Correlation Rules Templates
If you don't want to create a correlation rule from scratch, use a pre-built template.
Correlation Rules templates are correlation rules with a predefined search query and condition. You use them as a starting point for creating your own correlation rule.
To view correlation rule templates, in the Threat Detection Management Correlation Rules tab, click Templates. To sort the templates, click a column header; you can sort by any column except DESCRIPTION. To filter templates by use case or MITRE ATT&CK® tactic, click the filter icon. To view the details of a template, click Details.
Some correlation rule templates duplicate existing Advanced Analytics fact-based rules. Find the latest list of correlation rule templates in the CIM Library. When you create a rule from one of these templates, customize it rather than enabling it as is: otherwise a single event triggers both rules and produces two outcomes, one from Advanced Analytics and one from Correlation Rules.