Correlation Engine; Starting Or Stopping A Correlation Engine; Renaming A Correlation Engine; Correlation Actions - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual

4.5 Correlation Engine

Section 4.5.1, "Starting or Stopping a Correlation Engine"
Section 4.5.2, "Renaming a Correlation Engine"

4.5.1 Starting or Stopping a Correlation Engine

1 Open the Correlation Engine Manager window.
2 Right-click a correlation engine and select Start Engine or Stop Engine.

4.5.2 Renaming a Correlation Engine

A Sentinel system can have one or more correlation engines. You can rename the engines if desired.

1 Open the Correlation Engine Manager window.
2 Right-click the correlation engine and select Rename Engine.
3 Modify the name of the engine and click OK.

4.6 Correlation Actions

The Action Manager allows you to configure repeatable actions. There are several different types of
actions that can be configured and then associated with a correlation rule deployment:

Section 4.6.1, "Configuring a Correlated Event"
Section 4.6.2, "Adding to a Dynamic List"
Section 4.6.3, "Removing a Value from a Dynamic List"
Section 4.6.4, "Executing a Command"
Section 4.6.5, "Creating an Incident"
Section 4.6.6, "Sending an E-mail"
Section 4.6.7, "Imported JavaScript Action Plugins"

NOTE: Although all of these actions can be used in Correlation rule deployments, only the
JavaScript actions can be used in other areas of the Sentinel Control Center. For more information,
see Chapter 15, "Action Manager and Integrator."

Actions associated with a Correlation rule are executed when the deployed Correlation rule fires
(with the frequency of the execution determined by settings on the Update Criteria window of the
Correlation Rule Wizard).
If no action is specifically selected when deploying a correlation rule, a correlated event with the
following default settings is created:
