Correlation Rules
Create query-based rules that, when triggered, generate custom detections and cases. Build rules from scratch using CQL queries or apply rule templates provided by CrowdStrike and third-party developers.
Requirements
| Requirement | Detail |
|---|---|
| Subscription | Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB |
| Default roles | Falcon Administrator, NG SIEM Administrator, NG SIEM Analyst, NG SIEM Analyst - Read Only |
| CrowdStrike clouds | Available in all clouds |
Users with NG SIEM roles can only view rules they created themselves by default. To view rules created by other users, a role with the View scheduled reports (all types) permission is required.
Understanding rules
Correlation rules
When you create a correlation rule, you configure a recurring schedule that determines when and how often the associated search query runs.
Behavioral rules
Behavioral rules use the LogScale correlate() function. This function connects multiple arguments and returns multiple detections, surfacing patterns of events linked with specified behavioral keys.
Important: The correlate() function cannot be combined with other aggregation functions in the same query.
For more info about the correlate() function, its syntax, query nodes, output formation, and the behavioral options that comprise behavioral detection rules, see correlate().
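The following is an added illustration, written for this page and not CrowdStrike or LogScale code, of what "events linked by a behavioral key within a time window" means in practice. It is plain Python over constructed sample events, not CQL, and the event types (`failed_login`, `new_service`), the `host` key and the 5-minute window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Falcon data). Each event carries a type,
# a timestamp and the behavioral key (here the host name) used to link events.
EVENTS = [
    {"type": "failed_login", "host": "host-a", "ts": datetime(2024, 1, 1, 10, 0, 0)},
    {"type": "failed_login", "host": "host-a", "ts": datetime(2024, 1, 1, 10, 1, 0)},
    {"type": "new_service",  "host": "host-a", "ts": datetime(2024, 1, 1, 10, 4, 0)},
    {"type": "failed_login", "host": "host-b", "ts": datetime(2024, 1, 1, 10, 0, 0)},
    {"type": "new_service",  "host": "host-b", "ts": datetime(2024, 1, 1, 11, 30, 0)},  # too late
    {"type": "new_service",  "host": "host-c", "ts": datetime(2024, 1, 1, 10, 2, 0)},   # nothing precedes it
]


def correlate_sequence(events, first_type, second_type, key_field, within):
    """Return one detection per `second_type` event that is preceded, on the
    same key, by at least one `first_type` event no more than `within` earlier.
    This is a simplified model of behavioral correlation, not correlate() itself."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault(ev[key_field], []).append(ev)

    detections = []
    for key, evs in by_key.items():
        firsts = [e for e in evs if e["type"] == first_type]
        for second in (e for e in evs if e["type"] == second_type):
            linked = [f for f in firsts
                      if f["ts"] <= second["ts"] and second["ts"] - f["ts"] <= within]
            if linked:
                detections.append({
                    key_field: key,
                    "first_count": len(linked),
                    "span": second["ts"] - linked[0]["ts"],
                    "second_ts": second["ts"],
                })
    return detections


def example_detections():
    """Run the sample: failed logins followed by a new service within 5 minutes."""
    return correlate_sequence(EVENTS, "failed_login", "new_service", "host",
                              timedelta(minutes=5))


if __name__ == "__main__":
    for d in example_detections():
        print(f"{d['host']}: {d['first_count']} failed login(s) then a new service "
              f"within {d['span']}")
```

Only host-a yields a detection: host-b's events are linked by key but fall outside the window, and host-c has the second event without the first. The same two questions, which field links the events and how far apart they may be, are what you answer when choosing the behavioral keys and window of a real rule.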
Sensor rules
The Rules tab also displays sensor rules — built-in rules that trigger sensor detections. You cannot create, edit, or delete sensor rules.
Rule version states
Rule versions provide flexibility in creating and managing correlation rules.
- Draft — Use drafts to save work in progress.
- Unpublished — Set the status to unpublished to facilitate review and testing.
- Published — When ready, set the status to Published. You cannot delete a published version; publish a different version first.
Rule states
- Active — Continues to execute searches and generate detections and cases.
- Inactive — All further searches stop. The configured rule remains available for 365 days. After 365 days, the deactivated rule is deleted permanently.
Frequency and timing
When you create a rule, you specify a search frequency and a search window. The search frequency determines how often the Falcon platform runs the search. The search window determines the period of time that’s searched.
To ensure that all relevant data is searched, configure a search window that’s at least as long as the search frequency. Overlapping searches help to ensure that all data is included, regardless of when logs are uploaded.
If a running search hasn’t completed after 60 minutes, it times out.
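The following added simulation, written for this page and not CrowdStrike code, shows why the search window should be at least as long as the search frequency and how late-uploaded logs interact with the timestamp choice (the Ingested/Created selection described in the procedure below). It assumes a simple model: a search run at time t returns events whose selected timestamp lies in (t - window, t], and it can only see events the cloud had already received by t. Event times and the 15-minute schedule are constructed sample values.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 10, 0)


def at(minutes):
    """Helper: a point in time `minutes` after the constructed start time."""
    return T0 + timedelta(minutes=minutes)


# Constructed sample events: when each was created on the host ("created")
# and when the cloud received it ("ingested"). e3 models a host that uploaded
# its logs 37 minutes late; e4 sits just after a run boundary.
EVENTS = [
    {"id": "e1", "created": at(7),  "ingested": at(7)},
    {"id": "e2", "created": at(12), "ingested": at(12)},
    {"id": "e3", "created": at(3),  "ingested": at(40)},
    {"id": "e4", "created": at(2),  "ingested": at(2)},
]


def scheduled_runs(start, end, frequency):
    """Times at which the rule's search runs (assumed model: fixed cadence)."""
    t = start
    while t <= end:
        yield t
        t += frequency


def covered_events(events, start, end, frequency, window, timestamp_field):
    """IDs of events that at least one scheduled run would return."""
    seen = set()
    for run_at in scheduled_runs(start, end, frequency):
        for ev in events:
            if ev["ingested"] > run_at:
                continue  # not yet in the cloud when this run executed
            ts = ev[timestamp_field]
            if run_at - window < ts <= run_at:
                seen.add(ev["id"])
    return seen


def coverage_report(events=EVENTS):
    """Compare four window/timestamp configurations on the same 15-minute schedule."""
    start, end, freq = at(0), at(60), timedelta(minutes=15)
    return {
        "window_shorter_than_frequency":
            covered_events(events, start, end, freq, timedelta(minutes=10), "created"),
        "window_equals_frequency_created":
            covered_events(events, start, end, freq, timedelta(minutes=15), "created"),
        "window_equals_frequency_ingested":
            covered_events(events, start, end, freq, timedelta(minutes=15), "ingested"),
        "overlapping_window_created":
            covered_events(events, start, end, freq, timedelta(minutes=60), "created"),
    }


if __name__ == "__main__":
    all_ids = {e["id"] for e in EVENTS}
    for name, ids in coverage_report().items():
        print(f"{name}: covered={sorted(ids)} missed={sorted(all_ids - ids)}")
```

A 10-minute window on a 15-minute schedule leaves a 5-minute gap after every run, so e4 is never returned even though it arrived on time. Matching the window to the frequency closes that gap, but a search keyed on the created timestamp still misses e3, whose creation time had already scrolled out of the window by the time its logs were uploaded. Either searching on the ingested timestamp or using a window longer than the frequency (overlapping searches) picks e3 up, which is the trade-off the text above is pointing at.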
Create a rule from scratch
- Go to Next-Gen SIEM > Monitor and investigate > Rules.
- Click Add rule > Create new rule.
- Enter a name for the rule.
- In the Search query field, enter the CQL query. Use Advanced event search to help build and verify your query — when your query is complete, select Create Rule and your query will be automatically added.
- Click Test query to validate.
- Select an event timestamp: Ingested (@ingesttimestamp) for cloud-received time, or Created (@timestamp) for locally-generated time.
- Click Next.
- Optional: Select Create case containing detection to automatically create a case.
- Select a trigger type: Verbose (1 detection per result, 50 detection limit) or Summary (single detection for all results, default).
- Select a severity for the rule.
- Optional: Assign MITRE ATT&CK tactics and techniques (up to 10 each).
- Configure the schedule: start date/time, optional end date/time, search frequency, and search window.
- Configure notifications.
- Click Finish.
Create a rule from a template
- Go to Next-Gen SIEM > Monitor and investigate > Rules.
- Click the Templates tab.
- For the template to use, click Create rule.
- Modify the pre-populated values as needed.
- Click Finish.
To create rules based on templates, Next-Gen SIEM capabilities must be enabled on your CID.
Limitations and considerations
| Constraint | Limit |
|---|---|
| Maximum active rules (including scheduled searches) | 750 |
| Maximum concurrent scheduled searches and rules | 30 |
| Maximum search runtime | 60 minutes |
| Maximum detections per correlation rule execution | 50 |
Notification delivery options
| Method | Description |
|---|---|
| Email | Send to specified email addresses (up to 10 per rule). |
| Slack | Send to integrated Slack channels. Requires CrowdStrike Store integration. |
| PagerDuty | Open incidents in PagerDuty. Requires CrowdStrike Store integration. |
| Microsoft Teams | Send to integrated Teams channels. Requires CrowdStrike Store integration. |
| WebHook | Distribute to other applications. Requires CrowdStrike Store integration. |
Detection coverage management
The Detection coverage dashboard displays MITRE ATT&CK techniques with rule coverage across the Falcon platform. Coverage levels:
- High — One or more active rules associated with the technique
- Low — Inactive rules or available templates not yet associated with rules
- None — No rules or templates associated with the technique