Create Correlation Rules
Create fact-based correlation rules to surface well-known, well-defined abnormal behaviour and events.
You can create a correlation rule from scratch, a template, or a Search query.
There are four steps to creating a correlation rule: you build sequences, designate the outcomes of the rule, finalize some rule details, then review and save the rule.
To build a sequence, you first define the events that trigger the rule by querying for them using an experience similar to Search. Then, you define the conditions those events must meet for the rule to trigger. To consolidate the query results into subsets of events so the rule evaluates its conditions against each subset, use the Group by Field functionality. You can also build a sequence that detects the absence of an event or field.
After you create your sequences, you can optionally designate what happens when the rule triggers. There are three possible outcomes: Threat Center creates a case; Correlation Rules sends an email notification; or Correlation Rules sends information to a Webhook. Even if you don't specify an outcome, an event is still created automatically every time the rule triggers, and Threat Center may also create an alert automatically; whether it does depends on whether you're testing the rule.
Before you can review and save the rule, you must finalize a few details, like the rule name and severity. To prevent alert fatigue, you can suppress the rule from triggering repeatedly, or suppress it from triggering repeatedly on a specific field value (for example, once per user within a time window). To make sure late-arriving events are taken into account, you can also delay evaluation so the rule waits for all events in a sequence to arrive before it evaluates them; otherwise an absence rule in particular can fire on an event that simply hasn't been ingested yet.
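The following is an added example, not code from the product or its rule syntax: a small Python evaluator that exercises the same building blocks the procedure above describes. It groups events by a field, checks a condition against each group (a sequence of failed logins followed by a success), detects the absence of an expected event within a window, applies per-field-value suppression, and delays evaluation of the absence rule until the window has closed so late-arriving events are not misreported. The event records, field names (`type`, `user`, `src`), rule names and thresholds are all assumptions chosen for illustration, and the sample events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "auth.failure", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:01:00", "type": "auth.failure", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:02:00", "type": "auth.failure", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:03:00", "type": "auth.success", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:04:00", "type": "auth.success", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:00", "type": "mfa.verified", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:05:00", "type": "auth.failure", "user": "bob",   "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:20:00", "type": "auth.success", "user": "carol", "src": "203.0.113.7"},
    {"ts": "2024-05-01T10:21:00", "type": "mfa.verified", "user": "carol", "src": "203.0.113.7"},
    {"ts": "2024-05-01T10:30:00", "type": "auth.success", "user": "dave",  "src": "203.0.113.8"},
    # dave never produces mfa.verified: the absence rule should fire once his window closes.
]


def parse(ts):
    return datetime.fromisoformat(ts)


def brute_force_then_success(events, group_field="user",
                             window=timedelta(minutes=10), min_failures=3):
    """Sequence rule with Group by Field: for each value of group_field, trigger on an
    auth.success preceded by at least min_failures auth.failure events inside `window`."""
    groups = defaultdict(list)
    for e in events:
        groups[e[group_field]].append(e)
    hits = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        for i, e in enumerate(evs):
            if e["type"] != "auth.success":
                continue
            t = parse(e["ts"])
            failures = [f for f in evs[:i]
                        if f["type"] == "auth.failure" and t - parse(f["ts"]) <= window]
            if len(failures) >= min_failures:
                hits.append({"rule": "brute_force_then_success", "key": key, "ts": e["ts"]})
    return hits


def login_without_mfa(events, within=timedelta(minutes=5), now=None):
    """Absence rule with delayed evaluation: trigger on an auth.success that is not followed
    by mfa.verified for the same user within `within`. A login is only judged once its
    window has fully elapsed relative to `now`, so late-arriving MFA events still count."""
    now = now or max(parse(e["ts"]) for e in events)
    hits = []
    for e in events:
        if e["type"] != "auth.success":
            continue
        start, deadline = parse(e["ts"]), parse(e["ts"]) + within
        if deadline > now:
            continue  # window still open: defer to a later evaluation pass
        mfa_seen = any(m["type"] == "mfa.verified" and m["user"] == e["user"]
                       and start <= parse(m["ts"]) <= deadline for m in events)
        if not mfa_seen:
            hits.append({"rule": "login_without_mfa", "key": e["user"], "ts": e["ts"]})
    return hits


def suppress(hits, field="key", window=timedelta(minutes=15)):
    """Suppress repeated triggers of the same rule on the same field value within `window`."""
    last_fired, kept = {}, []
    for h in sorted(hits, key=lambda h: parse(h["ts"])):
        k, t = (h["rule"], h[field]), parse(h["ts"])
        if k in last_fired and t - last_fired[k] < window:
            continue
        last_fired[k] = t
        kept.append(h)
    return kept


def run(events, now=None):
    """Evaluate both rules and apply suppression; returns the surviving triggers."""
    return suppress(brute_force_then_success(events) + login_without_mfa(events, now=now))


if __name__ == "__main__":
    for hit in run(EVENTS, now=parse("2024-05-01T10:40:00")):
        print(hit)
```

Running `run(EVENTS, now=parse("2024-05-01T10:40:00"))` yields two triggers: alice's brute-force sequence at 10:03 (the second success at 10:04 is suppressed because it is the same user within the suppression window) and dave's login without MFA. Evaluating at 10:34 instead yields no absence trigger for dave, because his five-minute window is still open; that is the delayed-evaluation behaviour the procedure above is referring to.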