Query Language
Both Aggregations and Correlations are written in a custom language we call AggQL. This language is designed to be simple to use and easy to understand.
When we want new incoming Security Events to “aggregate” onto an already open Alert, we can create an aggregation rule to do this.
Available Functions
| Function | Description | Example |
|---|---|---|
| sameField(field) | Matches events with the same value for the specified field | sameField("src_ip") |
| sameHost() | Matches events from the same host (checks host, hostname, computer_name fields) | sameHost() |
| sameDetection() | Matches events triggered by the same detection rule | sameDetection() |
| alertIsOpen() | Only matches events belonging to alerts with “open” status | alertIsOpen() |
| window(seconds) | Only matches events created within the specified time window | window(3600) |
Combining Functions
Functions can be combined using logical operators:
- and - Both conditions must be true
- or - Either condition must be true
- not - Negates a condition
Aggregations
Aggregation rules automatically group incoming Security Events into existing alerts when they match the rule expression. This reduces alert fatigue by consolidating related events.
Common Aggregation Patterns
| Pattern | Expression | Use Case |
|---|---|---|
| Same Hostname | sameHost() | Group events from the same system |
| Same Event Type | sameField("event") | Group identical event types |
| Same Source | sameField("src_ip") | Group events from same attacker |
Correlations
Correlation rules help analysts find related alerts across different events. Unlike aggregations (which merge events into one alert), correlations identify connections between separate alerts.
Built-in Correlation Rules
The following correlation rules are available by default:
| Rule | Expression | Description |
|---|---|---|
| Same Host | sameHost() | Find alerts from the same host/hostname. Useful for identifying attack chains or repeated activity on a single system. |
| Same Source IP | sameField("src_ip") or sameField("source_ip") or sameField("src") | Find alerts with the same source IP address. Helps identify attacks originating from the same attacker. |
| Same Destination IP | sameField("dest_ip") or sameField("destination_ip") or sameField("dest") | Find alerts targeting the same destination IP. Useful for identifying coordinated attacks on a target. |
| Same User | sameField("user") or sameField("username") or sameField("account_name") | Find alerts involving the same user account. Helps track compromised accounts or insider threats. |
| Same Detection Rule | sameDetection() | Find alerts triggered by the same detection rule. Useful for identifying patterns of similar threats. |
| Same Process | sameField("process") or sameField("process_name") or sameField("image") | Find alerts involving the same process or executable. Helps identify malware persistence or lateral movement. |
| Same Host and User | sameHost() and (sameField("user") or sameField("username")) | Find alerts from the same host involving the same user. Provides context for user-specific activity on a system. |
| Same Source and Destination | (sameField("src_ip") or sameField("source_ip")) and (sameField("dest_ip") or sameField("destination_ip")) | Find alerts with the same source and destination pair. Identifies repeated communication patterns. |
| Recent Open Alerts - Same Host | sameHost() and alertIsOpen() and window(3600) | Find recent open alerts from the same host. Prioritizes active investigations. |
| Same File Hash | sameField("file_hash") or sameField("md5") or sameField("sha1") or sameField("sha256") | Find alerts involving the same file hash. Identifies the same malware across different systems. |
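The functions in the Available Functions table, the and/or/not operators, and the expressions in the aggregation and correlation tables above can be exercised with the following small parser and evaluator. It is an added example, not the product's own AggQL implementation, and it fills in semantics the page does not spell out: `and` binds tighter than `or` and `not` binds tightest; sameHost() compares the first of host/hostname/computer_name present on each event; sameDetection() compares a hypothetical detection_id field; window(n) measures the incoming event's timestamp (epoch seconds) against the candidate alert's most recent event. The Alert class, the sample alert and the sample events are constructed for the example.

```python
"""Parser and evaluator for AggQL-style rule expressions (added example, not the product's code)."""
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r'\s*(?:(\d+)|("[^"]*")|([A-Za-z_]\w*)|([(),]))')
HOST_FIELDS = ("host", "hostname", "computer_name")   # fields sameHost() checks, per the page

def tokenize(expr):
    """Split an expression into (kind, value) tokens; any other character is rejected."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise SyntaxError(f"unexpected character at offset {pos}: {expr[pos]!r}")
        pos, (num, string, ident, punct) = m.end(), m.groups()
        if num is not None:
            tokens.append(("num", int(num)))
        elif string is not None:
            tokens.append(("str", string[1:-1]))
        elif ident is not None:
            tokens.append(("kw", ident.lower()) if ident.lower() in ("and", "or", "not") else ("ident", ident))
        else:
            tokens.append(("punct", punct))
    return tokens

class Parser:
    """Recursive descent. Assumed precedence (not stated on the page): not > and > or."""
    def __init__(self, tokens): self.toks, self.i = tokens, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise SyntaxError(f"expected {kind or 'token'} {value or ''}, got {tok}")
        self.i += 1
        return tok
    def parse_or(self): return self._binary("or", self.parse_and)
    def parse_and(self): return self._binary("and", self.parse_atom)
    def _binary(self, kw, sub):           # left-associative chain: sub (kw sub)*
        node = sub()
        while self.peek() == ("kw", kw):
            self.take(); node = (kw, node, sub())
        return node
    def parse_atom(self):
        if self.peek() == ("kw", "not"):
            self.take(); return ("not", self.parse_atom())
        if self.peek() == ("punct", "("):
            self.take(); node = self.parse_or(); self.take("punct", ")"); return node
        name = self.take("ident")[1]      # function call: name(arg, ...)
        self.take("punct", "(")
        args = []
        while self.peek() != ("punct", ")"):
            if args: self.take("punct", ",")
            kind, val = self.take()
            if kind not in ("num", "str"):
                raise SyntaxError(f"argument must be a number or string, got {kind}")
            args.append(val)
        self.take("punct", ")")
        return ("call", name, args)

def parse(expr):
    """Parse a full expression into a nested tuple AST; trailing junk is an error."""
    p = Parser(tokenize(expr)); node = p.parse_or()
    if p.peek()[0] is not None:
        raise SyntaxError(f"trailing tokens: {p.toks[p.i:]}")
    return node

@dataclass
class Alert:            # assumed minimal view of an existing alert
    event: dict         # the event that opened the alert
    status: str         # "open" or "closed"
    last_event_ts: int  # epoch seconds of the alert's most recent event

def _host(ev):
    return next((ev[f] for f in HOST_FIELDS if f in ev), None)

def evaluate(node, event, alert):
    """Evaluate an AST for (incoming event, candidate alert). Missing fields never match."""
    op = node[0]
    if op == "or":  return evaluate(node[1], event, alert) or evaluate(node[2], event, alert)
    if op == "and": return evaluate(node[1], event, alert) and evaluate(node[2], event, alert)
    if op == "not": return not evaluate(node[1], event, alert)
    name, args = node[1], node[2]
    if name == "sameField" and len(args) == 1 and isinstance(args[0], str):
        f = args[0]
        return f in event and f in alert.event and event[f] == alert.event[f]
    if name == "sameHost" and not args:        # assumed: first host-like field on each side
        return _host(event) is not None and _host(event) == _host(alert.event)
    if name == "sameDetection" and not args:   # assumed field name: detection_id
        return event.get("detection_id") is not None and event["detection_id"] == alert.event.get("detection_id")
    if name == "alertIsOpen" and not args:
        return alert.status == "open"
    if name == "window" and len(args) == 1 and isinstance(args[0], int):   # assumed: relative to alert's last event
        return abs(event["timestamp"] - alert.last_event_ts) <= args[0]
    raise ValueError(f"unknown function or wrong arguments: {name}({args})")

def matches(expr, event, alert):
    return evaluate(parse(expr), event, alert)

# Constructed sample data (not from any real deployment); the new event carries "host"
# where the alert's event carried "hostname", which the assumed sameHost() tolerates.
ALERT = Alert(event={"hostname": "ws-017", "src_ip": "10.0.0.5", "user": "alice",
                     "detection_id": "ssh-bruteforce", "timestamp": 1_700_000_000},
              status="open", last_event_ts=1_700_000_000)
RECENT = {"host": "ws-017", "src_ip": "10.0.0.5", "user": "alice",
          "detection_id": "ssh-bruteforce", "timestamp": 1_700_001_800}  # 30 minutes later
STALE = dict(RECENT, timestamp=1_700_010_000)                              # about 2.8 hours later
```

With these semantics `matches("sameHost() and alertIsOpen() and window(3600)", RECENT, ALERT)` is true and the same rule on STALE is false. Two points worth noticing when writing rules: a field that is absent from either event never matches, so a source that omits src_ip cannot be pulled into an unrelated alert by sameField("src_ip"); and sameField() needs the same field name on both events, so the or-chains in the built-in rules bridge differently named sources only when each pair of events shares at least one of the listed names.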
Time Windows
Correlation rules support two time window settings:
- Last Event Window - How far back to look for related events (e.g., 24 hours, 7 days)
- Alert Creation Window - How recently the alert must have been created to be considered