Gate Operation

The gate operation creates a composite rule that identifies a complex situation from the occurrence of several simpler situations.

The composite rule is made up of one or more nested subrules and can be configured to fire if some, any or all of the subrules fire within a specified time window. The subrules may be a simple rule or another composite rule. For more information on Composite Rule, refer to Correlation Tab in Sentinel Control Center User Guide.

The syntax for gate is:

Gate(<subrule 1 rulelg>, <subrule 2 rulelg>, … <subrule n rulelg>, <mode>, <evaluation period>, discriminator(<list of metatags>))

Where

Subrule rulelgs are the rulelg definitions of subrules 1 through n

mode = all | any | 1 | 2 | … | n, which is the number of subrules that must be triggered in order for the gate rule to trigger

<evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.

discriminator lists the metatags (event fields) to group by; subrule matches are tracked separately for each distinct combination of those field values, so the gate fires only when the required subrules match for the same group

For example, this rule is a typical perimeter security IDS inside/outside rule:

filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))

Only events with severity greater than 3 are passed to the gate, which fires when both subrules (an event with e.sn = "in" and an event with e.sn = "out") match within 60 seconds for the same values of e.dip and e.evt.
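The following is an added illustration, not Sentinel's own correlation engine: a small Python model of the gate semantics described above, run over a handful of constructed events that stand in for the e.sev, e.sn, e.dip and e.evt metatags. It assumes that once a gate fires for a group its matches are cleared so the same situation fires only once; the page does not specify that detail.

```python
from collections import defaultdict

# Constructed sample events (not from the page); each dict stands for one event "e".
EVENTS = [
    {"t": 0,   "sev": 4, "sn": "in",  "dip": "10.0.0.5", "evt": "Scan"},
    {"t": 20,  "sev": 5, "sn": "out", "dip": "10.0.0.5", "evt": "Scan"},  # pairs with t=0 -> fires
    {"t": 30,  "sev": 2, "sn": "out", "dip": "10.0.0.9", "evt": "Scan"},  # sev <= 3, dropped by outer filter
    {"t": 40,  "sev": 4, "sn": "in",  "dip": "10.0.0.9", "evt": "Scan"},
    {"t": 150, "sev": 4, "sn": "out", "dip": "10.0.0.9", "evt": "Scan"},  # 110 s after t=40 -> outside 60 s window
]

def gate(events, subrules, mode, period, discriminator):
    """Evaluate a gate rule over time-ordered events.

    subrules: one predicate per subrule.
    mode: "all", "any", or an int n = number of subrules that must match.
    period: evaluation period in seconds; older subrule matches are discarded.
    discriminator: tuple of field names whose values split the gate into groups.
    Returns the list of (time, group key) pairs at which the gate fired.
    """
    needed = {"all": len(subrules), "any": 1}.get(mode, mode)
    state = defaultdict(lambda: [[] for _ in subrules])  # key -> match times per subrule
    fired = []
    for e in events:
        key = tuple(e[f] for f in discriminator)
        matches = state[key]
        for i, rule in enumerate(subrules):
            if rule(e):
                matches[i].append(e["t"])
        # Keep only matches that fall inside the evaluation period ending now.
        for times in matches:
            times[:] = [t for t in times if e["t"] - t <= period]
        if sum(1 for times in matches if times) >= needed:
            fired.append((e["t"], key))
            state[key] = [[] for _ in subrules]  # assumption: reset the group after firing
    return fired

def perimeter_rule(events):
    """filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))"""
    return gate(
        [e for e in events if e["sev"] > 3],          # outer filter feeds only sev > 3 into the gate
        [lambda e: e["sn"] == "in", lambda e: e["sn"] == "out"],
        "all", 60, ("dip", "evt"),
    )

if __name__ == "__main__":
    print(perimeter_rule(EVENTS))  # [(20, ('10.0.0.5', 'Scan'))]
```

Changing the mode to "any" makes every surviving event fire its own group, which shows why the "all" mode plus a discriminator is what makes the inside/outside correlation meaningful.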