Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 90

8 Provide a name for this rule. You have an option to modify the rule folder.
9 Provide a rule description and click Next.
10 You have an option to create another rule from this wizard. Select your option and click Next.
Aggregate Rule
An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire
within a specific time window in order to trigger the aggregate rule. For example, an aggregate rule
might require that a subrule fire 10 times within 5 minutes for the aggregate rule to fire.
Aggregate rules have an optional group by field, which can be any populated field from the events.
For example, an aggregate rule might require that a subrule fire 10 times within 5 minutes where
each of the 10 events has the same destination server.
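The trigger-and-discriminator behaviour described above, as an added Python example that is not part of the Sentinel product or this guide: a sliding-window evaluator that fires when a subrule matches 10 times within 5 minutes, run once with and once without a group-by field. The event field names (`ts`, `name`, `dest`) and the sample events are constructed for the example and are not Sentinel's event schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AggregateRule:
    """Fire when `subrule` matches `threshold` times inside a sliding `window`.
    `group_by` names the discriminator field: hits are counted separately per distinct value."""

    def __init__(self, subrule, threshold, window, group_by=None):
        self.subrule, self.threshold, self.window, self.group_by = subrule, threshold, window, group_by
        self._hits = defaultdict(deque)  # group value -> timestamps of recent subrule hits

    def process(self, event):
        """Return (event timestamp, group value) if the rule fires on this event, else None."""
        if not self.subrule(event):
            return None
        key = event.get(self.group_by) if self.group_by else None
        hits = self._hits[key]
        hits.append(event["ts"])
        while hits and event["ts"] - hits[0] > self.window:  # evict hits older than the window
            hits.popleft()
        if len(hits) >= self.threshold:
            hits.clear()  # restart the count so one burst yields one firing, not one per extra event
            return event["ts"], key
        return None

def run_rule(rule, events):
    """Feed time-ordered events through the rule and collect every firing."""
    return [fired for event in events if (fired := rule.process(event)) is not None]

BASE = datetime(2009, 12, 1, 10, 0, 0)  # constructed start time for the sample events

def sample_events():
    """Constructed input: a burst of failed logins against srv-a, a slow trickle against srv-b."""
    events = [{"ts": BASE + timedelta(seconds=20 * i), "name": "login_failed", "dest": "srv-a"} for i in range(12)]
    events += [{"ts": BASE + timedelta(seconds=50 * i), "name": "login_failed", "dest": "srv-b"} for i in range(5)]
    events.append({"ts": BASE + timedelta(seconds=30), "name": "login_ok", "dest": "srv-b"})
    return sorted(events, key=lambda e: e["ts"])

def failed_login(event):
    """The subrule: matches only failed-login events."""
    return event["name"] == "login_failed"

def demo():
    """Run the subrule with and without the group-by field; firings as (seconds after BASE, group)."""
    grouped = AggregateRule(failed_login, 10, timedelta(minutes=5), group_by="dest")
    ungrouped = AggregateRule(failed_login, 10, timedelta(minutes=5))
    offsets = lambda firings: [(int((ts - BASE).total_seconds()), key) for ts, key in firings]
    return {"grouped": offsets(run_rule(grouped, sample_events())),
            "ungrouped": offsets(run_rule(ungrouped, sample_events()))}
```

With the group-by field only srv-a's burst fires; without it, the two servers' failures are pooled and the rule fires earlier on the combined count.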
NOTE: For users familiar with the Correlation rule language (RuleLG), the defining operator for an aggregate rule is the "trigger" operator. The trigger clause might also use the "discriminator" operator to define the group by field. For more information about RuleLG, see "Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language" in the Sentinel 6.1 Rapid Deployment Reference Guide.
To create an aggregate rule:
1 Open the Correlation Rule Manager window and select a folder from the drop-down list to which this rule is added.
2 Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Aggregate Rule.
90
Sentinel 6.1 Rapid Deployment User Guide