Correlation rules may be defined in the Correlation Rule Wizard by walking through the wizard or by choosing the Custom/Freeform option to write the rule in the proprietary RuleLG language. All rule definitions are stored in the database in RuleLG.
Correlation rules may be defined based on any populated event field.
NOTE: While creating a Rule, you may add a dynamic list to it. For more information, see "Associating Dynamic List with Correlation Rule".
A simple rule is defined by specifying which events can trigger the rule to fire (for example, all firewall events, or only firewall events of severity 3 or higher). Multiple filter criteria may be intersected (using the "all" option in the GUI or the "AND" operator in RuleLG) or unioned (using the "any" option in the GUI or the "OR" operator in RuleLG).
For example, a rule might be defined so that it fires anytime an event takes place on a server that is on the critical list. Another rule might be defined to fire anytime an event of severity 4 or greater takes place on a server that is on the critical list.
A simple rule requires only one event in order to fire.
NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for a simple rule is the "filter" operator. For more information about RuleLG, see the Sentinel Correlation Engine RuleLG Language.
NOTE: In Sentinel 6, filter criteria must be defined in the correlation rule wizard. You cannot use existing public filters.
To create a simple rule:
Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.
Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Simple Rule.
In the Simple Rule window, define a condition for this rule: select the Property and Operator values from the drop-down lists and enter the value to compare against in the value field.
Click Add to add further conditions to this rule, and choose whether all of the conditions (AND) or any of them (OR) must match.
You can preview the rule in the RuleLG preview window; for example, a single severity condition previews as filter(e.sev=3). Click Next. The Update Criteria window displays.
Set the update criteria for the rule to fire and click Next. The General Description window displays.
Enter a name for this rule. You can also change the rule folder here.
Enter a description of the rule and click Next.
You have the option to create another rule from this wizard. Select your option and click Next.
An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire within a specific time window in order to trigger the aggregate rule. For example, an aggregate rule may require that a subrule fire 10 times within 5 minutes for the aggregate rule to fire.
Aggregate rules have an optional group by field, which can be any populated field from the events. For example, an aggregate rule may require that a subrule fire 10 times within 5 minutes where each of the 10 events has the same destination server.
NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for an aggregate rule is the "trigger" operator. The trigger clause may also use the "discriminator" operator to define the group by field. For more information about RuleLG, see the Sentinel Correlation Engine RuleLG Language.
To create an aggregate rule:
Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.
Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Aggregate Rule.
In the Aggregate Rule window, select the sub-rule on which the aggregate rule is built: click the Add Rule button. The Add Rule window displays.
NOTE: You can select only one sub-rule when creating an aggregate rule.
Select a rule and click OK.
Set the parameters for the rule to fire: the number of times the sub-rule must fire and the time window within which it must do so.
To group matching events by one or more event attributes (the optional group by field), click Add/Edit. The Attribute List window displays.
Select the attributes to group by. You can preview the rule in the RuleLG preview window. Click Next. The Update Criteria window displays.
Set the update criteria for the rule to fire and click Next. The General Description window displays.
Enter a name for this rule. You can also change the rule folder here.
Enter a description of the rule and click Next.
You have the option to create another rule from this wizard. Select your option and click Next.
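The following Python model is an added example and is not code from the Sentinel product or its documentation. It shows the behaviour of a simple rule (a single-event filter) and of an aggregate rule (a sub-rule that must fire a given number of times within a time window, optionally grouped by a discriminator field). The event field names st (timestamp in seconds), sev, sip and dip, the sample events, and the "*" label used for the ungrouped case are all constructed for illustration; Sentinel's own re-firing behaviour after a rule fires is not modelled.

```python
"""Added example, not part of the Sentinel documentation: a Python model of the
simple (filter) and aggregate (trigger with discriminator) correlation rules.
Field names st, sev, sip, dip and the sample events are constructed."""
from collections import defaultdict, deque


def simple_rule(event, min_sev=3):
    """Simple rule: one event of severity >= 3 fires it (cf. filter(e.sev>=3))."""
    return event["sev"] >= min_sev


class AggregateRule:
    """Aggregate rule: fires when `subrule` matches `count` events within `window`
    seconds. With `group_by` set, each distinct value of that field is counted
    separately, like the trigger operator's discriminator."""

    def __init__(self, subrule, count, window, group_by=None):
        self.subrule = subrule
        self.count = count
        self.window = window
        self.group_by = group_by
        self.buckets = defaultdict(deque)  # group value -> timestamps of matching events

    def process(self, event):
        """Return the group value ("*" if ungrouped) when the rule fires, else None."""
        if not self.subrule(event):
            return None
        key = event[self.group_by] if self.group_by else "*"
        q = self.buckets[key]
        q.append(event["st"])
        while event["st"] - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # model choice: one firing per burst, then start counting again
            return key
        return None


def make_events():
    """Constructed sample events: a split burst, a single-target burst, a slow drip, noise."""
    events = []
    # Burst A, t=1000..1110: six sev-4 events to each of two destinations (12 in total).
    for i in range(6):
        events.append({"st": 1000 + 20 * i, "sev": 4, "sip": "192.0.2.1", "dip": "10.0.0.5"})
        events.append({"st": 1010 + 20 * i, "sev": 4, "sip": "192.0.2.2", "dip": "10.0.0.6"})
    # Burst B, t=5000..5090: ten sev-4 events from ten sources to one destination.
    for i in range(10):
        events.append({"st": 5000 + 10 * i, "sev": 4, "sip": f"192.0.2.{10 + i}", "dip": "10.0.0.7"})
    # Slow drip, t=9000..9900: ten sev-4 events 100 s apart to one destination.
    for i in range(10):
        events.append({"st": 9000 + 100 * i, "sev": 4, "sip": "192.0.2.3", "dip": "10.0.0.8"})
    # Severity-1 noise that the filter discards.
    for i in range(5):
        events.append({"st": 1005 + 10 * i, "sev": 1, "sip": "198.51.100.9", "dip": "10.0.0.5"})
    return sorted(events, key=lambda e: e["st"])


def run(rule, events):
    """Feed events to a rule in time order; return (timestamp, group) for each firing."""
    firings = []
    for e in events:
        key = rule.process(e)
        if key is not None:
            firings.append((e["st"], key))
    return firings


if __name__ == "__main__":
    events = make_events()
    print("simple rule matches:", sum(1 for e in events if simple_rule(e)))
    print("10 in 300 s, ungrouped:", run(AggregateRule(simple_rule, 10, 300), events))
    print("10 in 300 s, by dip:   ", run(AggregateRule(simple_rule, 10, 300, group_by="dip"), events))
```

The ungrouped rule fires on burst A, because the twelve matching events are counted together even though they are split across two destination servers; grouping by dip counts each destination separately, so only burst B (ten events to one server within 90 seconds) fires. The slow drip never accumulates ten events inside any 300-second window under either rule.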
A composite rule consists of 2 or more subrules. A composite rule may be defined so that all of the subrules, or a specified number of them, must fire within the defined timeframe. Composite rules have an optional group by field, which may be any populated field from the events.
NOTE: When a subrule is used to create a composite rule, a copy of the subrule is added to the composite rule's definition. Because a copy is added, changes to the original subrule do not affect the composite rule.
To create a composite rule:
Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.
Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Composite Rule.
In the Composite Rule window, select the sub-rules that make up the composite rule: click the Add Rule button. The Add Rule window displays.
Select a rule or a set of rules (hold Ctrl on your keyboard to select several) and click OK.
Set the parameters for the rule to fire: whether all of the sub-rules or only a specified number of them must fire, and the time window within which they must fire.
To group matching events by one or more event attributes (the optional group by field), click Add/Edit. The Attribute window displays.
Select the attributes to group by. You can preview the rule in the RuleLG preview window. Click Next. The Update Criteria window displays.
Set the update criteria for the rule to fire and click Next. The General Description window displays.
Enter a name for this rule. You can also change the rule folder here.
Enter a description of the rule and click Next.
You have the option to create another rule from this wizard. Select your option and click Next.
A sequence rule consists of 2 or more subrules that must fire in a specific order within the defined timeframe. Sequence rules have an optional group by field, which may be any populated field from the events.
NOTE: When a subrule is used to create a sequence rule, a copy of the subrule is added to the sequence rule's definition. Because a copy is added, changes to the original subrule do not affect the sequence rule.
To create a sequence rule:
Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.
Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Sequence Rule.
In the Sequence Rule window, select the sub-rules that make up the sequence: click the Add Rule button. The Add Rule window displays.
Select a rule and click OK. Repeat to add each further sub-rule of the sequence.
Set the parameters for the rule to fire: the time window within which the sub-rules must fire in the defined order. To group matching events by one or more event attributes (the optional group by field), click Add/Edit. The Attribute List window displays.
Select the attributes to group by. You can preview the rule in the RuleLG preview window. Click Next. The Update Criteria window displays.
Set the update criteria for the rule to fire and click Next. The General Description window displays.
Enter a name for this rule. You can also change the rule folder here.
Enter a description of the rule and click Next.
You have the option to create another rule from this wizard. Select your option and click Next.
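The following Python model is an added example and is not code from the Sentinel product or its documentation. It shows how the composite rule (all, or a specified number, of the sub-rules fire within the window, in any order) and the sequence rule (the sub-rules fire in list order within the window) described above behave on the same events, with and without a group by field. The event field names st (timestamp in seconds), sip and evt, the event names, the sample events and the "*" label for the ungrouped case are constructed for illustration; the handling of repeated or out-of-turn matches is a simplification of this model, not a statement about the Sentinel engine.

```python
"""Added example, not part of the Sentinel documentation: a Python model of the
composite and sequence correlation rules. Field names st, sip, evt, the event
names and the sample events are constructed."""
from collections import defaultdict

# Constructed events: three sources each produce a failed login, a successful
# login and a privilege escalation, but in different orders and timings.
EVENTS = [
    {"st": 100, "sip": "192.0.2.10", "evt": "login_failed"},
    {"st": 200, "sip": "192.0.2.10", "evt": "login_success"},
    {"st": 300, "sip": "192.0.2.10", "evt": "privilege_escalation"},
    {"st": 150, "sip": "192.0.2.20", "evt": "login_success"},        # out of order
    {"st": 160, "sip": "192.0.2.20", "evt": "login_failed"},
    {"st": 170, "sip": "192.0.2.20", "evt": "privilege_escalation"},
    {"st": 1000, "sip": "192.0.2.30", "evt": "login_failed"},
    {"st": 1700, "sip": "192.0.2.30", "evt": "login_success"},       # 700 s later
    {"st": 1750, "sip": "192.0.2.30", "evt": "privilege_escalation"},
]


def is_evt(name):
    """Sub-rule factory: a simple filter on the event name."""
    return lambda e: e["evt"] == name


SUBRULES = [is_evt("login_failed"), is_evt("login_success"), is_evt("privilege_escalation")]


class CompositeRule:
    """Composite rule: `required` of the sub-rules (default: all) must each have
    matched within `window` seconds, in any order, optionally per group."""

    def __init__(self, subrules, window, required=None, group_by=None):
        self.subrules = subrules
        self.window = window
        self.required = required if required is not None else len(subrules)
        self.group_by = group_by
        self.seen = defaultdict(dict)  # group -> {sub-rule index: last matching timestamp}

    def process(self, event):
        """Return the group value ("*" if ungrouped) when the rule fires, else None."""
        key = event[self.group_by] if self.group_by else "*"
        seen = self.seen[key]
        matched = [i for i, r in enumerate(self.subrules) if r(event)]
        if not matched:
            return None
        for i in matched:
            seen[i] = event["st"]
        recent = [i for i, t in seen.items() if event["st"] - t <= self.window]
        if len(recent) >= self.required:
            seen.clear()  # model choice: one firing per satisfied window
            return key
        return None


class SequenceRule:
    """Sequence rule: the sub-rules must match in list order, the last within
    `window` seconds of the first; events that match out of turn are ignored."""

    def __init__(self, subrules, window, group_by=None):
        self.subrules = subrules
        self.window = window
        self.group_by = group_by
        self.progress = defaultdict(lambda: (0, None))  # group -> (next index, start time)

    def process(self, event):
        """Return the group value ("*" if ungrouped) when the rule fires, else None."""
        key = event[self.group_by] if self.group_by else "*"
        idx, start = self.progress[key]
        if start is not None and event["st"] - start > self.window:
            idx, start = 0, None  # the partial sequence expired; start over
        if self.subrules[idx](event):
            if idx == 0:
                start = event["st"]
            idx += 1
            if idx == len(self.subrules):
                self.progress[key] = (0, None)
                return key
        self.progress[key] = (idx, start)
        return None


def run(rule, events):
    """Feed events to a rule in time order; return (timestamp, group) for each firing."""
    firings = []
    for e in sorted(events, key=lambda e: e["st"]):
        key = rule.process(e)
        if key is not None:
            firings.append((e["st"], key))
    return firings


if __name__ == "__main__":
    print("composite, all 3, by sip:", run(CompositeRule(SUBRULES, 600, group_by="sip"), EVENTS))
    print("composite, any 2, by sip:", run(CompositeRule(SUBRULES, 600, required=2, group_by="sip"), EVENTS))
    print("sequence, by sip:        ", run(SequenceRule(SUBRULES, 600, group_by="sip"), EVENTS))
    print("sequence, ungrouped:     ", run(SequenceRule(SUBRULES, 600), EVENTS))
```

Grouped by source IP, the composite rule fires for 192.0.2.10 and 192.0.2.20 (order does not matter) but not for 192.0.2.30, whose failed login falls outside the 600-second window; lowering the required count to 2 makes all three sources fire. The sequence rule fires only for 192.0.2.10, the one source whose events arrive in the defined order inside the window. Run ungrouped, the same sequence rule fires once at t=170 by stitching together events from two different sources, which is the kind of false correlation the group by field exists to prevent.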
The custom or freeform rule option is the most powerful way to create a correlation rule. It lets you create any of the previous types of rule by typing the RuleLG correlation rule language directly into the Correlation Rule Wizard.
TIP:
You can select Functions, Operators and Meta-Tags from drop-down lists. Type e. or w. in the Correlation Rule text area to display the drop-down list of meta-tags.
To create a custom or freeform rule:
Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.
Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Custom/Freeform Rule.
In the Custom/Freeform Rule window, type the rule in RuleLG and click Validate to check that it is valid.
When the rule validates successfully, click Next. The Update Criteria window displays.
Set the update criteria for the rule to fire and click Next. The General Description window displays.
Enter a name for this rule. You can also change the rule folder here.
Enter a description of the rule and click Next.
You have the option to create another rule from this wizard. Select your option and click Next.