Variables in correlators

May 15, 2024

ID 265143

If tracking values in event fields, active lists, or dictionaries is not enough to cover a specific security scenario, you can use global and local variables. They let you perform various operations on the values received by the correlators, implementing complex threat detection logic. Variables are declared in the correlator (global variables) or in a correlation rule (local variables) by assigning a function to them; correlation rules then query them as if they were ordinary event fields and receive the result of the triggered function in response.

Usage scope of variables:

  • When searching for grouping or unique field values in correlation rules.
  • In the correlation rule selectors, in the filters of the conditions under which the correlation rule should be triggered.
  • When enriching correlation events. Select Event as the source type.
  • When filling active lists with values.

Variables can be queried the same way as event fields by preceding their names with the $ character.
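As an added illustration (not code from the KUMA documentation), a small Python model of the concepts above: a global variable declared on the correlator, a local variable declared on a rule, and both queried with the `$` prefix in a selector filter, as the grouping field, in event enrichment and as the active list key. The class names, the lookup order for a `$` reference and the sample events are assumptions of this model, not KUMA behaviour.

```python
# Constructed model of correlator variables (not KUMA's own code or syntax).
# Lookup order for a `$name` reference (event field, then local variable, then
# global variable) is an assumption of this model.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
class Correlator:
    def __init__(self, global_vars):
        self.global_vars = global_vars   # name -> function(event); visible to every rule
        self.active_list = {}            # key -> number of hits

class CorrelationRule:
    def __init__(self, correlator, local_vars):
        self.correlator = correlator
        self.local_vars = local_vars     # name -> function(event); visible only in this rule
    def get(self, ref, event):
        """Query `$name` like an event field; a variable answers with its function's result."""
        name = ref.lstrip("$")
        if name in event:
            return event[name]
        if name in self.local_vars:
            return self.local_vars[name](event)
        if name in self.correlator.global_vars:
            return self.correlator.global_vars[name](event)
        raise KeyError(f"unknown field or variable: {ref}")
    def selector(self, event):
        # Filter condition: non-RFC1918 source connecting to port 22.
        return self.get("$is_external", event) and self.get("$DestinationPort", event) == 22
    def process(self, event):
        if not self.selector(event):
            return None
        key = self.get("$source_host", event)   # grouping field and active-list key
        self.correlator.active_list[key] = self.correlator.active_list.get(key, 0) + 1
        return {**event, "Message": f"external SSH source {key}"}   # enrichment

def build_rule():
    correlator = Correlator({"source_host": lambda e: e["SourceHostName"].lower()})
    is_ext = lambda e: not any(ipaddress.ip_address(e["SourceAddress"]) in n for n in RFC1918)
    return CorrelationRule(correlator, {"is_external": is_ext})

SAMPLE_EVENTS = [   # constructed sample events, not real data
    {"SourceAddress": "203.0.113.7", "SourceHostName": "SCANNER-01", "DestinationPort": 22},
    {"SourceAddress": "10.0.0.5", "SourceHostName": "admin-pc", "DestinationPort": 22},
    {"SourceAddress": "203.0.113.7", "SourceHostName": "Scanner-01", "DestinationPort": 22},
]
def run():
    rule = build_rule()
    hits = [rule.process(e) for e in SAMPLE_EVENTS]
    return {"hits": hits, "active_list": rule.correlator.active_list}
```

The two events from the same host differ only in letter case, so grouping on the `$source_host` variable rather than the raw field collapses them into one active list entry.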

In this section

Local variables in identical and unique fields

Local variables in selector

Local variables in event enrichment

Local variables in active list enrichment

Properties of variables

Requirements for variables

Functions of variables

Declaring variables
