Differences Between Correlation In 5.X And 6.X - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

Hide thumbs Also See for SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010:

Installation manual (176 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

page of 232

/ 232
Contents
Table of Contents
Bookmarks

Table of Contents

Operator Precedence

Table 4-2

Operator

Meaning

flow

Output set becomes input set

intersection

Set intersection (remove duplicates)

union

Set union (remove duplicates)

4.7 Differences between Correlation in 5.x and

6.x

There are several new functionalities updated / included in 6.0 to widen the usage of Correlation to

meet user's requirements and for the ease-of-use.



Gate Operation: This is new in 6.0.

Sequence Operation: This is new in 6.0.



Inlist Operator and Dynamic Lists: These are new in 6.0.



Isnull Operator: This is new in 6.0. For metatag values equal to null, Sentinel 5.x supported the

following syntax which is replaced by the ISNull operator in Sentinel 6.0

e.SIP= " "

Update Window: This is new in Sentinel 6.0



Sentinel 6.0 merges the C (Correlated Events) and W (watchlist events) SensorTypes. All



events generated by the Correlation Engine are now labeled C in the SensorType field.

Correlation Actions and Correlation Rules: Correlation Actions and Correlation Rules are



decoupled in Sentinel 6.0

Although the filter operation supported AND and OR Boolean expressions in Sentinel 5.x, the



window operation supports Boolean expressions for the first time in Sentinel 6.0. For example:

OR: window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2),60)

AND: window(e.evt=w.evt AND e.sun=w.sun, filter(e.sev>2),60)

Sentinel 6.0 no longer has the GUI option to create a rule from a PUBLIC filter. The filter



criteria must be defined in the correlation wizard or language.



The update functionality for a rule that is triggered more than once is configurable in Sentinel

6.0. In Sentinel 5.1.3, updates to a rule were based on a sliding window based on the trigger

time period. In Sentinel 6.0, the update functionality can be set when the rule is deployed; the

rule actions might happen every time the rule is triggered, or they can be set to occur once and

then wait for some period of time before the action occurs again. This prevents multiple

notifications on a single, ongoing event.



The in, not in, and difference operators are deprecated in Sentinel 6.0. Correlation rules using

these operators must be modified before running them in Sentinel 6.0.



The e.all metatag has been deprecated. Correlation rules using this operator should be updated

to use specific short tags before running them in Sentinel 6.0.

Operator Type

Associativity

binary

left to right

binary

left to right

binary

left to right

Sentinel Correlation Engine RuleLG Language

Table of Contents

Chapters

Table of Contents

This manual is also suitable for:

Sentinel 6.1 sp2

Differences Between Correlation In 5.X And 6.X - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

Chapters

Related Manuals for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010

Related Content for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010

This manual is also suitable for:

Table of Contents