Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 94

10 Provide a rule description and click Next.
11 You have an option to create another rule from this wizard. Select your option and click Next.
Custom or Freeform Correlation Rules
The custom or freeform rule option is the most powerful option for creating a correlation rule. This
allows the user to create any of the previous types of rules by typing the RuleLG correlation rule
language directly into the Correlation Rule Wizard.
Freeform rules are the only way to include certain functionality in a correlation rule. Freeform rules
give you the ability to do the following:
Nest operations by using parentheses to specify order of operations
Use the inlist operator to refer to a dynamic list
Use the isnull operator to refer to unpopulated fields
Use the w. prefix for a field name in the window operation to compare an incoming event's
value to a set of previous events
TIP: You can select the functions, operators, and meta tags from the drop-down list selection. Type
e. or w. in the Correlation Rule section to view the drop-down lists.
To create a custom or freeform rule:
1 Open the Correlation Rule Manager window and select, from the Folder drop-down list, the folder
to which this rule will be added.
2 Click the Add button located in the top left corner of the screen. The Correlation Rule window
displays. Select Custom/Freeform Rule.
3 In the Custom/Freeform Rule window, write the condition for the rule and click Validate to test
the validity of the rule.
4 After the rule validates, click Next. The Update Criteria window displays.
5 Update the criteria for the rule to fire and click Next.
6 Provide a name for this rule. You have an option to modify the rule folder.
7 Provide a rule description and click Next.
8 You have an option to create another rule from this wizard. Select your option and click Next.
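The following is an added illustration of what the freeform-only constructs above evaluate: a small Python model of inlist, isnull, parenthesised nesting, and a window that compares an incoming event's e.<field> against the w.<field> of retained previous events. It is not Sentinel code and not RuleLG syntax; the event field names (sip, dip, sev, user, ts), the dynamic list contents, the sample events, and the assumption that the window's filter selects which previous events are retained are all constructed for this example.

```python
from collections import deque

# Constructed dynamic list standing in for a Sentinel dynamic list (assumption:
# membership test on a plain set; a real dynamic list lives on the server).
BLOCKED_SOURCES = {"198.51.100.7", "203.0.113.9"}


def inlist(value, dynamic_list):
    """e.<field> inlist <list>: true when the field value is a member of the list."""
    return value is not None and value in dynamic_list


def isnull(value):
    """isnull(e.<field>): true when the event does not populate the field."""
    return value is None or value == ""


class Window:
    """Model of window(w.<field> = e.<field>, filter(...), seconds).

    Previous events that pass the filter are retained for `seconds`; an incoming
    event matches when its e.<field> equals the w.<field> of any retained event.
    The incoming event is compared first and only then added to the window,
    so an event never matches itself.
    """

    def __init__(self, seconds, keep=lambda ev: True):
        self.seconds = seconds
        self.keep = keep            # filter applied to events entering the window
        self.past = deque()         # (timestamp, event) pairs, oldest first

    def matches(self, ev, w_field, e_field):
        now = ev["ts"]
        while self.past and now - self.past[0][0] > self.seconds:
            self.past.popleft()     # drop previous events older than the window
        return any(old[w_field] == ev[e_field] for _, old in self.past)

    def observe(self, ev):
        if self.keep(ev):
            self.past.append((ev["ts"], ev))


# Constructed sample events (ts in seconds; every field value is made up).
SAMPLE_EVENTS = [
    {"id": 1, "ts": 100, "sip": "192.0.2.10",   "dip": "198.51.100.7", "sev": 4, "user": ""},
    {"id": 2, "ts": 130, "sip": "198.51.100.7", "dip": "192.0.2.10",   "sev": 2, "user": "admin"},
    {"id": 3, "ts": 140, "sip": "203.0.113.9",  "dip": "192.0.2.11",   "sev": 5, "user": ""},
    {"id": 4, "ts": 300, "sip": "198.51.100.7", "dip": "192.0.2.10",   "sev": 2, "user": "admin"},
]


def run_rules(events):
    """Evaluate two freeform-style rules over an event stream.

    callback_from_blocked_source:
        e.sip inlist BLOCKED_SOURCES and
        window(w.dip = e.sip, filter(e.sev >= 3), 60)
        -> a blocked host is talking back to a host that contacted it
           within the last 60 s with a severity >= 3 event.

    unattributed_or_blocked_high_sev (parentheses control the nesting):
        (isnull(e.user) or e.sip inlist BLOCKED_SOURCES) and e.sev >= 4

    Returns the ids of the events on which each rule fired.
    """
    recent_high_sev = Window(seconds=60, keep=lambda ev: ev["sev"] >= 3)
    fired = {"callback_from_blocked_source": [],
             "unattributed_or_blocked_high_sev": []}

    for ev in events:
        # w.dip is the previous event's field, e.sip the incoming event's field.
        if inlist(ev["sip"], BLOCKED_SOURCES) and recent_high_sev.matches(ev, "dip", "sip"):
            fired["callback_from_blocked_source"].append(ev["id"])

        if (isnull(ev["user"]) or inlist(ev["sip"], BLOCKED_SOURCES)) and ev["sev"] >= 4:
            fired["unattributed_or_blocked_high_sev"].append(ev["id"])

        recent_high_sev.observe(ev)   # the event becomes "previous" for later ones

    return fired


if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
```

Event 2 fires the first rule because event 1 (severity 4, 30 seconds earlier) had event 2's source as its destination; event 4 repeats the same pattern 200 seconds later and does not fire, because the window has expired. Events 1 and 3 fire the second rule through different branches of the parenthesised disjunction.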