Understanding Correlation

Sometimes, an event viewed in the system may not necessarily draw your attention. But, when you correlate a set of similar or comparable events in a given period, it may lead you to an alarming event. Sentinel helps you correlate such events with the rules you create and deploy in the Correlation engine and take appropriate action to mitigate any alarming situation.

Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. Starting with Sentinel 6.0, the correlation engine is built with a pluggable framework, which will allow the addition of new correlation engines in the future.

Correlation rules define a pattern of events that should trigger, or fire, a rule. Using either the correlation rule wizard or the simple RuleLG language, you can create rules that range from simple to extremely complex, for example:

Two or more of these rules can be combined into one composite rule. The rule definition will determine the conditions under which the composite rule will fire:

After the rule is defined, it should be deployed to an active Correlation Engine, and one or more actions can be associated with it. Once the rule is deployed, the Correlation Engine will process events from the real-time event stream to determine whether they should trigger any of the active rules to fire.

NOTE: Events that are sent directly to the database or dropped by a Global Filter will not be processed by the Correlation Engine.

When a rule fires, a correlated event is sent to the Sentinel Control Center, where it can be viewed in the Active Views.

image\ebx_-1603809028.gif

The correlated event may also trigger actions, such as sending an email with the correlated event's details or creating an incident associated with an iTRAC workflow.