Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 88


Simple Rule
A simple rule is defined by specifying the events that can trigger the rule to fire (for example,
firewall events, or firewall events of severity 3 or higher). The filter criteria can be intersected (using
the "all" option in the GUI or the "AND" operator in RuleLG) or the filter criteria can be unioned
(using the "any" option in the GUI or the "OR" operator in RuleLG).
For example, a rule might be defined so that it fires anytime an event takes place on a server that is
on the critical list. Another rule might be defined to fire anytime an event of severity 4 or greater
takes place on a server that is on the critical list.
A simple rule requires only one event in order to fire.
For users familiar with the Correlation rule language (RuleLG), the defining operator for a simple
rule is the "filter" operator. For more information about RuleLG, see "Sentinel 6.1 Rapid
Deployment Correlation Engine RuleLG Language" in the Sentinel 6.1 Rapid Deployment Reference
Guide.
In Sentinel 6, filter criteria must be defined in the Correlation Rule Wizard. You cannot use existing
public filters.
To create a simple rule:
1 Open the Correlation Rule Manager window and select a folder from the drop-down list to
which this rule is added.
2 Click the Add button located on the top left corner of the screen. The Correlation Rule window
displays. Select Simple Rule.
3 In the Simple Rule window, define a condition for this rule. Select the Property and Operator
values from the drop-down lists and specify data in the value field.
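
The following Python model is an added illustration, not Sentinel or RuleLG code. It evaluates Property/Operator/value conditions against single events and shows how the "all" and "any" options change which events fire a simple rule. The field names, host names and the treatment of empty filters and missing properties are assumptions.

```python
import operator

# Operators a condition may use (a constructed subset for illustration).
OPS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
    "in": lambda value, members: value in members,
}

def condition_matches(event, cond):
    """Evaluate one (property, operator, value) triple against an event."""
    prop, op, expected = cond
    if prop not in event:          # assumption: a missing property never matches
        return False
    return OPS[op](event[prop], expected)

def rule_fires(event, conditions, mode="all"):
    """mode='all' intersects the criteria (AND); mode='any' unions them (OR)."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    if not conditions:             # assumption: an empty filter matches nothing
        return False
    combine = all if mode == "all" else any
    return combine(condition_matches(event, c) for c in conditions)

def firing_events(events, conditions, mode="all"):
    """A simple rule needs only one event, so each event is tested alone."""
    return [e["id"] for e in events if rule_fires(e, conditions, mode)]

# Constructed sample data: host names, field names and values are hypothetical.
CRITICAL = {"db01", "pay02"}
EVENTS = [
    {"id": 1, "type": "firewall", "severity": 5, "host": "db01"},
    {"id": 2, "type": "firewall", "severity": 2, "host": "web07"},
    {"id": 3, "type": "login",    "severity": 4, "host": "pay02"},
    {"id": 4, "type": "login",    "severity": 3, "host": "db01"},
    {"id": 5, "type": "firewall", "severity": 4},   # no host recorded
]
CRITERIA = [("severity", ">=", 4), ("host", "in", CRITICAL)]

if __name__ == "__main__":
    print("all:", firing_events(EVENTS, CRITERIA, "all"))
    print("any:", firing_events(EVENTS, CRITERIA, "any"))
```

With "any", events 4 and 5 also fire, which is why a unioned filter on a broad property such as severity produces far more correlated events than the intersected form.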
