An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire within a specific time window in order to trigger the aggregate rule. For example, an aggregate rule may require that a subrule fire 10 times within 5 minutes for the aggregate rule to fire.
Aggregate rules have an optional group-by field, which can be any populated field of the events. For example, an aggregate rule may require that a subrule fire 10 times within 5 minutes where each of the 10 events has the same destination server; a burst of 10 matching events spread across several servers would not satisfy that rule.
NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for an aggregate rule is the "trigger" operator. The trigger clause may also use the "discriminator" operator to define the group-by field. For more information about RuleLG, see the Sentinel Correlation Engine RuleLG Language section in the Sentinel 6.0 User Reference Guide.
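The following is an added example, not code from the Sentinel product or its documentation, showing the semantics described above in plain Python: a subrule is matched against each event, matches are counted in a sliding time window, and an optional discriminator field keeps a separate count per field value. The event records and the short tag names ("dip", "sev", "evt") are constructed to resemble Sentinel event tags; the one-fire-per-burst reset after the rule fires is an assumption, not a documented Sentinel behaviour.

```python
from collections import defaultdict, deque


def aggregate_rule(events, subrule, count, window_seconds, discriminator=None):
    """Evaluate an aggregate rule over a list of event dicts (each with a "ts" key).

    The rule fires when `subrule` has matched `count` events whose timestamps
    fall within `window_seconds` of each other (sliding window, both ends
    inclusive). With a `discriminator` field name, counts are kept per distinct
    value of that field, so only events sharing that value are aggregated.
    Returns a list of (fire_timestamp, discriminator_value) tuples.

    Assumption: after the rule fires, the events that satisfied it are consumed,
    so one burst fires once rather than on every subsequent matching event.
    """
    windows = defaultdict(deque)  # discriminator value -> timestamps of matching events
    fires = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not subrule(ev):
            continue
        if discriminator is None:
            key = None
        elif discriminator in ev:
            key = ev[discriminator]
        else:
            # The group-by field must be populated; an event without it cannot
            # be assigned to any group and is not counted.
            continue
        q = windows[key]
        q.append(ev["ts"])
        # Drop matches that have fallen out of the window ending at this event.
        while q and ev["ts"] - q[0] > window_seconds:
            q.popleft()
        if len(q) >= count:
            fires.append((ev["ts"], key))
            q.clear()
    return fires


# Constructed sample events (timestamps in seconds). Three hosts see
# authentication failures; only 10.0.0.5 sees three within 60 seconds.
SAMPLE_EVENTS = [
    {"ts": 0,   "sev": 4, "dip": "10.0.0.5", "evt": "auth-fail"},
    {"ts": 10,  "sev": 4, "dip": "10.0.0.7", "evt": "auth-fail"},
    {"ts": 20,  "sev": 4, "dip": "10.0.0.5", "evt": "auth-fail"},
    {"ts": 30,  "sev": 4, "dip": "10.0.0.9", "evt": "auth-fail"},
    {"ts": 45,  "sev": 1, "dip": "10.0.0.5", "evt": "info"},       # does not match the subrule
    {"ts": 50,  "sev": 4, "dip": "10.0.0.5", "evt": "auth-fail"},  # third hit on 10.0.0.5 in 50 s
    {"ts": 200, "sev": 4, "dip": "10.0.0.7", "evt": "auth-fail"},
    {"ts": 210, "sev": 4, "dip": "10.0.0.9", "evt": "auth-fail"},
    {"ts": 220, "sev": 4, "dip": "10.0.0.7", "evt": "auth-fail"},
    {"ts": 230, "sev": 4, "evt": "auth-fail"},                     # no destination field
]


def subrule_auth_failure(ev):
    """Subrule: an authentication failure of at least medium severity."""
    return ev.get("evt") == "auth-fail" and ev.get("sev", 0) >= 3


def grouped_fires():
    """3 matches in 60 s, grouped by destination: fires once, for 10.0.0.5 only."""
    return aggregate_rule(SAMPLE_EVENTS, subrule_auth_failure, 3, 60, discriminator="dip")


def ungrouped_fires():
    """Same count and window without a discriminator: fires on cross-host bursts too."""
    return aggregate_rule(SAMPLE_EVENTS, subrule_auth_failure, 3, 60)


if __name__ == "__main__":
    print("per-destination:", grouped_fires())
    print("ungrouped:      ", ungrouped_fires())
```

The ungrouped evaluation fires twice (at 20 s and 220 s) because it counts failures against any server together, while the grouped evaluation fires only at 50 s for 10.0.0.5, the one server that actually received three failures within the window. The event at 230 s, which lacks the destination field, counts toward the ungrouped rule but is ignored by the grouped one.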
To create an aggregate rule:
Open the Correlation Rules window and, from the drop-down list, select the folder to which this rule will be added.
Click the Add button in the top left corner of the window. The Correlation Rule window is displayed. Select Aggregate Rule.
In the Aggregate Rule window, select the sub-rule on which the aggregate rule is built. To select a sub-rule, click the Add Rule button. The Add Rule window is displayed.
NOTE: You can select only one sub-rule when creating an aggregate rule.
Select a rule and click OK.
Set the parameters for the rule to fire: the number of times the sub-rule must fire and the time window within which those firings must occur.
To group events by one or more attributes (the group-by field), click Add/Edit. The Attribute window opens.
Check the attributes you want to group by. You can preview the resulting rule in the RuleLG preview window. Click Next. The Update Criteria window is displayed.
Update the criteria for the rule to fire and click Next. The General Description window is displayed.
Enter a name for this rule. You can also change the rule folder here.
Enter a description of the rule and click Next.
You can choose to create another rule from this wizard. Select an option and click Next.