Alert enrichment and correlation properties
The alert enrichment and correlation rule properties cover the supported rule formats and the rule attributes.
Case candidate creation based on alert correlation is in beta. Alert enrichment and correlation rules work together to group related alerts into cases for security analysts to investigate. For more information, see Case creation and correlation.
Rule format
| Property | Description |
|---|---|
| Correlation rule format | Used to combine multiple alerts into a case candidate that represents an entire attack. The correlation algorithm uses the severity scores to determine which artifacts an analyst would typically use to correlate and identify related alerts that are associated with the same attack. The correlation algorithm continuously identifies and correlates related alerts as they are streamed into the system. To change the default correlation conditions, use the following steps: |
| Enrichment rule format | Provides context about the alert, and mimics the way that a security analyst typically works. For example, when an alert comes in, the analyst might look at the key features about the alert and then add their own knowledge or query external systems to gain extra insights. Context is primarily represented as a severity score, which is added to either an observable (also called artifact or evidence) or a parameter within the enriched alert (also called a finding). |
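The two rule formats are easiest to understand together: enrichment attaches a severity score to each observable, and correlation then uses only the high-scoring observables as pivots when it decides whether a newly streamed alert belongs to an existing case candidate. The following toy model is an added illustration of that interaction, written for this page; it is not the product's own algorithm, and the enrichment rules, scores, the threshold of 50, and the constructed alerts are all assumptions chosen to make the behaviour visible.

```python
"""Toy model of alert enrichment and streaming correlation.

Constructed example for illustration only; the product's real rules,
scores and merge logic are not represented here.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Observable:
    kind: str    # "ip", "hash", "user", ...
    value: str


@dataclass
class Alert:
    alert_id: str
    observables: list
    severity: dict = field(default_factory=dict)  # Observable -> score set by enrichment


# Hypothetical enrichment rules: (name, predicate, score). A real deployment
# would query watchlists, threat intel or asset databases here.
WATCHLIST_IPS = {"203.0.113.7"}              # constructed; TEST-NET-3 address
PRIVATE_PREFIXES = ("10.", "192.168.")

ENRICHMENT_RULES: list[tuple[str, Callable[[Observable], bool], int]] = [
    ("watchlisted external IP", lambda o: o.kind == "ip" and o.value in WATCHLIST_IPS, 90),
    ("file hash", lambda o: o.kind == "hash", 70),
    ("user account", lambda o: o.kind == "user", 50),
    ("internal IP (weak pivot)", lambda o: o.kind == "ip" and o.value.startswith(PRIVATE_PREFIXES), 10),
]


def enrich(alert: Alert) -> Alert:
    """Attach the highest matching rule score to every observable in the alert."""
    for obs in alert.observables:
        alert.severity[obs] = max((score for _, pred, score in ENRICHMENT_RULES if pred(obs)), default=0)
    return alert


class Correlator:
    """Streaming correlator: alerts sharing a pivot observable land in one case candidate."""

    def __init__(self, threshold: int = 50):
        self.threshold = threshold       # assumption: only observables scoring >= 50 are pivots
        self.index: dict[Observable, int] = {}   # pivot observable -> case id
        self.cases: dict[int, set[str]] = {}     # case id -> alert ids
        self._next_case = 1

    def ingest(self, alert: Alert) -> int:
        enrich(alert)
        pivots = [o for o, s in alert.severity.items() if s >= self.threshold]
        matched = {self.index[o] for o in pivots if o in self.index}
        if not matched:
            case_id = self._next_case
            self._next_case += 1
            self.cases[case_id] = set()
        else:
            # An alert bridging several open cases merges them into the oldest one.
            case_id = min(matched)
            for other in matched - {case_id}:
                self.cases[case_id] |= self.cases.pop(other)
                for o, c in list(self.index.items()):
                    if c == other:
                        self.index[o] = case_id
        self.cases[case_id].add(alert.alert_id)
        for o in pivots:
            self.index[o] = case_id
        return case_id


def sample_alerts() -> list[Alert]:
    """Constructed alert stream; not real data."""
    ext, h, alice = Observable("ip", "203.0.113.7"), Observable("hash", "e3b0c442"), Observable("user", "alice")
    host5, host9 = Observable("ip", "10.0.0.5"), Observable("ip", "10.0.0.9")
    return [
        Alert("A1", [ext, alice]),   # new case 1
        Alert("A2", [host5, h]),     # new case 2 (hash unseen so far)
        Alert("A3", [host5, alice]), # joins case 1 via alice; host5 is too weak to link to A2
        Alert("A4", [h, ext]),       # bridges hash (case 2) and ext IP (case 1): merge into 1
        Alert("A5", [host9]),        # only a weak observable: isolated case 3
    ]


def run_demo() -> tuple[list[int], dict[int, set[str]]]:
    correlator = Correlator()
    assigned = [correlator.ingest(a) for a in sample_alerts()]
    return assigned, correlator.cases


if __name__ == "__main__":
    assigned, cases = run_demo()
    print("case per alert:", assigned)
    print("case candidates:", cases)
```

The point the model makes explicit is why enrichment matters for correlation quality: A2 and A3 share the internal address 10.0.0.5, but because the enrichment rule scores internal IPs as weak evidence they are not linked on that basis alone, whereas the watchlisted external IP and the file hash are strong enough to pull A1, A2, A3 and A4 into a single candidate once A4 bridges them. Tuning which observables score above the threshold is the practical lever for reducing over-merged cases.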
Rule attributes
| Property | Description |
|---|---|
| Rule name | Enter a specific rule name or search for it by using regular expressions. |
| Rule description | Filter the rule description by using regular expressions. |
| Rule enabled | See which rules are enabled or disabled to ensure that your system generates meaningful offenses for your environment. |
| Creation and modification dates | Use the date filters to see what changed during the last week, or to see which rules were modified. The modification date shows which rules were modified, not what changed inside them. |