Migrate Correlation Rules
Expected Duration: 1 to 20 minutes per rule, depending on complexity (average = 10 minutes)
Access Required:
In Data Lake, correlation rules can be created using new or saved search queries. In the Exabeam Security Operations Platform, correlation rules can also be created based on existing queries saved in the Search application or by building new queries directly in the Correlation Rules application. The migration procedure outlined below works directly in Correlation Rules.
The following diagram provides a high-level overview of the migration process.
To migrate a correlation rule from Data Lake to the Correlation Rules application, follow the steps below.
1. Log into Data Lake, navigate to Settings > Correlation Rules, and open a specific rule. The Rule Conditions page opens.
2. In another tab, log into the Exabeam Security Operations Platform, navigate to Correlation Rules, and click New Rule. The Create New Rule page opens.
3. Return to Data Lake and copy the Query located in the Search section.
4. Return to Correlation Rules, click the Advanced Search icon to the left of the search bar, and paste the Data Lake query into the search bar.
5. Adjust the query syntax as needed. For syntax information, see Adjust Query Syntax.
6. Adjust the entity mapping in the query as needed. For mapping information, see Map to the Common Information Model.
7. To test the query before proceeding further, click Test to the right of the search bar. The Search application opens in a new tab and runs the query.
8. Return to Correlation Rules and click Next to open a page where you can add conditions to your rule. Configure the conditions to match the Rule Conditions section of the Data Lake rule. For more information about this process, see Create a New Correlation Rule in the Correlation Rules Feature Guide.
9. In Correlation Rules, click Next to open a page where you can define the rule outcomes. The outcome behavior you can configure in Correlation Rules differs slightly from the behavior defined in the Rule Outcomes section of the Data Lake rule: in Correlation Rules, a rule can either generate an alert or create a case, but not both. With either option, you can also configure an email to be sent when the rule is triggered.
10. In Correlation Rules, click Next to open a page where you can finalize the rule as follows:
   a. Add a Rule Name.
   b. Select a Use Case Category or a specific Use Case. This field is optional and did not exist in Data Lake.
   c. Configure the Rule Severity to match the Alert Severity in the Data Lake rule.
   d. Configure the Suppress Repeating Triggers parameters to match the parameters in the Data Lake rule.
   e. Review the Condition and Outcomes you have configured.
   f. Configure the Rule Status. You can fully enable the rule or enable it in Test Mode so that no outcomes are generated when the rule triggers.
   g. Save the new correlation rule.
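As an added illustration, not part of the Exabeam documentation, the following Python script encodes the field mapping from the steps above, in particular the outcome restriction in step 9, so that a batch of Data Lake rules can be triaged before anyone starts the per-rule work in the UI. The rule fields, value names and sample rules are assumptions constructed for the example, not an Exabeam export format or API.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class DataLakeRule:
    """Constructed, simplified view of a Data Lake rule (assumed field names)."""
    name: str
    query: str
    alert_severity: str
    outcomes: FrozenSet[str]          # any subset of {"alert", "case", "email"}
    suppress: Optional[Dict] = None   # Suppress Repeating Triggers parameters, if set


def plan_migration(rule: DataLakeRule) -> Tuple[Dict, List[str]]:
    """Map one rule onto the Correlation Rules settings from the procedure above
    and list the decisions that still need a person."""
    decisions: List[str] = []
    wants_alert = "alert" in rule.outcomes
    wants_case = "case" in rule.outcomes
    if wants_alert and wants_case:
        outcome = None   # Correlation Rules allows an alert or a case, not both
        decisions.append("creates both an alert and a case; pick one outcome")
    elif wants_alert:
        outcome = "alert"
    elif wants_case:
        outcome = "case"
    else:
        outcome = None
        decisions.append("no alert or case outcome; confirm the rule is still wanted")
    if not rule.query.strip():
        decisions.append("empty query; nothing to paste into the search bar")
    target = {
        "rule_name": rule.name,
        "query": rule.query,                   # still needs syntax and CIM mapping review
        "use_case": None,                      # optional; no Data Lake equivalent
        "rule_severity": rule.alert_severity,  # Alert Severity -> Rule Severity
        "suppress_repeating_triggers": rule.suppress,
        "outcome": outcome,
        "send_email": "email" in rule.outcomes,  # email can accompany either outcome
        "rule_status": "test_mode",            # start in Test Mode, enable fully after review
    }
    return target, decisions


def rules_needing_decisions(rules: List[DataLakeRule]) -> List[str]:
    """Names of rules that cannot be migrated mechanically."""
    return [r.name for r in rules if plan_migration(r)[1]]


# Constructed sample rules for the demonstration.
SAMPLE_RULES = [
    DataLakeRule("Brute force login", "query-placeholder-1", "high", frozenset({"alert"}),
                 {"count": 1, "window_minutes": 60}),
    DataLakeRule("Admin added", "query-placeholder-2", "critical", frozenset({"alert", "case", "email"})),
    DataLakeRule("Legacy report", "", "low", frozenset({"email"})),
]

if __name__ == "__main__":
    for name in rules_needing_decisions(SAMPLE_RULES):
        print("needs a decision:", name)
```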