Support

Support for business applications

Kaspersky Unified Monitoring and Analysis Platform

User guide

KUMA resources

Correlation rules

Variables in correlators

Variables in correlators

April 8, 2024

ID 234114

If tracking values in event fields, active lists, or dictionaries is not enough to cover some specific security scenarios, you can use global and local variables. You can use them to take various actions on the values received by the correlators by implementing complex logic for threat detection. Variables can be declared in the correlator (global variables) or in the correlation rule (local variables) by assigning a function to them, then querying them from correlation rules as if they were ordinary event fields and receiving the triggered function result in response.

Usage scope of variables:

When searching for identical or unique field values in correlation rules.
In the correlation rule selectors, in the filters of the conditions under which the correlation rule must be triggered.
When enriching correlation events. Select Event as the source type.
When populating active lists with values.

Variables can be queried the same way as event fields by preceding their names with the $ character.

You can use extended event schema fields in correlation rules, local variables, and global variables.

In this section

Local variables in identical and unique fields

Local variables in selector

Local Variables in event enrichment

Local variables in active list enrichment

Properties of variables

Requirements for variables

Functions of variables

Declaring variables

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.

Thank you for your feedback! You're helping us improve.

Join us on Telegram

Release info, latest updates in the support lifecycle and new articles

QR code for opening Kaspersky Technical Support channel on Telegram