Skip to main content

Introduction

Aggregations and Correlations are the mechanisms that allow incoming alerts to relate to one another. Both are written using a custom expression language called AggQL. Aggregations group incoming Security Events into a single alert. When multiple events relate to the same underlying activity, aggregation rules consolidate them so you aren’t overwhelmed with duplicate alerts. Correlations identify connections between separate alerts. When different detection rules fire on related activity, correlation rules surface the relationship so analysts can see the bigger picture.

Common Use Cases

The most common scenario is reducing alert fatigue by grouping repeat events. For example, if a brute-force detection fires dozens of times against the same host, you can aggregate those events into one alert: 
// Group all events from the same host into a single alert
sameHost()
You can scope aggregations to a time window so that only recent events are grouped together, and older events create new alerts: 
// Group events from the same source IP, but only within a 1-hour window
sameField("src_ip") and window(3600)
To prevent aggregation onto alerts that have already been closed or resolved, add alertIsOpen(): 
// Only aggregate onto alerts that are still open
sameHost() and sameDetection() and alertIsOpen()
For correlations, a typical use case is linking alerts that share the same user account across different hosts — helping identify compromised credentials: 
// Correlate alerts involving the same user account
sameField("user") or sameField("username") or sameField("account_name")
Or finding alerts that share the same source-destination pair, which may indicate repeated attacker communication: 
// Correlate alerts with the same source and destination IP
(sameField("src_ip") or sameField("source_ip"))
    and (sameField("dest_ip") or sameField("destination_ip"))

Combining Expressions

Functions can be combined using logical operators to build more specific rules: 
// `and` — both conditions must be true
sameHost() and alertIsOpen()

// `or` — either condition can be true
sameField("src_ip") or sameField("dest_ip")

// `not` — negates a condition
sameHost() and not sameField("port")
These operators can be chained and grouped with parentheses for complex expressions: 
// Match events from the same host and user, but only on open alerts within 1 hour
sameHost()
    and (sameField("user") or sameField("username"))
    and alertIsOpen()
    and window(3600)

Built-in Correlation Rules

Sonar ships with a set of default correlation rules. These are ready to use out of the box and cover the most common analyst workflows: 
// Same Host
// Find alerts from the same host/hostname. Useful for identifying
// attack chains or repeated activity on a single system.
sameHost()

// Same Source IP
// Find alerts originating from the same attacker.
sameField("src_ip") or sameField("source_ip") or sameField("src")

// Same Destination IP
// Find alerts targeting the same destination. Useful for identifying
// coordinated attacks on a target.
sameField("dest_ip") or sameField("destination_ip") or sameField("dest")

// Same User
// Find alerts involving the same user account. Helps track
// compromised accounts or insider threats.
sameField("user") or sameField("username") or sameField("account_name")

// Same Detection Rule
// Find alerts triggered by the same detection rule. Useful for
// identifying patterns of similar threats.
sameDetection()

// Same Process
// Find alerts involving the same process or executable. Helps
// identify malware persistence or lateral movement.
sameField("process") or sameField("process_name") or sameField("image")

// Same Host and User
// Find alerts from the same host involving the same user. Provides
// context for user-specific activity on a system.
sameHost() and (sameField("user") or sameField("username"))

// Same Source and Destination
// Find alerts with the same source and destination pair. Identifies
// repeated communication patterns between two hosts.
(sameField("src_ip") or sameField("source_ip"))
    and (sameField("dest_ip") or sameField("destination_ip"))

// Recent Open Alerts — Same Host
// Find recent open alerts from the same host. Prioritizes active
// investigations within the last hour.
sameHost() and alertIsOpen() and window(3600)

// Same File Hash
// Find alerts involving the same file hash. Identifies the same
// malware across different systems.
sameField("file_hash") or sameField("md5") or sameField("sha1") or sameField("sha256")

Time Windows

Correlation rules support two time window settings that control how far back the engine looks for related alerts:
  • Alert Creation Window — The maximum time since the first event. Limits how old an alert can be and still be considered for correlation.
  • Last Event Window — The maximum time since the last event. Ensures only recently active alerts are matched.
These windows help focus correlations on relevant timeframes and improve query performance. Both values are specified in seconds. 
// Only correlate events that occurred within the last hour
window(3600)

// Only correlate events that occurred within the last 24 hours
window(86400)

// Only correlate events that occurred within the last 7 days
window(604800)

Available Functions

sameField

Matches events that share the same value for a given field name. This is the most flexible function — it works with any field present in your Security Events. 
// Match events with the same source IP
sameField("src_ip")

// Match events with the same username
sameField("username")

// Match events with the same file hash
sameField("sha256")
The field name must exactly match the key in the event data. If your SIEM uses different field names for the same concept (e.g. src_ip vs source_ip), combine multiple sameField calls with or: 
// Cover common source IP field name variations
sameField("src_ip") or sameField("source_ip") or sameField("src")

sameHost

Matches events originating from the same host. This is a convenience function that checks multiple common hostname fields automatically: host, hostname, and computer_name. 
// Group events from the same host
sameHost()

// Equivalent to writing:
sameField("host") or sameField("hostname") or sameField("computer_name")

sameDetection

Matches events that were triggered by the same detection rule. Useful for tracking how many times a specific rule fires across different events or systems. 
// Group events from the same detection rule
sameDetection()

// Combine with sameHost to find repeated detections on one system
sameDetection() and sameHost()

alertIsOpen

A filtering function that restricts matches to events belonging to alerts with an “open” status. Closed or resolved alerts are excluded. This is useful for aggregation rules where you only want to append events to active investigations. 
// Only aggregate onto alerts that are still open
alertIsOpen()

// Combine with other matchers
sameHost() and alertIsOpen()

window

A filtering function that restricts matches to events created within a specified time window, given in seconds. This prevents stale or unrelated events from being grouped together. 
// Match events within the last hour (3600 seconds)
window(3600)

// Match events within the last 24 hours
window(86400)

// Practical example: aggregate same-host events on open alerts within 1 hour
sameHost() and alertIsOpen() and window(3600)