Troubleshooting Correlation Rules in Panther

QUESTION

I see alerts for my individual rules, but my correlation rule didn’t trigger. How do I troubleshoot this?

ANSWER

Resolve any rule errors you've encountered

• Simple Detections error code: You have used incorrect syntax to construct a correlation rule

• Detection error: Execution of your correlation rule has failed

• System error: Your correlation rule has timed out (likely due to a too-large LookbackWindowMinutes value)

To determine why a correlation rule didn’t alert when it should have, verify the following information:

1. Whether the events would actually satisfy the signal rules.

2. Whether the alerts would satisfy the match criteria for transitions.

3. Whether the events were processed in time for the correlation rule to match.

Ensure your alerts are happening within the “lookback window” that you’ve defined in your correlation rule

• To do this, review the timestamps for the alerts/signals generated by the associated rules.

Ensure the correct signals were generated by the associated rules

• The panther_signals.public database and the correlation_signals table is where all rules, scheduled rules, and correlation rules write matches to. The purpose of this is to allow correlation rules to search in one place for matches. Therefore, these rules should create signals here.

• Each alert should have generated a signal with a correlation_rule_matches field with your MatchCriteria key in it that has the matching value.
   

• To do this using Data Explorer:

  • Run the following query - be sure to replace the placeholders with the rule id of your associated rule, and your own time range.

SELECT * 
FROM panther_signals.public.correlation_signals
WHERE p_rule_id = 'YOUR-ASSOCIATED-RULE-ID' AND p_occurs_between('2024-07-17', '2024-07-19')
LIMIT 100;

• To do this using Search tool:

  • In the “Logs” dropdown, unselect Logs and selectSignals. In the “All tables” dropdown, select Correlation Signals.

  • Use the time picker to select a reasonable time frame.

  • Then, add a search like: RuleID is YOUR_ASSOCIATED_RULE_ID and click Search.

• If the correct signals exist: There is an issue with the correlation rule logic or implementation.

• If the correct signals don’t exist: There is an issue with the associated rule and subsequent signals implementation.

Unit testing

• Use the unit testing feature to evaluate whether, given certain conditions, a match on your correlation rule would be generated.

• Please refer to Panther's documentation on Testing Correlation Rules for more information and examples of unit tests.

Limitations of correlation rules

• When creating your correlation rule, please also be aware of the limitations listed in our documentation.
  

If your correlation rule still doesn't trigger after trying the troubleshooting steps above, please contact Panther’s Support team and provide the following information:

• Correlation rule YAML and your configured “alert settings”

• Individual rule code for the associated rules

• Timestamps of the events: log event times, log parse times

• The output results from your Data Explorer query or Search for signals (as mentioned above).