Correlation engine APIs

Correlation engine APIs allow you to create new correlation rules, view findings and correlations within a certain time window, and perform other tasks.

Create correlation rules between log types

This API is used to create correlation rules:

  1. POST /_plugins/_security_analytics/correlation/rules

Request fields

FieldTypeDescription
indexStringThe name of the index used as the log source.
queryStringThe query used to filter security logs for correlation.
categoryStringThe log type associated with the log source.

Example request

  1. POST /_plugins/_security_analytics/correlation/rules
  2. {
  3.   "correlate": [
  4.     {
  5.       "index": "vpc_flow",
  6.       "query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6",
  7.       "category": "network"
  8.     },
  9.     {
  10.       "index": "windows",
  11.       "query": "winlog.event_data.SubjectDomainName:NTAUTHORI*",
  12.       "category": "windows"
  13.     },
  14.     {
  15.       "index": "ad_logs",
  16.       "query": "ResultType:50126",
  17.       "category": "ad_ldap"
  18.     },
  19.     {
  20.       "index": "app_logs",
  21.       "query": "endpoint:/customer_records.txt",
  22.       "category": "others_application"
  23.     }
  24.   ]
  25. }

copy

Example response

  1. {
  2.   "_id": "DxKEUIkBpIjg64IK4nXg",
  3.   "_version": 1,
  4.   "rule": {
  5.     "name": null,
  6.     "correlate": [
  7.       {
  8.         "index": "vpc_flow",
  9.         "query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6",
  10.         "category": "network"
  11.       },
  12.       {
  13.         "index": "windows",
  14.         "query": "winlog.event_data.SubjectDomainName:NTAUTHORI*",
  15.         "category": "windows"
  16.       },
  17.       {
  18.         "index": "ad_logs",
  19.         "query": "ResultType:50126",
  20.         "category": "ad_ldap"
  21.       },
  22.       {
  23.         "index": "app_logs",
  24.         "query": "endpoint:/customer_records.txt",
  25.         "category": "others_application"
  26.       }
  27.     ]
  28.   }
  29. }

Response fields

FieldTypeDescription
_idStringThe Id for the new rule.

List all findings and their correlations within a time window

This API provides a list of all findings and their correlations within a specified time window:

  1. GET /_plugins/_security_analytics/correlations?start_timestamp=<start time in milliseconds>&end_timestamp=<end time in milliseconds>

Query parameters

ParameterTypeDescription
start_timestampNumberStart time for the time window, in milliseconds.
end_timestampNumberEnd time for the time window, in milliseconds.

Example request

  1. GET /_plugins/_security_analytics/correlations?start_timestamp=1689289210000&end_timestamp=1689300010000

copy

Example response

  1. {
  2.   "findings": [
  3.     {
  4.       "finding1": "931de5f0-a276-45d5-9cdb-83e1045a3630",
  5.       "logType1": "network",
  6.       "finding2": "1e6f6a12-83f1-4a38-9bb8-648f196859cc",
  7.       "logType2": "test_windows",
  8.       "rules": [
  9.         "nqI2TokBgL5wWFPZ6Gfu"
  10.       ]
  11.     }
  12.   ]
  13. }

Response fields

FieldTypeDescription
finding1StringThe Id for a first finding in the correlation.
logType1StringThe log type associated with the first finding.
finding2StringThe Id for a second finding in the correlation.
logType2StringThe log type associated with the second finding.
rulesArrayA list of correlation rule IDs associated with the correlated findings.

List correlations for a finding belonging to a log type

This API is used to list correlations for specific findings and the log types associated with them:

  1. GET /_plugins/_security_analytics/findings/correlate?finding=425dce0b-f5ee-4889-b0c0-7d15669f0871&detector_type=ad_ldap&nearby_findings=20&time_window=10m

Query parameters

ParameterTypeDescription
findingStringThe finding ID.
detector_typeStringThe log type for the detector.
nearby_findingsNumberThe number of nearby findings with respect to the given finding Id.
time_windowStringSets a time window in which all of the correlations must have occurred together.

Example request

  1. GET /_plugins/_security_analytics/findings/correlate?finding=425dce0b-f5ee-4889-b0c0-7d15669f0871&detector_type=ad_ldap&nearby_findings=20&time_window=10m

copy

Example response

  1. {
  2.   "findings": [
  3.     {
  4.       "finding": "5c661104-aaa9-484b-a91f-9cad4ae6d5f5",
  5.       "detector_type": "others_application",
  6.       "score": 0.000015182109564193524
  7.     },
  8.     {
  9.       "finding": "2485b623-6573-42f4-a055-9b927e38a65f",
  10.       "detector_type": "ad_ldap",
  11.       "score": 0.000001615897872397909
  12.     },
  13.     {
  14.       "finding": "051e00ad-5996-4c41-be20-f992451d1331",
  15.       "detector_type": "windows",
  16.       "score": 0.000016230604160227813
  17.     },
  18.     {
  19.       "finding": "f11ca8a3-50d7-4074-a951-51439aa9e67b",
  20.       "detector_type": "s3",
  21.       "score": 0.000001759401811796124
  22.     },
  23.     {
  24.       "finding": "9b86980e-5fb7-4c5a-bd1b-879a1e3baf12",
  25.       "detector_type": "network",
  26.       "score": 0.0000016306962606904563
  27.     },
  28.     {
  29.       "finding": "e7dea5a1-164f-48f9-880e-4ba33e508713",
  30.       "detector_type": "network",
  31.       "score": 0.00001632626481296029
  32.     }
  33.   ]
  34. }

Response fields

FieldTypeDescription
findingStringThe finding ID.
detector_typeStringThe log type associated with the finding.
scoreNumberThe correlation score for the correlated finding. The score is based on the proximity of relevant findings in the threat scenario defined by the correlation rule.