Point > Click > Detect

- Our community of security experts is sharing cutting-edge correlations and making their companies more secure.

New Content Added Daily

Content is added daily by our vast community of security professionals. All content is reviewed and rated by members like you, allowing you to easily locate the highest rated and most popular correlation rules and dashboards.

Advanced Search Features

The granular search capabilities of the CorrelationX platform will allow you to quickly locate the rules and dashboards that you need to fill the gaps in your current SIEM deployment.

Simple Integration with a Click

Your membership allows you to download content with the click of a button. Most correlation rules and dashboards will be ready to go out of the box or with minimal adjustments to fit your data formats. You will be using your new rules and dashboards in minutes.

Our Latest Content Additions

New content is being added every day by experts and bounty hunters. Below are the latest additions to Correlation{X}.

Hunting for CobaltStrike beacon injection (SYSMON)

This rule looks for CobaltStrike beacon injection. The address for the remote thread created during the injection process is static for the default configuration. Some of the Malleable configuration options let you customize this, which would throw off the rule, but the configurable portion is the addition of new bytes, meaning we can still look for the default along with a small range to cover common uses.

Data Source: Operating System Logs - Windows Sysmon;
Tags: APT, Code Injection, Fileless Attack Method;
Type: Hunting Dashboard Search

O365 Rule created from a suspicious source country

A search to identify new mailbox rules created from suspicious country locations.

Data Source: Email - Office 365;
Tags: Account Takeover, Insider Threat, APT;
Type: Hunting Dashboard Search

O365 Phishing attempt similar domains

The rule identifies email messages sent from domains that resemble your own domain name. Change the string "YOUR_DOMAIN.COM" to your own email domain for the most accurate results.

Data Source: Email - Office 365;
Tags: Malware, Phishing, Reconnaissance;
Type: Correlation

Suspicious hardlink creation in tasks folder by System (WINSEC)

This rule looks for hard links created in the Windows Tasks folder by the SYSTEM user. This could be an indicator of a privilege escalation via Advanced Local Procedure Call (ALPC), or of generally malicious or very suspicious activity.

Data Source: Operating System Logs - Windows Security Logs;
Tags: Privilege Escalation;
Type: Hunting Dashboard Search

Privilege Escalation via ALPC 0 day

This rule looks for indicators of the proof-of-concept (PoC) code that was released for the privilege escalation via Advanced Local Procedure Call (ALPC). For Windows 10 systems the PoC involved spoolsv.exe, and for the released Windows 7 PoC the code used infocard.exe.

Data Source: Endpoint (EDR) - Carbon Black, Operating System Logs - Windows Security Logs, Operating System Logs - Windows Sysmon;
Tags: Privilege Escalation;
Type: Hunting Dashboard Search

163 Organizations
50 Data Sources
603 Security Searches
24 Threat Categories