Skip to main content

Threat Detection ManagementThreat Detection Management Guide

Export Correlation Rules

Export correlation rules to share correlation rules with team members and other stakeholders or convert a correlation rule to a sigma rule.

You can export a single correlation rule or multiple correlation rules at once. All correlation rule information is exported, except:

  • The environment from which the rule was exported

  • The correlation rule author

  • Last modified time and last triggered time

  • The number of times the rule was triggered

  • Correlation rule outcomes

  • Correlation rule evaluation delay

  1. In Threat Detection Management, navigate to the Correlation Rules tab, then determine which correlation rules you're exporting:

    • To export a single correlation rule:

      Click the More menu The more menu; three vertical grey dots on a white background. for the correlation rule, then select Export.

      OR

      Right-click the correlation rule, then select Export.

      OR

      Select the correlation rule, then select Export.

      The action to export a single selected correlation rule highlighted in a red rectangle.

    • To export multiple correlation rules, narrow the selection of correlation rules by searching or filtering the list. You can also click the checkbox for specific correlation rule you're exporting. Click Export rules A partial rounded blue square from which emerges an arrow curving upwards and to the right, both of which are set inside a blue square..

  2. Edit the file name for the exported rules. By default, the name is Exabeam_correlation_rules--<current year>-<current month>-<current day>T<current UTC time>Z

  3. Select which rules you're exporting:

    • Selected – Export the rules whose checkboxes you selected.

    • Filtered – Export the rules remaining after using the column filters.

    • All – Export all existing rules.

  4. Click Export Rules. The selected correlation rules are exported to a JSON file and downloaded to your file system. You can now import the correlation rules into another environment.