & Save step of creating or editing a correlation rule, with the Rule Description field highlighted with a red rectangle.

This description appears in the list of correlation rules and rule details.

Image: A correlation rule in the list with the rule description highlighted with a red rectangle.

Image: Details of a correlation rule with the rule description highlighted in a red rectangle.

If you use a correlation rule template, the correlation rule template description is automatically reused as the description of your new correlation rule.

Triggered Value to Search Navigation

To view all events related to a correlation rule, you can now navigate to Search using a link next to the number of times a rule has been triggered. The query automatically entered in Search is rules.rule: "<rule name>".

The link appears in the list of correlation rules:

Image: A correlation rule in the list with its link to Search highlighted with a red rectangle.

The link also appears when you view the correlation rule details:

Image: Correlation rule details with the link to Search highlighted with a red rectangle.

Email Notification Address Change

Email notifications sent as an outcome are now sent from [email protected].

To ensure any rules for filtering emails or creating third-party tickets work properly, ensure they use the new email address.

New Region Support for the UK

Support for Correlation Rules now extends to the UK region. You can now access and use Correlation Rules in the UK.

January 2025

The following features were introduced in Correlation Rules in January 2025:

Threat Center Outcomes Exclusions for Test Mode

To ensure you investigate and triage only real threats in Threat Center, correlation rules in test mode no longer create Threat Center cases or alerts. Events created when a correlation rule in test mode triggers have the activity type rule-trigger-test.