Correlation Rule Operations Using Analytics Rule Syntax

Get Started with Threat Detection Management
Analytics Rules
Correlation Rules
Threat Scoring
- Tune Threat Scoring

Correlation Rule Operations Using Analytics Rule Syntax

Some analytics rules model a correlation rule. These expressions evaluate and retrieve the value of a correlation rule field from event context using analytics rule syntax.

Function	Description	Returned Value	Examples
`hascrrulefield("field")`	Checks if the event created when the correlation rule was triggered contains a correlation rule field `field`.	Boolean	`getcrrulefield(rule)` returns `true` if the event created when the correlation rule was triggered contains the correlation rule `rule` field.
`getcrrulefield("field")`	Retrieves the value of correlation rule field `field` from the event created when the correlation was triggered. If the field is not present, returns an empty string.	String	`getcrrulefield("rule_severity")` returns `"high"` if the event created when the correlation rule was triggered contains the correlation rule `rule_severity` field and the value of the field is high.

Function

Description

Returned Value

Examples

hascrrulefield("field")

Checks if the event created when the correlation rule was triggered contains a correlation rule field field.

Boolean

getcrrulefield(rule) returns true if the event created when the correlation rule was triggered contains the correlation rule rule field.

getcrrulefield("field")

Retrieves the value of correlation rule field field from the event created when the correlation was triggered.

If the field is not present, returns an empty string.

String

getcrrulefield("rule_severity") returns "high" if the event created when the correlation rule was triggered contains the correlation rule rule_severity field and the value of the field is high.

Threat Detection ManagementThreat Detection Management Guide

Table of ContentsTable of Contents

Correlation Rule Operations Using Analytics Rule Syntax