Correlation rules help you connect the dots between your data sources and events that could indicate a security threat or breach. Your Security Analytics account comes preconfigured with correlation rules for different attack types and security use cases.

You can create new correlation rules to supplement the built-in rules. You can also update any preconfigured correlation rule at any time, including adding a notification endpoint (like email or Slack) or changing trigger thresholds.

To create a new correlation rule

[Screenshot: Query bar in the Research page]

  1. In the Research page, type a query in the query bar, and press Enter. Review the results in the histogram and the document table, and make sure your query returned the expected results.

  2. Click Create Rule (to the right of the query bar). The Create Correlation Rule page is shown. Continue with the steps under To configure a correlation rule.

To configure a correlation rule

[Screenshot: Configure correlation rule]

  1. Type a Name and a detailed Description.

  2. If you need to, change your Query.

    If you use an invalid query, the correlation rule will be automatically disabled. Run your query in Kibana so you can be sure you’re getting the expected results.

  3. (Optional) If you want to group logs in the notification:

    [Screenshot: Correlation rule group by settings]

    1. Click Add group by to add up to 3 groups.

    2. In the Select Field list, choose a field to group by.

    3. To limit the available fields, choose a log type from the Filter by type list. To show fields for all log types, choose Clear filter.

  4. Set your threshold and severity levels in the Trigger section.

    [Screenshot: Correlation rule trigger settings]

  5. (Optional) If you want to receive notifications or emails when the rule is triggered, choose an endpoint. If you don’t choose an endpoint, events will still be logged:

    1. Choose the endpoints or email addresses to notify. If you need help adding a new endpoint, see Alert endpoints.

    2. Choose a time period to suppress notifications.

Click Save to save your correlation rule. When the threshold is passed and the rule is triggered, Security Analytics logs the event and sends the configured notifications.
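The following is an added example, not Security Analytics code or the product's own evaluation logic: it replays a constructed batch of log events through the settings the procedure above walks through (a query, up to three group-by fields, a trigger threshold over a time window, and a notification suppression period) so you can see how those settings interact before saving a rule. The query is modelled as exact field/value matches rather than Kibana query syntax, the time window is an assumed parameter, and the event fields, IP addresses and timestamps are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): SSH login outcomes from two sources.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:00:20", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:00:40", "type": "sshd", "outcome": "success", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:01:00", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:01:30", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:02:00", "type": "sshd", "outcome": "failure", "src_ip": "203.0.113.9"},
    {"ts": "2024-01-01T10:30:00", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:30:10", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-01T10:30:20", "type": "sshd", "outcome": "failure", "src_ip": "198.51.100.7"},
]

MAX_GROUP_BY_FIELDS = 3  # the procedure above allows up to 3 group-by fields


def parse_ts(value):
    return datetime.fromisoformat(value)


def matches_query(event, query):
    # Simplification (assumed): the rule's query is a set of exact field/value matches.
    return all(event.get(field) == value for field, value in query.items())


def evaluate_rule(events, query, threshold, window, group_by=(), suppress=timedelta(0)):
    """Replay events in time order and return (triggers, notifications).

    triggers      - every time a group crossed the threshold (always logged)
    notifications - the subset of triggers that were not within the suppression period
    """
    if len(group_by) > MAX_GROUP_BY_FIELDS:
        raise ValueError(f"at most {MAX_GROUP_BY_FIELDS} group-by fields are allowed")
    if threshold < 1:
        raise ValueError("threshold must be at least 1")

    recent = defaultdict(deque)   # group key -> timestamps of matching events inside the window
    last_notified = {}            # group key -> time of the last notification sent for that group
    triggers, notifications = [], []

    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if not matches_query(event, query):
            continue
        ts = parse_ts(event["ts"])
        key = tuple(event.get(field) for field in group_by)  # () means one global bucket

        bucket = recent[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # drop events older than the window
            bucket.popleft()
        if len(bucket) < threshold:
            continue

        # Threshold passed: the event is logged whether or not an endpoint is configured.
        triggers.append((ts, key, len(bucket)))
        last = last_notified.get(key)
        if last is None or ts - last >= suppress:  # honour the suppression period per group
            notifications.append((ts, key, len(bucket)))
            last_notified[key] = ts

    return triggers, notifications


def run_example():
    # Rule: 3 or more failed SSH logins from the same source within 5 minutes,
    # grouped by src_ip, with notifications suppressed for 10 minutes per source.
    return evaluate_rule(
        SAMPLE_EVENTS,
        query={"type": "sshd", "outcome": "failure"},
        threshold=3,
        window=timedelta(minutes=5),
        group_by=("src_ip",),
        suppress=timedelta(minutes=10),
    )


if __name__ == "__main__":
    triggers, notifications = run_example()
    for ts, key, count in triggers:
        sent = any(n[0] == ts and n[1] == key for n in notifications)
        print(f"{ts.isoformat()} group={key} count={count} notified={sent}")
```

Running it shows three threshold crossings for 198.51.100.7 but only two notifications: the crossing at 10:01:30 falls inside the 10-minute suppression window of the one sent at 10:01:00, while the burst at 10:30 is a fresh window and notifies again. The single failure from 203.0.113.9 never reaches the threshold because the group-by keeps its count separate.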