Correlation Rule Reference

Construct YAML correlation rules in either the Console or the CLI workflow

Last updated 1 month ago

Overview

Correlation rules are in open beta starting with Panther version 1.108, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Correlation rules can be written in YAML locally, in the CLI workflow, or in a code editor in the Panther Console. See Correlation Rules for instructions on creating a correlation rule.

Correlation rule syntax

Each correlation rule can be composed of the following fields, at the top level:

  • Detection key

    Detection:

  • Metadata keys

    AnalysisType: correlation_rule
    CreateAlert:
    Enabled:
    RuleID:
    Reports:
    Tags:
    Tests:

  • Alert keys (static)

    Severity:
    Description:
    DisplayName:
    OutputIds:
    Reference:
    Runbook:
    SummaryAttributes:

Learn more about each of these keys, including which are required and which are optional, in the correlation rule top-level fields reference below.

Correlation rule writing tips

  • Use anchors and aliases. Anchors, defined with &, let you identify an item in your YAML. That item can later be referenced with an alias, defined with *.

    • Example: &failed_login (anchor) and *failed_login (alias)

  • Do not use anchors and aliases within Tests. Doing so can cause errors.

Correlation rule top-level fields

The table below lists every available top-level key for a YAML correlation rule.

AnalysisType
  • Description: Indicates whether this analysis is a rule, scheduled_rule, policy, correlation_rule, or global
  • Expected value: correlation_rule

Enabled
  • Description: Whether this correlation_rule is enabled
  • Expected value: Boolean

RuleID
  • Description: The unique identifier of the rule
  • Expected value: String

Severity
  • Description: Which severity an associated alert should have
  • Expected value: One of the following strings: Info, Low, Medium, High, or Critical

Detection
  • Description: See Detection fields
  • Expected value: Correlation rule definition including a sequence or a group

CreateAlert
  • Description: Whether the correlation rule should create an alert or not (default: true)
  • Expected value: Boolean

Description
  • Description: A brief description of the rule
  • Expected value: String

DisplayName
  • Description: A user-friendly name to show in the Panther Console and alerts. The RuleID is displayed if this field is not set.
  • Expected value: String

OutputIds
  • Description: Static destination overrides. These determine how alerts from this rule are routed, taking priority over default routing based on severity.
  • Expected value: List of strings

Reference
  • Description: The reason this rule exists, often a link to documentation
  • Expected value: String

Reports
  • Description: A mapping of framework or report names to the values this rule covers for that framework
  • Expected value: Map of strings to list of strings

Runbook
  • Description: The actions to be carried out if this rule returns an alert, often a link to documentation
  • Expected value: String

SummaryAttributes
  • Description: A list of fields that alerts should summarize
  • Expected value: List of strings

Tags
  • Description: Tags used to categorize this rule
  • Expected value: List of strings

Tests
  • Description: Defines unit tests for this detection
  • Expected value: See Tests fields

Detection fields

Schedule
  • Type: Object
  • Validation: N/A
  • Description: The scheduling of a correlation rule. See Schedule fields.

EventEvaluationOrder
  • Type: String
  • Validation: Accepted values: Chronological (default), ReverseChronological
  • Description: If Chronological, events are analyzed from oldest to newest. If ReverseChronological, events are analyzed from newest to oldest.

LookbackWindowMinutes
  • Type: Scalar
  • Validation: 15 ≤ x ≤ 21600 (15 days). Default: 15
  • Description: Indicates how many minutes in the past a correlation rule should look to evaluate the group or sequence. Learn more about LookbackWindowMinutes on Correlation Rules.

Group
  • Type: List
  • Validation: 2 ≤ x ≤ 50. Only one of Group or Sequence is required/allowed.
  • Description: A list of rule references that define the group. Learn more about groups on Correlation Rules.

MinMatchCount
  • Type: Scalar
  • Validation: Can only be used if Group is present. 2 ≤ x < number of rules in Group. Cannot be used when the number of rules in Group is 2 or greater than 8. Cannot be used when any rule in Group uses Absence: true.
  • Description: MinMatchCount specifies the minimum number of individual rules, scheduled rules, or correlation rules (defined in Group) that must match in order for this correlation rule to match. Learn more about MinMatchCount on Correlation Rules.

MatchCriteria
  • Type: List
  • Validation: Can only be used if Group is present. x ≥ 1. Length must equal the length of Group.
  • Description: A mapping of MatchCriteria that defines the event fields the group should match on to pass. See MatchCriteria fields.

Sequence
  • Type: List
  • Validation: 2 ≤ x ≤ 50. Only one of Group or Sequence is required/allowed.
  • Description: A list of rule references that define the sequence. Learn more about sequences on Correlation Rules.

Transitions
  • Type: List
  • Validation: Can only be used if Sequence is present. x ≥ 1.
  • Description: A list of transitions that defines the requirements to move from one step of the sequence to the next. This can include event values to match on or a time frame. See Transitions fields.

Schedule fields

Each correlation rule runs on a schedule. The Schedule field defines that interval. Learn more about setting Schedule on Correlation Rules.

CronExpression
  • Type: String
  • Validation: Only one of CronExpression or RateMinutes is required/allowed
  • Description: A cron expression that describes how often a correlation rule should run. Learn more about the CronExpression format in How to use the Scheduled Search crontab.

RateMinutes
  • Type: Scalar
  • Validation: x ≥ 2. Only one of CronExpression or RateMinutes is required/allowed
  • Description: The rate in minutes that describes how often a correlation rule should run

TimeoutMinutes
  • Type: Scalar
  • Validation: x ≤ RateMinutes
  • Description: The time frame in which a correlation rule can run. If a correlation rule takes longer than this period to evaluate, it is cancelled for that time frame and a system health notification is generated.

Group and Sequence fields (rule references)

Within Group and Sequence, include a list of references to the rules included in this correlation rule. Each rule reference can include the following fields:

ID
  • Type: String
  • Validation: Only required if using Transitions or MatchCriteria
  • Description: A unique identifier for a rule being referenced in a sequence or group

RuleID
  • Type: String
  • Validation: The RuleID must already exist in Panther
  • Description: The ID of the rule, scheduled rule, or correlation rule to include in the sequence or group

MinMatchCount
  • Type: Scalar
  • Validation: x ≥ 1. Default: 1
  • Description: The minimum number of signals required for this step in the sequence to pass

MaxMatchCount
  • Type: Scalar
  • Validation: x ≥ 0. x > MinMatchCount (if set)
  • Description: The maximum number of signals allowed for this step in the sequence to pass

Absence
  • Type: Boolean
  • Validation: N/A
  • Description: Whether the absence of a signal is required for the step to pass

MatchCriteria fields

The MatchCriteria key can be used alongside Group for more granular results. It indicates which event field each rule is matched on. Only one type of field can be matched on per correlation rule (e.g., all IP address fields or all email address fields).

The MatchCriteria field contains a key that is a unique label. That key contains a list of GroupID and Match pairings. See examples of a Group with and without MatchCriteria on Correlation Rules.

GroupID
  • Type: String
  • Description: The ID defined in Group. Used to link the rule reference to the field that should be matched on

Match
  • Type: String
  • Validation:
    • For rules associated with only one log type: any field is allowed
    • For rules associated with multiple log types, scheduled rules, or correlation rules: only p_ fields are allowed
    • Validated based on the log schema. Cannot end on a field of type object or JSON. Anything within a JSON object is not validated.
    • Must be the same type as the other Match values
    • Must use Kusto Query Language (KQL) syntax
  • Description: The field in the event for the referenced rule that should be matched on, e.g., p_alert_context.username
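The following is an added example of a Group correlation rule with MatchCriteria and MinMatchCount; it is not from Panther's documentation or the panther-analysis repository. Standard.BruteForceByIP and Okta.Login.Success are the rule IDs used elsewhere on this page; Example.Placeholder.ThirdRule and the RuleID Example.Group.SameIP are placeholders. The nesting of the MatchCriteria label key (one label whose list holds one GroupID/Match pairing per Group member, all of the same field type) is inferred from the description above and is an assumption.

```yaml
# Added example, not Panther's own code. Fires when at least two of the
# three rules below produce signals tied to the same IP address inside the
# lookback window. Example.Placeholder.ThirdRule is a placeholder RuleID.
AnalysisType: correlation_rule
RuleID: Example.Group.SameIP
Enabled: true
Severity: High
DisplayName: Two or more suspicious signals from one IP
Detection:
  - Group:
      # IDs are required here because MatchCriteria refers to them
      - ID: Failed Login
        RuleID: Standard.BruteForceByIP
      - ID: Successful Login
        RuleID: Okta.Login.Success
      - ID: Third Signal
        RuleID: Example.Placeholder.ThirdRule
    # Group has 3 rules, so MinMatchCount may be 2 (2 <= x < 3);
    # it could not be used at all if the Group had only 2 rules.
    MinMatchCount: 2
    # One unique label; inside it, one GroupID/Match pairing per Group
    # member (assumed layout). Every Match field is an IP address, because
    # only one field type may be matched on per correlation rule.
    MatchCriteria:
      - same_ip:
          - GroupID: Failed Login
            Match: p_alert_context.ip
          - GroupID: Successful Login
            Match: p_alert_context.sourceIPAddress
          - GroupID: Third Signal
            Match: p_any_ip_addresses
    LookbackWindowMinutes: 60      # within 15 <= x <= 21600
    Schedule:
      RateMinutes: 30
      TimeoutMinutes: 15           # must be <= RateMinutes
```

All three Match fields are p_ fields, which keeps the rule valid even when the referenced rules span several log types.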

Transitions fields

The Transitions key, used only alongside Sequence, defines how one step can traverse to another. Learn more about transitions on Correlation Rules.

Transitions must be in the same order as the rules listed under Sequence.

ID
  • Type: String
  • Validation: N/A
  • Description: A unique identifier for a transition in a sequence.

From
  • Type: String
  • Description: The ID in the rule references section of a sequence that indicates the starting step.

To
  • Type: String
  • Description: The ID in the rule references section of a sequence that indicates the ending step.

WithinTimeFrameMinutes
  • Type: Scalar
  • Validation: 1 ≤ x ≤ 1440 AND x ≤ LookbackWindowMinutes
  • Description: The time frame in minutes within which two steps in a sequence (defined by From and To) must occur in order to pass.

Match
  • Type: List
  • Validation: len(x) = 1
  • Description: Defines which event fields must match. See Match fields.

Match fields

Match is a child field of Transitions, used with Sequence. These fields let you define which event fields, for each rule, scheduled rule, or correlation rule, must have matching values.

Only one type of field can be matched on per correlation rule (e.g., all IP address fields or all email address fields).

Example using the same match values:

Detection:
  - Sequence:
      - ID: Failed Login
        RuleID: Standard.BruteForceByIP
        MinMatchCount: 10
      - ID: Successful Login
        RuleID: Okta.Login.Success
    Transitions:
      - ID: Brute Force Login Success
        From: Failed Login
        To: Successful Login
        WithinTimeFrameMinutes: 10
        Match:
          - On: p_alert_context.ip     # the same field name in both steps
      - ID: Gained Root Access
        From: Successful Login
        To: Root Login
        Match:
          - From: p_alert_context.ip  # different field names, same value
            To: p_alert_context.sourceIPAddress

On
  • Key type: String
  • Validation:
    • From and To must be empty
    • For rules associated with only one log type: any field is allowed
    • For rules associated with multiple log types, scheduled rules, or correlation rules: only p_ fields are allowed
    • Validated based on the log schema. Cannot end on a field of type object or JSON. Anything within a JSON object is not validated.
    • Must use KQL syntax
  • Description: The field in the event referenced by From and To that should be matched on. Used when the event fields' names match exactly, e.g., p_udm.x or p_any_usernames

From
  • Key type: String
  • Validation:
    • On must be empty
    • For rules associated with only one log type: any field is allowed
    • For rules associated with multiple log types, scheduled rules, or correlation rules: only p_ fields are allowed
    • Validated based on the log schema. Cannot end on a field of type object or JSON. Anything within a JSON object is not validated.
    • Must use KQL syntax
  • Description: The field in the event referenced by From and To that should be matched on. Used when the event fields' names don't exactly match but should be grouped together, e.g., p_alert_context.username = p_alert_context.user

To
  • Key type: String
  • Validation:
    • On must be empty
    • For rules associated with only one log type: any field is allowed
    • For rules associated with multiple log types, scheduled rules, or correlation rules: only p_ fields are allowed
    • Validated based on the log schema. Cannot end on a field of type object or JSON. Anything within a JSON object is not validated.
    • Must use KQL syntax
  • Description: The field in the event referenced by From and To that should be matched on. Used when the event fields' names don't exactly match but should be grouped together, e.g., p_alert_context.username = p_alert_context.user

Tests fields

Do not use anchors and aliases within Tests. Doing so can cause errors.

Name
  • Key type: String
  • Description: Descriptive name for the test case. All test cases must have unique names.

ExpectedResult
  • Key type: Boolean
  • Description: Whether the correlation rule should generate a match (i.e., return True or False) for this test case. For example, if the test specifies ExpectedResult: False and the correlation rule does generate a match (i.e., returns True), the test fails because the expectation does not match the actual behavior.

RuleOutputs
  • Key type: Array<RuleOutput>
  • Description: A list of RuleOutput objects. Each represents mock signal(s) generated from a particular rule referenced in your correlation rule definition, including definitions for which event fields/values matched.

RuleOutput fields

ID
  • Key type: String
  • Description: A reference to one of the steps in your correlation rule's Group or Sequence field. If the items in your Group or Sequence have IDs defined, this value must match that ID. If the items in your Group or Sequence do not have IDs defined, this value must match the RuleID associated with that Group or Sequence item.

Matches
  • Key type: Object<String, MatchValue>
  • Description: An object that represents the event fields and values that this step in a Group or Sequence matched on. The key is the field name matched on (subfields can be specified using JSON path notation, e.g., p_alert_context.username) and the value is a MatchValue object.

MatchValue fields

A MatchValue object defines an event value that was matched on, and the times the match(es) occurred.

Currently, a correlation rule may only specify one event value to match on throughout, therefore this object may only contain a single key/value pair.

Example:

Matches:
    p_any_emails: # String (field name matched on)
        ali.ford@example.net: [0, 1, 2] # MatchValue object (value using relative timestamps)

or

Matches:
    p_any_ip_addresses: # String (field name matched on)
        1.2.3.4: # MatchValue key
            - "2006-01-02T15:04:05Z" # MatchValue value (using absolute timestamps)

Value matched on
  • Key type: String
  • Value type: Array<String> OR Array<Number>
  • Description: The key is an arbitrary string that your rule matched on. The value is an array of timestamps, which can be either relative (to the time the test case is run) or absolute:
    • Relative timestamps: Represented as an array of numbers, where each number is how many minutes after the start of the test case scenario the match occurred.
    • Absolute timestamps: Represented as an array of timestamps in RFC3339 format.

A single test cannot mix relative and absolute timestamps. For example, if a test uses absolute timestamps for one RuleOutput, it must use absolute timestamps for all RuleOutputs.
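The following is an added example of a complete correlation rule, written here to tie the sections above together; it is not from Panther's documentation or the panther-analysis repository. It chains the two steps from the Match fields example (Standard.BruteForceByIP and Okta.Login.Success, both rule IDs used on this page), uses a YAML anchor and alias for each step ID as the writing tips recommend, sets a Schedule, and carries two Tests whose RuleOutputs use relative timestamps. The RuleID Example.Sequence.BruteForceThenLogin, the IP addresses, and the ATT&CK mapping are constructed for the example; the Detection list layout follows the Match fields example above.

```yaml
# Added example, not Panther's own code. A brute-force burst followed within
# ten minutes by a successful Okta login from the same IP.
AnalysisType: correlation_rule
RuleID: Example.Sequence.BruteForceThenLogin
Enabled: true
Severity: Critical
DisplayName: Brute force followed by successful login from the same IP
Description: Ten or more failed logins from one IP, then a successful Okta login from that IP within 10 minutes.
Tags:
  - Example
Reports:                      # map of strings to list of strings
  MITRE ATT&CK:
    - TA0006:T1110            # Credential Access, Brute Force
Detection:
  - Sequence:
      # Anchors (&) on the step IDs; the Transitions below reuse them as aliases (*)
      - ID: &failed_login Failed Login
        RuleID: Standard.BruteForceByIP
        MinMatchCount: 10     # ten brute-force signals are required for this step
      - ID: &login_success Successful Login
        RuleID: Okta.Login.Success
    Transitions:
      - ID: Brute Force Login Success
        From: *failed_login
        To: *login_success
        WithinTimeFrameMinutes: 10   # must not exceed LookbackWindowMinutes
        Match:
          - From: p_alert_context.ip              # field in the Failed Login step
            To: p_alert_context.sourceIPAddress   # field in the Successful Login step
    EventEvaluationOrder: Chronological
    LookbackWindowMinutes: 30
    Schedule:
      RateMinutes: 15
      TimeoutMinutes: 10      # must be <= RateMinutes
Tests:
  # Step IDs are spelled out here: anchors and aliases must not be used inside Tests.
  # Timestamps are relative (minutes after the start of the scenario); a single
  # test may not mix relative and absolute timestamps.
  - Name: Brute force then login from the same IP
    ExpectedResult: True
    RuleOutputs:
      - ID: Failed Login
        Matches:
          p_alert_context.ip:
            203.0.113.10: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]   # ten signals, one per minute
      - ID: Successful Login
        Matches:
          p_alert_context.sourceIPAddress:
            203.0.113.10: [12]                            # three minutes after the last failure
  - Name: Login from a different IP does not correlate
    ExpectedResult: False
    RuleOutputs:
      - ID: Failed Login
        Matches:
          p_alert_context.ip:
            203.0.113.10: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
      - ID: Successful Login
        Matches:
          p_alert_context.sourceIPAddress:
            198.51.100.7: [12]                            # same timing, different value
```

The second test is the one worth keeping in a repository: it proves the Match clause actually constrains the value, so a later edit that drops the From/To pairing would fail the test rather than silently widen the rule.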
