Correlation Rule Reference
Construct YAML correlation rules in either the Console or the CLI workflow
Overview
Correlation rules are in open beta starting with Panther version 1.108, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.
Correlation rules can be written in YAML locally, in the CLI workflow, or in a code editor in the Panther Console. See instructions for how to create a correlation rule on Correlation Rules.
Correlation rule syntax
Each correlation rule can be composed of the following fields, at the top level:
Detection key
Metadata keys
Alert keys (static)
Learn more about each of these keys, including which are required and optional, in the Correlation rule top-level fields reference, below.
Correlation rule writing tips
Use anchors and aliases. Anchors, defined with
&, let you identify an item in your YAML. That item can later be referenced with an alias, defined with*.Example:
&failed_login(anchor) and*failed_login(alias)
Correlation rule top-level fields
The table below contains all available keys for YAML detections. Required fields are in bold.
Field Name | Description | Expected Value |
| Indicates whether this analysis is a rule, scheduled_rule, policy, correlation_rule, or global |
|
| Whether this correlation_rule is enabled | Boolean |
| The unique identifier of the rule | String |
| Which severity an associated alert should have | One of the following strings: |
Correlation rule definition including sequence or group | See Detection fields | |
| Whether the correlation rule should create an alert or not (default: true) | Boolean |
| A brief description of the rule | String |
| A user-friendly name to show in the Panther Console and alerts. The | String |
| Static destination overrides. These will be used to determine how alerts from this rule are routed, taking priority over default routing based on severity. | List of strings |
| The reason this rule exists, often a link to documentation | String |
| A mapping of framework or report names to values this rule covers for that framework | Map of strings to list of strings |
| The actions to be carried out if this rule returns an alert, often a link to documentation | String |
| A list of fields that alerts should summarize. | List of strings |
| Tags used to categorize this rule | List of strings |
Defines unit tests for this detection. | See Tests fields |
Detection fields
Detection fields| Name | Type | Validation | Description |
|---|---|---|---|
Object | N/A | The scheduling of a correlation rule | |
| String | Accepted values:
|
If |
| Scalar |
Default: | Indicates how many minutes in the past a correlation rule should look to evaluate the group or sequence |
List |
Only one of | A list of rule references that define the group Learn more about groups on Correlation Rules | |
List | x ≥
Length must equal the length of Only can be used if | A mapping of MatchCriteria that defines the event fields the group should match on to pass | |
List |
Only one of | A list of rule references that define the sequence Learn more about Sequences on Correlation Rules | |
List | x ≥ Only can be used if | A list of transitions that defines the requirements to transition from one step of the sequence to the next. This can include event values to match on or a time frame. |
Schedule fields
Schedule fieldsEach correlation rule runs on a schedule. The Schedule field defines that interval.
| Name | Type | Validation | Description |
|---|---|---|---|
| String | Only one of | A cron expression to describe how often a correlation rule should run |
| Scalar | x ≥ 2
Only one of | The rate of minutes to describe how often a correlation rule should run |
| Scalar | x ≤ | The time frame in which a correlation rule can run. If a correlation rule takes longer than this period of time to evaluate, it will be cancelled for that time frame and a system health notification will be generated |
Group and Sequence fields (rule references)
Group and Sequence fields (rule references)Within Group and Sequence, include a list of references to the rules included in this correlation rule. Each rule reference can include the following fields:
| Name | Type | Validation | Description |
|---|---|---|---|
| String | Only required if using | A unique identifier to a rule being referenced in a sequence or group |
| String | The ruleID must exist in Panther beforehand | The id of the rule, scheduled rule, or correlation rule to include in the sequence or group |
| Scalar | x ≥ | The minimum number of signals required for this step in the sequence to pass |
| Scalar | x ≥ 0
x > | The maximum number of signals allowed for this step in the sequence to pass |
| Boolean | N/A | Whether the absence of a signal needs to be true for the step to pass |
MatchCriteria fields
MatchCriteria fieldsThe MatchCriteria key can be used alongside Group for more granular results. It indicates which event field each rule is matched on. There can only be one type of field matched on per correlation rule (e.g., all IP address fields or all email address fields).
The MatchCriteria field contains a key that is a unique label. That key contains a list of GroupID and Match pairings.
See examples of a Group with and without MatchCriteria on Correlation Rules.
| Name | Type | Validation | Description |
|---|---|---|---|
| String | The | |
| String |
| The field in the event for the rule referenced that should be matched on e.g., |
Transitions fields
Transitions fieldsThe Transitions key, used only alongside Sequence, defines how one step can traverse to another.
Transitions must be in the same order as the rules listed under Sequence.
Learn more about transitions on Correlation Rules.
| Name | Type | Validation | Description |
|---|---|---|---|
| String | N/A | A unique identifier to a transition in a sequence. |
| String | The | |
| String | The | |
| Scalar |
| The time frame in minutes within which two steps in a sequence (defined by |
List | len(x) = | Defines which event fields must match |
Match fields
Match fieldsMatch is a child field of Transitions, used with Sequence. These fields allow you to define which event fields, for each rule, scheduled rule, or correlation rule, must have matching values.
There can only be one type of field matched on per correlation rule (e.g., all IP address fields or all email address fields).
| Name | Key type | Validation | Description |
|---|---|---|---|
| String |
| The field in the event referenced by the |
| String |
| The field in the event referenced by the Used when the event fields' names don't exactly match, but should be grouped together. E.g., |
| String |
| The field in the event referenced by the Used when the event fields' names don't exactly match, but should be grouped together. E.g., |
Tests fields
Tests fields| Name | Key type | Description |
|---|---|---|
| String | Descriptive name for the test case. All test cases must have unique names. |
| Boolean | Whether the correlation rule should generate a match (i.e., return |
| Array< | A list of |
RuleOutput fields
RuleOutput fields| Name | Key type | Description |
|---|---|---|
| String | A reference to one of the steps in your correlation rule's |
| Object<String, | An object that represents the event fields and values that this step in a |
MatchValue fields
MatchValue fieldsA MatchValue object defines an event value that was matched on, and the times the match(es) occurred.
Currently, a correlation rule may only specify one event value to match on throughout, therefore this object may only contain a single key/value pair.
Example:
or
| Key | Key type | Description |
|---|---|---|
| Array<String> OR Array<Number> | The key is an arbitrary string that your rule matched on. The value is an array of timestamps where the timestamps can either be relative (to the time the test case is ran) or absolute:
A single test cannot mix relative and absolute timestamps. For example, if a test uses absolute timestamps for one |
Last updated