5.9 Customizing Correlated Event

Correlated events include specific event fields with some default values. For more information, see Table 5-3 in Understanding the Correlated Event.

You can customize the default correlated event field values. For example, if you want the rule to create correlated events with a high severity value whenever a specific event pattern is detected, you can customize the Severity field of the correlated event. Similarly, if you want a specific tenant to be able to view the correlated events that this rule generates, you can set either the TenantID field or the TenantName field to the tenant associated with the rule.

You customize the correlated event when you create or edit the correlation rule. The Customize correlated event option lets you set almost all the correlated event fields; only the Sentinel internal fields cannot be customized. Customized field values apply only to the correlation rule in which you set them.

To customize correlated event field values:

  1. In the Correlation panel, select the correlation rule, then click the Edit icon.

  2. In the correlation rule builder, click Customize correlated event.

  3. Drag the event fields you want to edit from the Available event fields section to the Selected event fields section.

  4. Click the Edit icon to specify the value for the event field.

    By default, the value is the same as the corresponding field value of the last event that triggered the correlated event. You can also reference other event fields in the Value field by enclosing the event field name in $ signs (for example, $sun$).

    For example, to include the InitiatorUserName (short field name sun) in the Message field of a correlated event for a login failure, specify the Value as Login failure by $sun$.

  5. Click OK.

  6. After customizing the correlated event fields, click Set to save the correlated event.

  7. Click Save Rule.

    The customized correlated event values are applied only for correlated events generated after the customization.
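The following is an added example, not code from Sentinel or from this guide, that models the behavior described above: a correlated event starts as a copy of the last triggering event, and each customized field value is a template in which $field$ references are expanded from that event. The field short names (sun for InitiatorUserName, sev for Severity, msg for Message), the sample trigger event, the rule customization and the list of internal fields are constructed for illustration; how Sentinel itself performs the substitution is not shown on this page.

```python
import re

# Constructed sample: the last event that triggered the rule. Short names
# follow Sentinel convention (sun = InitiatorUserName); values are made up.
LAST_TRIGGER_EVENT = {
    "evt": "Login failure",
    "sun": "jdoe",
    "sev": 2,
    "msg": "Authentication failed for jdoe",
    "TenantID": "",
    "TenantName": "",
    "rv200": "internal-correlation-state",  # hypothetical internal field
}

# Hypothetical per-rule customization as set via "Customize correlated event":
# field -> value. Non-string values are taken as-is; strings are templates.
RULE_CUSTOMIZATION = {
    "sev": 5,
    "msg": "Login failure by $sun$",
    "TenantName": "tenant-a",
}

# Hypothetical set of Sentinel internal fields that cannot be customized.
INTERNAL_FIELDS = {"rv200"}

# A reference is a field name enclosed in $ signs, e.g. $sun$.
REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def expand(template, event):
    """Replace every $field$ reference in template with the field's value
    from event. An unknown field name is an error rather than silently
    becoming an empty string, so a typo in a rule is caught when it is set."""
    def substitute(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"unknown event field reference: ${name}$")
        return str(event[name])
    return REF.sub(substitute, template)


def build_correlated_event(trigger_event, customization):
    """Default every field to the triggering event, then apply the rule's
    customized values. Internal fields are rejected, matching the option's
    restriction that only non-internal fields can be customized."""
    correlated = dict(trigger_event)
    for field, value in customization.items():
        if field in INTERNAL_FIELDS:
            raise ValueError(f"{field} is an internal field and cannot be customized")
        if isinstance(value, str):
            correlated[field] = expand(value, trigger_event)
        else:
            correlated[field] = value
    return correlated


if __name__ == "__main__":
    ce = build_correlated_event(LAST_TRIGGER_EVENT, RULE_CUSTOMIZATION)
    print(ce["msg"])       # Login failure by jdoe
    print(ce["sev"])       # 5
    print(ce["TenantName"])  # tenant-a
```

Two points this makes concrete: fields you do not customize keep the last triggering event's values (here evt and TenantID), so a tenant-scoped rule must set TenantID or TenantName explicitly; and a reference to a field that does not exist in the event should fail loudly when the rule is saved rather than produce a correlated event with a blank in its message.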