Managing correlation rules
Note
This feature is in the Preview stage. To get access, contact tech support.
This section describes how to create correlation rules, manage their settings, and perform basic operations with them.
Getting started
The Yandex SIEM section will appear in the Cloud Center interface as a Security Deck module after the access request is approved.
You need the ycem.editor role to use the service.
Creating a correlation rule
To create a correlation rule:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- Click New rule.
- In the Correlation condition field, enter your KQL query. Use templates, schema, or datasets as needed.
- Under Aggregation, specify the aggregation key and aggregation window.
- Under Actions on trigger, configure the new alert by setting its name, type, and classification.
- Under Parameters, fill in the required Name field, and, optionally, Description, Category, and Trigger severity.
- Click Save.
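As an added illustration (not code from Yandex SIEM or its documentation), the Python below models how the fields set in this procedure fit together: a correlation condition standing in for the KQL query, an aggregation key and window, and the alert name, type, classification and severity produced on trigger. The grouping semantics (one alert per aggregation key per window) and the sample event fields are assumptions made for the illustration, not the product's documented behaviour.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample events (not from any real system): (epoch seconds, fields).
EVENTS = [
    (100, {"event": "auth_failed", "src_ip": "198.51.100.7", "user": "alice"}),
    (130, {"event": "auth_failed", "src_ip": "198.51.100.7", "user": "bob"}),
    (160, {"event": "auth_ok", "src_ip": "198.51.100.7", "user": "alice"}),
    (200, {"event": "auth_failed", "src_ip": "203.0.113.9", "user": "carol"}),
    (900, {"event": "auth_failed", "src_ip": "198.51.100.7", "user": "dave"}),
]

@dataclass
class CorrelationRule:
    name: str                            # Parameters > Name
    condition: Callable[[dict], bool]    # stands in for the KQL correlation condition
    aggregation_key: tuple               # field names events are grouped by
    aggregation_window: int              # seconds
    alert_name: str                      # Actions on trigger
    alert_type: str
    classification: str
    severity: str                        # Parameters > Trigger severity

def evaluate(rule: CorrelationRule, events) -> list:
    """Assumed semantics: events that match the condition and share an aggregation
    key within one aggregation window are folded into a single alert."""
    open_alerts = {}   # key -> alert currently collecting events
    alerts = []
    for ts, ev in sorted(events, key=lambda e: e[0]):
        if not rule.condition(ev):
            continue
        key = tuple(ev.get(k) for k in rule.aggregation_key)
        current = open_alerts.get(key)
        # Start a new alert when none is open for this key or the window has expired.
        if current is None or ts - current["window_start"] > rule.aggregation_window:
            current = {"name": rule.alert_name, "type": rule.alert_type,
                       "classification": rule.classification, "severity": rule.severity,
                       "key": key, "window_start": ts, "count": 0}
            open_alerts[key] = current
            alerts.append(current)
        current["count"] += 1
    return alerts

# Example rule: group failed logins by source address over a 5-minute window.
FAILED_LOGINS = CorrelationRule(
    name="Repeated failed logins per source", condition=lambda ev: ev["event"] == "auth_failed",
    aggregation_key=("src_ip",), aggregation_window=300, alert_name="Failed logins from one source",
    alert_type="brute_force_attempt", classification="credential_access", severity="high")
```

Running `evaluate(FAILED_LOGINS, EVENTS)` yields three alerts: two failures from 198.51.100.7 folded into one alert, one for 203.0.113.9, and a fresh alert for the late 198.51.100.7 event that falls outside the window.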
Editing a rule
To edit a correlation rule:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- In the rule's row, click the menu icon and select Edit.
- Edit the fields as needed.
- Click Save.
Disabling a rule
To disable a correlation rule:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- In the rule's row, click the menu icon and select Disable.
A disabled rule changes its status to Inactive and stops processing events.
Resetting changes
To reset the changes you made to the rule to the last deployed version:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- In the rule's row, click the menu icon and select Reset changes.
All unsaved changes will be discarded. The rule will revert to the last deployed configuration.
Deleting a rule
You can only delete custom rules. You cannot delete preset rules.
To delete a custom correlation rule:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- In the rule's row, click the menu icon and select Delete.
- Confirm the deletion.
Warning
Deleting a rule is irreversible. All rule settings will be deleted.