The Logic Gate • Room 1

Understanding Correlation Searches

A **Correlation Search** continuously evaluates data against a set of predefined conditions. When the conditions are met, it triggers one or more actions (like creating a Notable Event or adding to a Risk score).

Unlike standard alerts, Correlation Searches are tightly integrated with the ES framework, automatically populating fields like urgency, risk object, and providing drill-down search capabilities.

Example: Brute Force Detection

| tstats count from datamodel=Authentication where Authentication.action="failure" by Authentication.user | where count > 10

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

❤️❤️❤️

Question 1 of 1

What is the primary output of a standard Correlation Search in ES?

AA summary index entry

BA Notable Event

CA PDF report

DA raw log file