Using Derived Detections with Correlation Rules in Panther

Last updated: June 13, 2025

QUESTION

Do derived detections work with correlation rules? How can I tune correlation rules using derived detections?

ANSWER

While derived detections can technically be used within correlation rules, they do not automatically replace their parent detections in existing correlation rules. Here's how to properly implement derived detections with correlation rules:

Steps to Use Derived Detections in Correlation Rules

  1. Create your derived detection with the desired filtering logic

  2. Clone the existing correlation rule you want to modify

  3. Update the YAML configuration in your cloned correlation rule so that the sequence step that referenced the parent detection now references the RuleID of your new derived detection (the derived detection must itself be enabled, since a correlation rule only advances on alerts from the rules it references)

  4. Disable the original correlation rule

  5. Deploy your new custom correlation rule version
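The five steps above as one added worked example (illustrative YAML written for this page, not Panther's own content or any rule shipped with Panther). The rule IDs, field paths, filter values, time windows and match keys are all assumptions; the key names follow Panther's derived-detection (`BaseDetection`, `InlineFilters`) and correlation-rule (`Detection`, `Sequence`, `Transitions`, `Schedule`) schema as understood at time of writing, so check them against the current Panther documentation before deploying:

```yaml
# Step 1: the derived detection. It inherits the parent's logic and narrows it
# with an inline filter. Every ID and field here is assumed for illustration.
AnalysisType: rule
RuleID: Custom.Console.Login.Admins        # assumed: ID of the derived detection
BaseDetection: Custom.Console.Login        # assumed: RuleID of the parent detection
DisplayName: Console Login (admin principals only)
Enabled: true                              # must be enabled for the correlation rule to advance
InlineFilters:
  - KeyPath: userIdentity.arn              # assumed field path in the parent's log type
    Condition: Contains                    # assumed condition name
    Value: ":user/admin-"

---
# Steps 2 and 3: the cloned correlation rule. Only the first sequence step
# changed: it now points at the derived detection's RuleID instead of the parent's.
AnalysisType: correlation_rule
RuleID: Custom.AdminLogin.Then.IAMChange   # assumed: new ID for the clone
DisplayName: Admin console login followed by IAM policy change
Enabled: true
Severity: High
Detection:
  - Sequence:
      - ID: AdminLogin
        RuleID: Custom.Console.Login.Admins   # derived detection, not Custom.Console.Login
      - ID: IAMChange
        RuleID: Custom.IAM.PolicyChange       # assumed second rule, unchanged from the original
    Transitions:
      - ID: Admin login then IAM change
        From: AdminLogin
        To: IAMChange
        WithinTimeFrame: 30m
        Match:
          - On: p_any_aws_arns               # assumed match key
    Schedule:
      RateMinutes: 30
      TimeoutMinutes: 5

---
# Step 4: the original correlation rule, left in place but disabled. If it stayed
# enabled it would still alert on the parent detection for every sequence the
# clone catches, producing duplicate alerts.
AnalysisType: correlation_rule
RuleID: Custom.Login.Then.IAMChange        # assumed: ID of the original rule
Enabled: false
```

Step 5 is then the normal deployment of the three files through whichever upload path you use (Panther Analysis Tool or the console). The reason the filter lives in the derived detection rather than the correlation rule is that the correlation rule only sees which referenced rules alerted and when; it has no access to the underlying event fields, so the narrowing has to happen before the alert is produced.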

Important Notes

  • Correlation rules will not automatically use derived detections; you must reference the derived detection's own RuleID explicitly in the rule sequence, otherwise the rule keeps matching on the parent detection

  • You cannot add filtering logic directly within correlation rules; a correlation rule only sees which of its referenced rules alerted and when, so any narrowing on event fields must be done in the derived detection that the sequence references

  • When using derived detections for correlation rules, always disable the original correlation rule: events that match the derived detection also match its parent, so an original rule that is still enabled would alert on the same sequence and produce duplicate alerts

For optimal alert management, create derived detections with specific filtering logic before modifying correlation rules to use them.