Variables in correlators

If tracking values in event fields, active lists, or dictionaries is not enough to cover a specific security scenario, you can use global and local variables. They let you apply complex threat-detection logic to the values received by the correlator. Variables are declared in the correlator (global variables) or in a correlation rule (local variables) by assigning a function to each of them; a correlation rule then queries them as if they were ordinary event fields and receives the result of the function in response.

Usage scope of variables:

Variables can be queried the same way as event fields by preceding their names with the $ character.
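The following is an added illustrative model, not KUMA's own syntax or code: it shows the idea described above, that a variable is a function declared once (globally on the correlator or locally in a rule) and then read by a rule through a "$name" reference exactly like an event field. The lookup order (event field first, then the rule's local variables, then the correlator's global variables), the per-event caching and the cycle guard are assumptions of this model, and the sample events and field names are constructed.

```python
"""Illustrative model of correlator variables (added example, not KUMA code).

A variable is a function that is evaluated when a rule reads "$name".
Lookup order, caching and cycle detection below are assumptions of the model.
"""
from typing import Any, Callable, Dict

VarFunc = Callable[["Resolver"], Any]


class Resolver:
    """Resolves "$name" references for one event against rule-local and
    correlator-global variables, computing each variable at most once."""

    def __init__(self, event: Dict[str, Any],
                 local_vars: Dict[str, VarFunc],
                 global_vars: Dict[str, VarFunc]) -> None:
        self.event = event
        self.local_vars = local_vars
        self.global_vars = global_vars
        self._cache: Dict[str, Any] = {}
        self._in_progress: set = set()

    def get(self, ref: str) -> Any:
        name = ref[1:] if ref.startswith("$") else ref
        if name in self.event:              # assumed: a real event field wins
            return self.event[name]
        if name in self._cache:             # each variable is computed once per event
            return self._cache[name]
        func = self.local_vars.get(name) or self.global_vars.get(name)
        if func is None:
            raise KeyError(f"unknown field or variable: {ref}")
        if name in self._in_progress:       # guard against $a -> $b -> $a
            raise RecursionError(f"circular variable definition: {ref}")
        self._in_progress.add(name)
        try:
            value = func(self)
        finally:
            self._in_progress.discard(name)
        self._cache[name] = value
        return value


# Constructed sample: one global variable on the correlator and one rule that
# declares a local variable and a condition reading both through "$".
GLOBAL_VARS: Dict[str, VarFunc] = {
    # normalised user name, reusable by every rule of this correlator
    "user_lc": lambda r: str(r.get("$SourceUserName")).lower(),
}

RULE = {
    "name": "rdp_from_internal_admin",          # hypothetical rule name
    "variables": {
        # local variable: only this rule can read $is_rdp_internal
        "is_rdp_internal": lambda r: (
            r.get("$DestinationPort") == 3389
            and str(r.get("$SourceAddress")).startswith("10.")
        ),
    },
    # the condition mixes a local variable, a global variable and raw fields
    "condition": lambda r: (
        r.get("$is_rdp_internal") and r.get("$user_lc") == "administrator"
    ),
}


def evaluate(rule: Dict[str, Any], event: Dict[str, Any],
             global_vars: Dict[str, VarFunc] = GLOBAL_VARS) -> bool:
    """Return True when the rule's condition holds for the event."""
    r = Resolver(event, rule["variables"], global_vars)
    return bool(rule["condition"](r))


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"SourceUserName": "ADMINISTRATOR", "SourceAddress": "10.1.2.3", "DestinationPort": 3389},
    {"SourceUserName": "administrator", "SourceAddress": "203.0.113.7", "DestinationPort": 3389},
    {"SourceUserName": "alice", "SourceAddress": "10.1.2.3", "DestinationPort": 3389},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["SourceUserName"], ev["SourceAddress"], "->", evaluate(RULE, ev))
```

Only the first sample event matches: the global variable normalises the user name regardless of case, while the second event fails the local variable (external source address) and the third fails the user check. The cycle guard is there because a variable that refers to itself through another variable would otherwise recurse forever at evaluation time rather than fail at declaration time.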

In this section

Properties of variables

Requirements for variables

Functions of variables

Declaring variables
