- Get Started with Threat Detection Management
- Analytics Rules
- Analytics Rule Classifications
- Create an Analytics Rule
- Manage Analytics Rules
- Tune Analytics Rules
- Find Analytics Rules
- Share Analytics Rules
- Troubleshoot Analytics Rules
- Analytics Rules Syntax
- Advanced Analytics Rule Syntax vs. Analytics Rule Syntax
- Logical Expressions in Analytics Rule Syntax'
- String Operations Using Analytics Rule Syntax
- Integer Operations Using Analytics Rule Syntax
- Time Operations Using Analytics Rule Syntax
- Network Operations Using Analytics Rule Syntax
- Context Operations Using Analytics Rule Syntax
- Entity Operations Using Analytics Rule Syntax
- Correlation Rule Operations Using Analytics Rule Syntax
- Analytics Engine Status
- Correlation Rules
- Threat Scoring
Correlation Rules
Surface well-known, well-defined abnormal behaviour and events with fact-based correlation rules.
Correlation rules are rules that automatically correlate an event to a specific result. If an event meets specific conditions, the correlation rule triggers, which then takes a certain action. With the if-then logic of correlation rules, you can monitor known anomalies, detect signature-based threats, and identify compliance violations.
To create a correlation rule, you define the events that trigger your rule, specify conditions, then designate outcomes. After you create correlation rules, you can manage them—edit, enable or disable, delete, clone, filter, search for, and sort them.
To navigate to correlation rules in Threat Detection Management, click the Correlation Rules tab.
For each correlation rule, view:
Severity – The correlation rule severity: None, Low, Medium, High or Critical.
Name – The correlation rule name
Author – Who created the correlation rule
Created – The date and time the correlation rule was created
Last modified – The date and time the correlation rule was last modified
Last triggered – The date and time the correlation rule was last triggered
Triggered – The number of times the correlation rule has been triggered. To view the resulting rule trigger events in Search, click
.Use case – The Exabeam use case associated with the correlation rule
Schedules – The number of trigger schedules associated with the correlation rule
MITRE – The MITRE ATT&CK® tactic associated with the correlation rule
Status – The state of the correlation rule:
Enabled – The correlation rule is enabled.
Testing – The correlation rule is enabled in test mode and its outcomes are suppressed.
Disabled – The correlation rule is disabled.
Stopped – The correlation rule has automatically been disabled because: events have satisfied the conditions of a sequence more than 500 times in five minutes; the correlation rule has triggered more than 50 times in five minutes; or the sequence uses incorrect query syntax or references an empty context table.