Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term SIEM Correlation Rule

Training Camp • Cybersecurity Glossary

What is SIEM Correlation Rule?

Logic in a SIEM that ties together events from multiple sources — like failed logins then a success then data transfer — to flag a threat single events would miss.

Glossary > Security Operations > SIEM Correlation Rule

SIEM Correlation Rule — Logic in a SIEM that ties together events from multiple sources — like failed logins then a success

Understanding SIEM Correlation Rule

A SIEM correlation rule is a defined set of conditions and logic that a Security Information and Event Management platform applies across events from many sources to detect threats that no single event would reveal. By linking related activity — across time, hosts, users, and log sources — it turns scattered raw events into actionable, prioritized alerts.

Correlation rules operate on normalized log data ingested from firewalls, servers, endpoints, identity systems, and applications. A rule specifies matching criteria, relationships, and thresholds — such as a sequence of events, a count within a time window, or a cross-source pattern. When incoming events satisfy the logic, the SIEM raises an alert, often enriched with context and risk scoring. Rules range from simple thresholds (many failed logins) to stateful, multi-stage logic that tracks an attack progressing through several phases.

Correlation rules matter because individual log entries are usually ambiguous, while the relationships between them expose attacks. They cut through alert noise by elevating meaningful patterns, reduce mean time to detect, and map activity to frameworks like MITRE ATT&CK. Poorly tuned rules, however, generate false positives that cause analyst fatigue, or false negatives that miss real intrusions — so rule quality, tuning, and maintenance are central to SOC effectiveness.

For example, a correlation rule might fire when the SIEM observes, for the same account within five minutes: multiple failed authentications, followed by a successful login from a new geographic location, followed by access to a sensitive file share and an outbound data transfer. Each event alone is unremarkable, but correlated together they match a credential-compromise-and-exfiltration pattern, so the SIEM raises a high-severity alert for the SOC to investigate.

Learn More About SIEM Correlation Rule:

Ready to Get Certified?

SIEM Correlation Rule is one of the topics you'll master in the Security+ Boot Camp.

Security+ Boot Camp →