Novell Sentinel 6.1 SP2 Reference Guide (02-2010): Event Operations; Filter Operation

WARNING: If you rename the label of a metatag, do not use the original label name when creating
a correlation rule.

4.3 Event Operations

Event operations evaluate, compare, and count events. They include the following operations:
Filter: Evaluates the current event to determine whether it could potentially trigger a rule to fire
Window: Compares the current event to past events that have been stored in memory
Trigger: Counts events to determine whether enough events have occurred to trigger a rule
Each operation works on a set of events, receiving a set of events as input and returning a set of
events as output. The current event processed by a rule often has a special meaning for the semantics
of the language. The current event is always part of the set of events in and out of an operation
unless the set is empty. If the input set of an operation is empty, the operation is not evaluated.

4.3.1 Filter Operation

Filter consists of a Boolean expression that evaluates the current event from the real-time event
stream. It compares event attributes to user-specified values using a wide set of operators.
The Boolean expression is a composite of comparison and match instructions.
The syntax for filter is:
Filter <Boolean expression 1> [NOT|AND|OR <Boolean expression 2>] [...]
[NOT|AND|OR <Boolean expression n>]
Where
<Boolean expressions 1...n> are expressions using one or more event field names
and filter operators
For example, this rule detects whether the current event has a severity of 4 and the resource event
field matches the regular expression "FW" or the regular expression "Comm":
filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))
Boolean Operators
Filter expressions can be combined using the Boolean operators AND, OR and NOT. The filter
Boolean operator precedence, from highest (top) to lowest (bottom), is:

Table 4-1 Boolean Operators

Operator   Meaning       Operator Type   Associativity
Not        logical not   unary           None
And        logical and   binary          left to right
Or         logical or    binary          left to right
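The filter syntax above and the precedence in Table 4-1 can be checked against a small evaluator. The following Python is an added example written for this page, not code from Novell or from Sentinel itself: it parses filter expressions with one recursive-descent level per row of Table 4-1 (NOT binds tightest, then AND, then OR, with AND and OR left-associative), accepts parenthesised sub-expressions, "field = value" comparisons and "field match regex ("pattern")" matches, and runs the result over a set of constructed events. The relational operators other than "=", the convention that event fields are written with an "e." prefix, the event dictionaries and the tokenize, Parser, evaluate and matching_ids names are assumptions made for the example; Sentinel's real parser, field names and operator set are not reproduced here.

```python
"""Toy evaluator for Sentinel-style filter expressions (added example, not Novell code).
Only "=" and 'match regex' appear on the page; the other relational operators, the "e."
field prefix and the event dicts are assumptions made for this example."""
import operator
import re
COMPARISONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

def tokenize(text):  # (kind, value) tokens plus an eof marker; stray characters are errors
    tokens = []
    for num, string, word, sym, bad in re.findall(
            r'\s*(?:(\d+)|"([^"]*)"|([A-Za-z_][\w.]*)|(!=|[=<>()])|(\S))', text):
        if bad:
            raise SyntaxError(f"unexpected character {bad!r}")
        tokens.append(("num", int(num)) if num else ("word", word) if word
                      else ("sym", sym) if sym else ("str", string))
    return tokens + [("eof", None)]

class Parser:  # recursive descent, one method per precedence level of Table 4-1
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0

    def accept(self, word):  # consume a case-insensitive keyword if it comes next
        hit = self.toks[self.pos][0] == "word" and self.toks[self.pos][1].lower() == word
        self.pos += hit
        return hit

    def expect(self, kind, value=None):
        k, v = self.toks[self.pos]
        if k != kind or value not in (None, v):
            raise SyntaxError(f"expected {value or kind}, got {v!r}")
        self.pos += 1
        return v

    def parse(self):
        self.accept("filter")  # optional leading keyword, as in the page's example
        node = self.or_expr()
        self.expect("eof")  # reject trailing input, e.g. two comparisons with no connector
        return node

    def or_expr(self):  # lowest precedence, left-associative
        node = self.and_expr()
        while self.accept("or"):
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):  # binds tighter than OR, left-associative
        node = self.not_expr()
        while self.accept("and"):
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):  # unary, highest precedence: applies to the next operand only
        return ("not", self.not_expr()) if self.accept("not") else self.primary()

    def primary(self):
        if self.toks[self.pos] == ("sym", "("):
            self.pos += 1
            node = self.or_expr()
            self.expect("sym", ")")
            return node
        field = self.expect("word")
        if self.accept("match"):  # field match regex ("pattern")
            self.expect("word", "regex")
            self.expect("sym", "(")
            pattern = self.expect("str")
            self.expect("sym", ")")
            return ("regex", field, pattern)
        op = self.expect("sym")
        kind, literal = self.toks[self.pos]
        if op not in COMPARISONS or kind not in ("num", "str"):
            raise SyntaxError(f"bad comparison: {field} {op} {literal!r}")
        self.pos += 1
        return ("cmp", field, op, literal)

def evaluate(node, event):  # AST against one event dict; missing or mistyped fields never match
    kind = node[0]
    if kind in ("and", "or"):
        left, right = evaluate(node[1], event), evaluate(node[2], event)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not evaluate(node[1], event)
    value = event.get(node[1][2:] if node[1].lower().startswith("e.") else node[1])  # "e." prefix
    if kind == "regex":
        return value is not None and re.search(node[2], str(value)) is not None
    return type(value) is type(node[3]) and COMPARISONS[node[2]](value, node[3])

def matching_ids(rule, events):  # run one filter over a set of events, return passing ids
    tree = Parser(rule).parse()
    return [event["id"] for event in events if evaluate(tree, event)]

SAMPLE_EVENTS = [  # constructed sample events, not captured Sentinel data
    {"id": 1, "sev": 4, "res": "FW-edge-01"}, {"id": 2, "sev": 4, "res": "CommServer"},
    {"id": 3, "sev": 5, "res": "FW-edge-01"}, {"id": 4, "sev": 4, "res": "Database"},
    {"id": 5, "sev": 2, "res": "CommGateway"}]
# The page's rule, severity 4 AND (FW OR Comm): events 1 and 2
PAGE_RULE = 'filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))'
# No inner parentheses, so AND binds first, (sev = 4 and FW) or Comm: events 1, 2 and 5
UNGROUPED_RULE = 'e.sev = 4 and e.res match regex ("FW") or e.res match regex ("Comm")'
# NOT binds tighter than AND, (not sev = 4) and FW rather than not(sev = 4 and FW): event 3 only
NOT_RULE = 'not e.sev = 4 and e.res match regex ("FW")'
```

Running the three rules over SAMPLE_EVENTS shows why the page's example needs its inner parentheses: with them the rule passes only the two severity-4 events, while the ungrouped form lets the severity-2 CommGateway event through because AND is evaluated before OR. NOT_RULE shows that NOT negates only the comparison immediately after it, which matches the unary, highest-precedence row of Table 4-1.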
