Novell Sentinel Rapid Deployment 6.1 Reference Guide (06-15-2009): Correlation Engine RuleLg Language; Correlation RuleLg Language Overview

3 Correlation Engine RuleLg Language
This section has the following information about the Sentinel™ Correlation Engine RuleLg language:
Section 3.1, "Correlation RuleLG Language Overview," on page 37
Section 3.2, "Event Fields," on page 38
Section 3.3, "Event Operations," on page 38
Section 3.4, "Rule Operations," on page 42
Section 3.5, "Operators," on page 44
Section 3.6, "Order of Operators," on page 45
Section 3.7, "Differences between Correlation in 5.x and 6.x," on page 45

3.1 Correlation RuleLG Language Overview

The Sentinel Correlation Engine runs rules that are written in the Correlation RuleLg language.
Rules are created in the Sentinel Control Center. Users can create rules using a wizard for the
following rule types:
Simple Rule
Composite Rule
Aggregate Rule
Sequence Rule
These rules are converted to the Correlation RuleLg language when the rules are saved. The same
rule types, plus even more complex rules, can be created in the Sentinel Control Center using the
Custom/Freeform option. To use the Custom/Freeform option, the user must have a good
understanding of the Correlation RuleLg language.
RuleLg uses several operations, operators, and event field short tags to define a rule. The Correlation
Engine loads the rule definition and uses the rules to evaluate, filter, and store in memory events that
meet the criteria specified by the rule. Depending on the rule definition, a correlation rule might fire
based on
the value of one field or multiple fields
the comparison of an incoming event to past events
the number of occurrences of similar events within a defined time period
one or more subrules firing
one or more subrules firing in a particular order
Each of these constructs is represented by an operation in RuleLg.
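To make the five firing constructs concrete, the following Python model is added here as an illustration; it is not Sentinel code and does not parse or execute RuleLg. Each construct (field values, comparison with a retained past event, a count of similar events within a time window, several subrules firing, and subrules firing in order) gets a small evaluator, and all five are run over a constructed event stream. The field names (evt, sev, sip, dip, dun), the windows, the counts and the reset-after-fire behaviour are assumptions of the example, not a description of how the Correlation Engine itself evaluates rules.

```python
# Added illustration, not Sentinel code: a toy evaluator for the five kinds of
# correlation trigger listed in the overview. It models semantics only; it does not parse RuleLg.
from collections import deque
from typing import Any, Callable, Deque, Dict, List

Event = Dict[str, Any]               # constructed event: {"t": seconds, "evt": ..., "sev": ..., ...}
Predicate = Callable[[Event], bool]

class FieldFilter:                   # fires on the value of one or more fields of the incoming event alone
    def __init__(self, pred: Predicate):
        self.pred = pred
    def feed(self, e: Event) -> bool:
        return self.pred(e)

class Threshold:                     # fires when `count` matching events share a discriminator within `window_s`
    def __init__(self, pred: Predicate, count: int, window_s: float, key: Callable[[Event], Any]):
        self.pred, self.count, self.window_s, self.key = pred, count, window_s, key
        self.seen: Dict[Any, Deque[float]] = {}
    def feed(self, e: Event) -> bool:
        if not self.pred(e):
            return False
        times = self.seen.setdefault(self.key(e), deque())
        times.append(e["t"])
        while times and e["t"] - times[0] > self.window_s:    # forget events outside the window
            times.popleft()
        if len(times) >= self.count:
            times.clear()                                      # fire once per burst, then reset
            return True
        return False

class PastMatch:                     # fires when the incoming event relates to a past event kept for `window_s`
    def __init__(self, keep: Predicate, relate: Callable[[Event, Event], bool], window_s: float):
        self.keep, self.relate, self.window_s = keep, relate, window_s
        self.past: Deque[Event] = deque()
    def feed(self, e: Event) -> bool:
        while self.past and e["t"] - self.past[0]["t"] > self.window_s:
            self.past.popleft()
        fired = any(self.relate(p, e) for p in self.past)
        if self.keep(e):                                       # retain events that later events may relate to
            self.past.append(e)
        return fired

class Composite:                     # fires when `needed` subrules have fired within `window_s`, in any order
    def __init__(self, subrules: List[Any], needed: int, window_s: float):
        self.subrules, self.needed, self.window_s = subrules, needed, window_s
        self.fired_at: Dict[int, float] = {}
    def feed(self, e: Event) -> bool:
        for i, rule in enumerate(self.subrules):
            if rule.feed(e):
                self.fired_at[i] = e["t"]
        live = [i for i, t in self.fired_at.items() if e["t"] - t <= self.window_s]
        if len(live) >= self.needed:
            self.fired_at.clear()
            return True
        return False

class SequenceRule:                  # fires when subrules fire in the given order, all within `window_s` of the first
    def __init__(self, subrules: List[Any], window_s: float):
        self.subrules, self.window_s = subrules, window_s
        self.stage, self.start = 0, None
    def feed(self, e: Event) -> bool:
        if self.start is not None and e["t"] - self.start > self.window_s:
            self.stage, self.start = 0, None                   # window expired: start over
        if self.subrules[self.stage].feed(e):                  # only the next expected stage sees the event
            if self.stage == 0:
                self.start = e["t"]
            self.stage += 1
            if self.stage == len(self.subrules):
                self.stage, self.start = 0, None
                return True
        return False

# Constructed sample stream; the keys mimic short-tag names but this is not real Sentinel data.
SAMPLE: List[Event] = [
    {"t": 0,   "evt": "Failed Login",     "sev": 2, "sip": "10.0.0.5", "dip": "10.0.0.9",  "dun": "alice"},
    {"t": 5,   "evt": "Failed Login",     "sev": 2, "sip": "10.0.0.5", "dip": "10.0.0.9",  "dun": "alice"},
    {"t": 9,   "evt": "Failed Login",     "sev": 2, "sip": "10.0.0.5", "dip": "10.0.0.9",  "dun": "alice"},
    {"t": 12,  "evt": "Successful Login", "sev": 1, "sip": "10.0.0.5", "dip": "10.0.0.9",  "dun": "alice"},
    {"t": 30,  "evt": "Port Scan",        "sev": 4, "sip": "10.0.0.9", "dip": "10.0.0.20", "dun": ""},
    {"t": 400, "evt": "Failed Login",     "sev": 2, "sip": "10.0.0.7", "dip": "10.0.0.9",  "dun": "bob"},
]

def failed_login_burst() -> Threshold:   # three failed logins for one (source, account) within 60 s
    return Threshold(lambda e: e["evt"] == "Failed Login", count=3, window_s=60,
                     key=lambda e: (e["sip"], e["dun"]))

def demo() -> Dict[str, List[float]]:
    """Run one rule of each kind over SAMPLE; return the timestamps at which each fired."""
    rules = {
        "field": FieldFilter(lambda e: e["sev"] >= 4),
        "threshold": failed_login_burst(),
        "past": PastMatch(keep=lambda e: e["evt"] == "Successful Login", window_s=300,
                          relate=lambda p, e: e["evt"] == "Port Scan" and e["sip"] == p["dip"]),
        "composite": Composite([FieldFilter(lambda e: e["evt"] == "Port Scan"),
                                FieldFilter(lambda e: e["evt"] == "Successful Login")], needed=2, window_s=60),
        "sequence": SequenceRule([failed_login_burst(),
                                  FieldFilter(lambda e: e["evt"] == "Successful Login")], window_s=120),
    }
    return {name: [e["t"] for e in SAMPLE if rule.feed(e)] for name, rule in rules.items()}
```

Calling demo() feeds the six constructed events, in time order, to one rule of each kind. The field rule fires only on the severity-4 port scan (t = 30); the threshold rule fires on the third failed login for alice from 10.0.0.5 (t = 9); the past-event rule fires when the host that was the target of a successful login later appears as the source of a port scan (t = 30); the composite rule fires once both of its subrules have fired within 60 s of each other (t = 30); and the sequence rule fires when a successful login follows a failed-login burst within 120 s (t = 12). Note that the sequence evaluator only consults the next expected stage, and that each evaluator resets after firing; the Correlation Engine's own window and reset semantics are documented in the sections that follow, not here.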