Import Correlation Rules
After you export correlation rules, import them into another environment.
In Threat Detection Management, navigate to the Correlation Rules tab, then click Import rules.
Click Select File, then select a JSON file containing no more than 50 rules and no larger than 4 MB. Correlation Rules validates the correlation rules in the file to ensure you're not importing duplicate correlation rules that already exist in your environment.
If a rule you're importing has the same name as an existing rule in your environment, you must remove the rule from the import job. To remove the correlation rule from the import job, click the remove icon for the correlation rule.
After the correlation rules are validated, click Import Rules.
Imported correlation rules are automatically disabled. The correlation rule author is the account that imported the rule. The correlation rule Created time is the date and time the rule was imported.
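The limits in the Select File step (no more than 50 rules, no larger than 4 MB, no names that already exist in the environment) can be checked before you open the import dialog. The following is an added example, not code from the product or its documentation; it assumes the export is a JSON array of rule objects that each carry a `name` field, and `plan_import`, `encoded_size` and the output file names are hypothetical.

```python
import json

MAX_RULES = 50           # per-file rule limit stated above
MAX_BYTES = 4_000_000    # "4 MB" read as decimal megabytes (assumption, the stricter reading)

def encoded_size(rules):
    """Bytes the rule list occupies when written out as a JSON file."""
    return len(json.dumps(rules).encode("utf-8"))

def plan_import(rules, existing_names):
    """Split rules into import-sized batches and list the rules to leave out.

    rules          -- list of rule dicts; the "name" key is an assumed field
    existing_names -- names of rules already present in the target environment
    Returns (batches, skipped); skipped holds (name, reason) tuples.
    """
    seen = set(existing_names)
    batches, current, skipped = [], [], []
    for rule in rules:
        name = rule.get("name")
        if not isinstance(name, str) or not name:
            skipped.append((name, "missing name"))
        elif name in seen:
            # Same name as an existing rule, or repeated earlier in this file.
            skipped.append((name, "duplicate name"))
        elif encoded_size([rule]) > MAX_BYTES:
            skipped.append((name, "rule exceeds size limit on its own"))
        else:
            seen.add(name)
            # Start a new file when either limit would be crossed.
            if len(current) == MAX_RULES or encoded_size(current + [rule]) > MAX_BYTES:
                batches.append(current)
                current = []
            current.append(rule)
    if current:
        batches.append(current)
    return batches, skipped

if __name__ == "__main__":
    # Constructed sample data, not taken from a real export ("query" is a made-up field).
    exported = [{"name": f"rule-{i}", "query": "..."} for i in range(120)]
    batches, skipped = plan_import(exported, existing_names={"rule-3"})
    for n, batch in enumerate(batches, 1):
        with open(f"import-batch-{n}.json", "w", encoding="utf-8") as fh:
            json.dump(batch, fh)
    print([len(b) for b in batches], skipped)
```

Because imported rules arrive disabled and are attributed to the importing account, review each batch after import before enabling it.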