Correlation rules of the 'standard' type

Kaspersky

Online Help

Kaspersky Unified Monitoring and Analysis Platform

Support Send link Get as PDF

User guide > KUMA resources > Correlation rules > Correlation rules of the 'standard' type

Correlation rules of the 'standard' type

Expand all | Collapse all

Correlation rules of the standard type are used for identifying complex patterns in processed events.

The search for patterns is conducted by using buckets

Settings for a correlation rule of the standard type are described in the following tables.

General tab

This tab lets you specify the general settings of the correlation rule.

Setting	Description
Name	Unique name of the resource. The maximum length of the name is 128 Unicode characters. Required setting.
Tenant	The name of the tenant that owns the resource. Required setting.
Type	Correlation rule type: standard. Required setting.
Tags
Identical fields	Event fields that must be grouped in a Bucket. The hash of the values of the selected event fields is used as the Bucket key. If one of the selectors specified on the Selectors tab is triggered, the selected event fields are copied to the correlation event. If different selectors of the correlation rule use event fields that have different meanings in the events, do not specify such event fields in the Identical fields drop-down list. You can specify local variables. To refer to a local variable, its name must be preceded with the `$` character. For an example of using local variables, refer to the rule provided with KUMA: R403_Access to malicious resources from a host with disabled protection or an out-of-date anti-virus database. Required setting.
Window, sec	Bucket lifetime in seconds. The time starts counting when the bucket is created, when the bucket receives the first event. When the bucket lifetime expires, the trigger specified on the Actions → On timeout tab is triggered, and the container is deleted. Triggers specified on the Actions → On every threshold and On subsequent thresholds tabs can trigger more than once during the lifetime of the bucket. Required setting.
Unique fields	Unique event fields to be sent to the bucket. If you specify unique event fields, only these event fields will be sent to the container. The hash of values of the selected fields is used as the Bucket key. You can specify local variables. To refer to a local variable, its name must be preceded with the `$` character. For an example of using local variables, refer to the rule provided with KUMA: R403_Access to malicious resources from a host with disabled protection or an out-of-date anti-virus database.
Rate limit	Maximum number of times a correlation rule can be triggered per second. The default value is `0`. If correlation rules employing complex logic for pattern detection are not triggered, this may be due to the way rule triggers are counted in KUMA. In this case, we recommend increasing the Rate limit, for example, to `1000000`.
Base events keep policy	This drop-down list lets you select base events that you want to put in the correlation event: first—this option is used to store the first base event of the event collection that triggered creation of the correlation event. This value is selected by default. last—this option is used to store the last base event of the event collection that triggered creation of the correlation event. all—this option is used to store all base events of the event collection that triggered creation of the correlation event.
Severity	Base coefficient used to determine the importance of a correlation rule: Critical High Medium Low (default)
Order by	Event field to be used by selectors of the correlation rule to track the evolution of the situation. This can be useful, for example, if you want to configure a correlation rule to be triggered when several types of events occur in a sequence.
Description	Description of the resource. The maximum length of the description is 4000 Unicode characters.
MITRE techniques	Downloaded MITRE ATT&CK techniques for analyzing the security coverage status using the MITRE ATT&CK matrix.
Use unique field mapping

Selectors tab

This tab is used to define the conditions that the processed events must fulfill to trigger the correlation rule. To add a selector, click the + Add selector button. You can add multiple selectors, reorder selectors, or remove selectors. To reorder selectors, use the reorder DragIcon icons. To remove a selector, click the delete cross-black icon next to it.

Each selector has a Settings tab and a Local variables tab.

The settings available on the Settings tab are described in the table below.

Setting	Description
Name	Unique name of the resource. The maximum length of the name is 128 Unicode characters. Required setting.
Selector threshold (event count)	The number of events that must be received for the selector to trigger. The default value is `1`. Required setting.
Recovery	This toggle switch lets the correlation rule not trigger when the selector receives the number of events specified in the Selector threshold (event count) field. This toggle switch is turned off by default.
Filter	The filter that defines criteria for identifying events that trigger the selector when received. You can select an existing filter or create a new filter. To create a new filter, select Create new. If you want to edit the settings of an existing filter, click the pencil icon next to it. How to create a filter? To create a filter: In the Filter drop-down list, select Create new. If you want to keep the filter as a separate resource, select the Save filter check box. In this case, you will be able to use the created filter in various services. This check box is cleared by default. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. Maximum length of the name: 128 Unicode characters. Under Conditions, specify the conditions that the events must meet: Click the Add condition button. In the Left operand and Right operand drop-down lists, specify the search parameters. Depending on the data source selected in the Right operand field, fields of additional parameters for identifying the value to be passed to the filter may be displayed. For example, when you select active list, you must specify the name of the active list, the entry key, and the entry key field. In the operator drop-down list, select an operator. Filter operators =—the left operand equals the right operand. <—the left operand is less than the right operand. <=—the left operand is less than or equal to the right operand. >—the left operand is greater than the right operand. >=—the left operand is greater than or equal to the right operand. inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet). contains—the left operand contains values of the right operand. startsWith—the left operand starts with one of the values of the right operand. endsWith—the left operand ends with one of the values of the right operand. match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used. hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list). The value to be checked is converted to binary and processed right to left. Chars are checked whose index is specified as a constant or a list. If the value being checked is a string, then an attempt is made to convert it to integer and process it in the way described above. If the string cannot be converted to a number, the filter returns `False`. hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand. If you do not specify the ID and severity of the vulnerability, the filter is triggered if the asset in the event being checked has any vulnerability. inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list. inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields. inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand. inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand. TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators. inContextTable—presence of the entry in the specified context table. intersect—presence in the left operand of the list items specified in the right operand. If you want the operator to be case-insensitive, select the do not match case check box. The selection of this check box does not apply to the InSubnet, InActiveList, InCategory or InActiveDirectoryGroup operators. This check box is cleared by default. If you want to add a negative condition, select If not from the If drop-down list. You can add multiple conditions or a group of conditions. If you have added multiple conditions or groups of conditions, choose a selection condition (and, or, not) by clicking the AND button. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button. You can view the nested filter settings by clicking the button. Filtering based on data from the Extra event field Conditions for filters based on data from the `Extra` event field: Condition—If. Left operand—event field. In this event field, you can specify one of the following values: `Extra` field. Value from the `Extra` field in the following format: `Extra.<field name>` For example, `Extra.app`. You must specify the value manually. Value from the array written to the `Extra` field in the following format: `Extra.<field name>.<array element>` For example, `Extra.array.0`. The values in the array are numbered starting from 0. You must specify the value manually. To work with a value in the `Extra` field at a depth of 3 and lower, you must use backticks ``, for example, `Extra.lev1.lev2.lev3`. Operator – =. Right operand—constant. Value—the value by which you need to filter events. The order of conditions specified in the selector filter of the correlation rule is significant and affects system performance. We recommend putting the most unique condition in the first place in the selector filter. Consider two examples of selector filters that select successful authentication events in Microsoft Windows. Selector filter 1: Condition 1: `DeviceProduct = Microsoft Windows`. Condition 2: `DeviceEventClassID = 4624`. Selector filter 2: Condition 1: `DeviceEventClassID = 4624`. Condition 2: `DeviceProduct = Microsoft Windows`. The order of conditions specified in selector filter 2 is preferable because it places less load on the system.

On the Local variables tab, you can add variables that will be valid inside the correlation rule. To add a variable, click the + Add button, then specify the variable and its value. You can add multiple variables or delete variables. To delete a variable, select the check box next to it and click the Delete button.

In the selector of the correlation rule, you can use regular expressions conforming to the RE2 standard. Using regular expressions in correlation rules is computationally intensive compared to other operations. When designing correlation rules, we recommend limiting the use of regular expressions to the necessary minimum and using other available operations.

To use a regular expression, you must use the match operator. The regular expression must be placed in a constant. The use of capture groups in regular expressions is optional. For the correlation rule to trigger, the field text matched against the regexp must exactly match the regular expression.

For a primer on the syntax and examples of correlation rules that use regular expressions in their selectors, refer to the following rules that are provided with KUMA:

R105_04_Suspicious PowerShell commands. Suspected obfuscation.
R333_Suspicious creation of files in the autorun folder.

Actions tab

You can use this tab to configure the triggers of the correlation rule. You can configure triggers on the following tabs:

On first threshold triggers when the Bucket registers the first triggering of the selector during the lifetime of the Bucket.
On subsequent thresholds triggers when the Bucket registers the second and all subsequent triggering of the selector during the lifetime of the Bucket.
On every threshold triggers every time the Bucket registers the triggering of the selector.
On timeout triggers when the lifetime of the Bucket ends, and is used together with a selector that has the Recovery check box selected in its settings. Thus, this trigger activates if the situation detected by the correlation rule is not resolved within the specified lifetime.

Available trigger settings are listed in the table below.

Setting

Description

Output

This check box enables the sending of correlation events for post-processing, that is, for external enrichment outside the correlation rule, for response, and to destinations. By default, this check box is cleared.

Loop to correlator

This check box enables the processing of the created correlation event by the rule chain of the current correlator. This makes hierarchical correlation possible. By default, this check box is cleared.

If the Output and Loop to correlator check boxes are selected, the correlation rule is sent to post-processing first, and then to the selectors of the current correlation rule.

No alert

The check box disables the creation of alerts when the correlation rule is triggered. By default, this check box is cleared.

If you do not want to create an alert when a correlation rule is triggered, but you still want to send a correlation event to the storage, select the Output and No alert check boxes. If you select only the No alert check box, a correlation event is not saved in the storage.

Enrichment

Enrichment rules for modifying the values of correlation event fields. Enrichment rules are stored in the correlation rule where they were created. To create an enrichment rule, click the + Add enrichment button.

Available enrichment rule settings:

Original type is the type of the enrichment. When you select some enrichment types, additional settings may become available that you must specify.

Available types of enrichment:

constant

dictionary

table

event
This type of enrichment is used when you need to write a value from another event field to the current event field. Available enrichment type settings are listed in the table below.

Available enrichment type settings

Setting

Description

Target field

The KUMA event field that you want to populate with the data.

Source field

The event field whose value is written to the target field.

Clicking opens the Conversion window, in which you can click Add conversion to create rules for modifying the source data before writing them to the KUMA event fields. You can reorder and delete created rules. To change the position of a rule, click next to it. To delete a rule, click next to it.

Available conversions
Conversions are modifications that are applied to a value before it is written to the event field. You can select one of the following conversion types from the drop-down list:
- entropy is used for converting the value of the source field using the information entropy calculation function and placing the conversion result in the target field of the float type. The result of the conversion is a number. Calculating the information entropy allows detecting DNS tunnels or compromised passwords, for example, when a user enters the password instead of the login and the password gets logged in plain text.
- lower—is used to make all characters of the value lowercase
- upper—is used to make all characters of the value uppercase
- regexp – used to convert a value using a specified RE2 regular expression. When you select this type of conversion, a field is displayed in which you must specify the RE2 regular expression.
- substring is used to extract characters in a specified range of positions. When you select this type of conversion, the Start and End fields are displayed, in which you must specify the range of positions.
- replace—is used to replace specified character sequence with the other character sequence. When you select this type of conversion, the following fields are displayed:
  - Replace chars specifies the sequence of characters to be replaced.
  - With chars is the character sequence to be used instead of the character sequence being replaced.
- trim removes the specified characters from the beginning and from the end of the event field value. When you select this type of conversion, the Chars field is displayed in which you must specify the characters. For example, if a trim conversion with the Micromon value is applied to Microsoft-Windows-Sysmon, the new value is soft-Windows-Sys.
- append appends the specified characters to the end of the event field value. When you select this type of conversion, the Constant field is displayed in which you must specify the characters.
- prepend prepends the specified characters to the beginning of the event field value. When you select this type of conversion, the Constant field is displayed in which you must specify the characters.
- replace with regexp is used to replace RE2 regular expression results with the specified character sequence. When you select this type of conversion, the following fields are displayed:
  - Expression is the RE2 regular expression whose results you want to replace.
  - With chars is the character sequence to be used instead of the character sequence being replaced.
- Converting encoded strings to text:
  - decodeHexString—used to convert a HEX string to text.
  - decodeBase64String—used to convert a Base64 string to text.
  - decodeBase64URLString—used to convert a Base64url string to text.
  When converting a corrupted string or if conversion error occur, corrupted data may be written to the event field.
  
  During event enrichment, if the length of the encoded string exceeds the size of the field of the normalized event, the string is truncated and is not decoded.
  
  If the length of the decoded string exceeds the size of the event field into which the decoded value is to be written, the string is truncated to fit the size of the event field.
Conversions when using the extended event schema

Whether or not a conversion can be used depends on the type of extended event schema field being used:
- For an additional field of the "String" type, all types of conversions are available.
- For fields of the "Number" and "Float" types, the following types of conversions are available: regexp, substring, replace, trim, append, prepend, replaceWithRegexp, decodeHexString, decodeBase64String, and decodeBase64URLString.
- For fields of "Array of strings", "Array of numbers", and "Array of floats" types, the following types of conversions are available: append and prepend.
When using enrichment of events that have event selected as the Source kind and the extended event schema fields are used as arguments, the following special considerations apply:
- If the source extended event schema field has the "Array of strings" type, and the target extended event schema field has the "String" type, the values are written to the target extended event schema field in TSV format.
  Example: The SA.StringArray extended event schema field contains values: "string1", "string2", "string3". An event enrichment operation is performed. The result of the event enrichment operation is written to the DeviceCustomString1 extended event schema field. The DeviceCustomString1 extended event schema field contains values: ["string1", "string2", "string3"].
- If the source and target extended event schema fields have the "Array of strings" type, values of the source extended event schema field are added to the values of the target extended event schema field, and the "," character is used as the delimiter character.
  Example: The SA.StringArrayOne field of the extended event scheme contains the ["string1", "string2", "string3"] values, and the SA.StringArrayTwo field of the extended event scheme contains the ["string4", "string5", "string6"] values. An event enrichment operation is performed. The result of the event enrichment operation is written to the SA.StringArrayTwo field of the extended event scheme. The SA.StringArrayTwo extended event schema field contains values: ["string4", "string5", "string6", "string1", "string2", "string3"].

template

Required setting.

The Debug toggle switch enables resource logging. This toggle switch is turned off by default.
Tags

You can create multiple enrichment rules, reorder enrichment rules, or delete enrichment rules. To reorder enrichment rules, use the reorder DragIcon icons. To delete an enrichment rule, click the delete cross-black icon next to it.

Categorization

Categorization rules for assets involved in the event. Using categorization rules, you can link and unlink only reactive categories to and from assets. To create an enrichment rule, click the + Add categorization button.

Available categorization rule settings:

Action is the operation applied to the category:
- Add: Link the category to the asset.
- Delete: Unlink the category from the asset.
Required setting.
Event field is the field of the event that contains the asset to which the operation will be applied.
Required setting.
Category ID is the category to which the operation will be applied.
Required setting.

You can create multiple categorization rules, reorder categorization rules, or delete categorization rules. To reorder categorization rules, use the reorder DragIcon icons. To delete a categorization rule, click the delete cross-black icon next to it.

Active lists update

Operations with active lists. To create an operation with an active list, click the + Add active list action button.

Available parameters of an active list operation:

Name specifies the active list to which the operation is applied. If you want to edit the settings of an active list, click the pencil icon next to it.
Required setting.
Operation is the operation that is applied to the active list:
- Sum—add a constant, the value of a correlation event field, or the value of a local variable to the value of the active list.
- Set—write the values of the selected fields of the correlation event into the Active list by creating a new or updating an existing Active list entry. When the Active list entry is updated, the data is merged and only the specified fields are overwritten.
- Get—get the Active list entry and write the values of the selected fields into the correlation event.
- Delete—delete the Active list entry.
Required setting.
Key fields are event fields that are used to create an active list entry. The specified event fields are also used as the key of the active list entry.
The active list entry key depends on the available event fields and does not depend on the order in which they are displayed in the KUMA web interface.

Required setting.
Mapping: Rules for mapping active list fields to event fields. You can use mapping rules if in the Operation drop-down list, you selected Get or Set. To create a mapping rule, click the + Add button.
Available mapping rule settings:
- Active list field is the active list field that is mapped to the event field. The field must not contain special characters or numbers only.
- KUMA field is the event field to which the active list field is mapped.
- Constant is a constant that is assigned to the active list field. You need to specify a constant if in the Operation drop-down list, you selected Set.
You can create multiple mapping rules or delete mapping rules. To delete a mapping rule, select the check box next to it and click Delete.

You can create multiple operations with active lists, reorder operations with active lists, or delete operations with active lists. To reorder operations with active lists, use the reorder DragIcon icons. To delete an operation with an active list, click the delete cross-black icon next to it.

Updating context tables

Operations with context tables. To create an operation with a context table, click the + Add context table action button.

Available parameters of a context table operation:

Name specifies the context table to which the operation is applied. If you want to edit the settings of a context table, click the pencil icon next to it.
Required setting.
Operation is the operation that is applied to the context table:
- Sum—add a constant, the value of a correlation event field, or the value of a local variable to the value of the context table. This operation is used only for fields of Number and Float types.
- Set—write the values of the selected fields of the correlation event into the context table by creating a new or updating an existing context table entry. When the context table entry is updated, the data is merged and only the specified fields are overwritten.
- Merge—append the value of a correlation event field, local variable, or constant to the current value of a field of the context table.
- Get—get the fields of the context table and write the values of the specified fields into the correlation event. Table fields of the boolean type and lists of boolean values are excluded from mapping because the event does not contain boolean fields.
- Delete—delete the context table entry.
Required setting.
Mapping: Rules for mapping context table fields to event fields or variables. You can use mapping rules if in the Operation drop-down list, you selected something other than Delete. To create a mapping rule, click the + Add button.
Available mapping rule settings:
- Context table field is the context table field that is mapped to an event field. You cannot specify a context table field that is already used in a mapping. You can specify tabulation characters, special characters, or just numbers. The maximum length of a context table field name is 128 characters. A context table field name cannot begin with an underscore.
- KUMA field is the event field or local variable to which the context table field is mapped.
- Constant is a constant that is assigned to the context table field. You need to specify a constant if in the Operation drop-down list, you selected Set, Merge, or Sum. The maximum length of a constant is 1024 characters.
You can create multiple mapping rules or delete mapping rules. To delete a mapping rule, select the check box next to it and click Delete.

You can create multiple operations with context tables, reorder operations with context tables, or delete operations with context tables. To reorder operations with context tables, use the reorder DragIcon icons. To delete an operation with a context tables, click the delete cross-black icon next to it.

Correlators tab

This tab is displayed only when you edit the settings of the created correlation rule; on this tab, you can link correlators to the correlation rule.

To add correlators, click the + Add button, specify one or more correlators in the displayed window, and click OK. The correlation rule is linked to the specified correlators and added to the end of the execution queue in the correlator settings. If you want to change the position of a correlation rule in the execution queue, go to the Resources → Correlator section, click the correlator, and in the displayed window, go to the Correlation section, select the check box next to the correlation rule, and change the position of the correlation rule by clicking the Move up and Move down buttons.

You can add multiple correlators or delete correlators. To delete a correlator, select the check box next to it and click Delete.

Article ID: 221197, Last review: Apr 23, 2025

Page top