Window Operation - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual

For example, this filter expression is used to evaluate whether the Source IP of the current event is
present on a dynamic list called MailServerList. If the Source IP is present in this list, the expression
evaluates to TRUE.
filter(e.sip inlist MailServerList)
As another example, this filter expression combines the NOT and the INLIST operator. This
expression evaluates to TRUE if the Source IP is not present in the dynamic list called
MailServerList.
filter(not (e.sip inlist MailServerList))
This filter expression is used to evaluate whether the event name of the current event equals "File
Access" and the Source User Name is also not present on a dynamic list called AuthorizedUsers. If
both conditions are true for the current event, the expression evaluates to TRUE.
filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))
ISNULL Operator
The isnull operator returns true if the metatag value is equal to NULL.
Example:
Filter(isnull(e.SIP))
Output Sets
The output of a filter is either the empty set (if the Boolean expression evaluates to false) or a
set containing the current event and all of the other events from the incoming set (if the
Boolean expression evaluates to true).
If filter is the last or only operation of a correlation rule, then the output set of the filter is used
to construct a correlated event. The trigger events are the filter operation output set of events
with the current event first.
If filter is not the last operation of a correlation rule (that is, filter is followed by a flow
operator), then the output set of the filter is used as the input set to other operations (through the
flow operator).
Additional Information
The filter operator can be used to compare metatag values with other metatag values, for
example:
e.SourceIP=e.DestinationIP
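The inlist, isnull, not/and and metatag-to-metatag comparisons above, together with the output-set rule, as an added example that is not part of this guide and not Sentinel's own implementation: a small Python evaluator for this subset of the filter syntax. It assumes an event is a dict of metatags, a dynamic list is a Python set, and metatag names are matched case-insensitively.

```python
import re
# Added example (not Sentinel's own code): evaluator for filter(<expr>) with and / or / not,
# parentheses, e.tag inlist ListName, isnull(e.tag), e.tag = "literal" and e.tag = e.othertag.
# Assumptions: metatags match case-insensitively, events are dicts, dynamic lists are sets.
TOKEN = r'\s*(\(|\)|=|"[^"]*"|[A-Za-z_][\w.]*)'

def tokenize(text):
    if not re.fullmatch(rf"(?:{TOKEN})*\s*", text): raise ValueError(f"cannot tokenize {text!r}")
    return re.findall(TOKEN, text)

def evaluate(expression, event, lists):
    """True/False for a filter(...) expression evaluated against one event (the current event)."""
    toks = tokenize(expression)
    if [t.lower() for t in toks[:2]] + toks[-1:] != ["filter", "(", ")"]: raise ValueError("expected filter(...)")
    toks, i = toks[2:-1], 0
    def peek(): return toks[i].lower() if i < len(toks) else None
    def take():
        nonlocal i; i += 1; return toks[i - 1]
    def expect(sym):
        if take() != sym: raise ValueError(f"expected {sym!r}")
    def operand(tok):                       # "literal" or e.metatag (an absent metatag is None)
        if tok.startswith('"'): return tok[1:-1]
        if tok.lower().startswith("e."): return event.get(tok[2:].lower())
        raise ValueError(f"bad operand {tok!r}")
    def parse_or():                         # precedence, loosest first: or, and, not, atom
        v = parse_and()
        while peek() == "or": take(); rhs = parse_and(); v = v or rhs
        return v
    def parse_and():
        v = parse_not()
        while peek() == "and": take(); rhs = parse_not(); v = v and rhs
        return v
    def parse_not():
        if peek() == "not": take(); return not parse_not()
        return parse_atom()
    def parse_atom():
        tok = take()
        if tok == "(": v = parse_or(); expect(")"); return v
        if tok.lower() == "isnull": expect("("); v = operand(take()) is None; expect(")"); return v
        left, op = operand(tok), take().lower()
        if op == "inlist": return left in lists.get(take(), set())   # unknown list = empty list
        if op == "=": return left == operand(take())
        raise ValueError(f"unknown operator {op!r}")
    result = parse_or()
    if i != len(toks): raise ValueError(f"trailing tokens {toks[i:]}")
    return bool(result)

def filter_op(expression, current, incoming, lists):
    """Output set: empty, or the current event first followed by every event of the incoming set."""
    return [current] + list(incoming) if evaluate(expression, current, lists) else []
```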

3.3.2 Window Operation

Window compares the current event to a set of past events that are stored in a "window." The events
in the window can be all past events for a certain time period, or they can be filtered.
The Boolean expression is a composite of comparison instructions and match instructions with the
Boolean operators AND, OR and NOT.
The syntax for window is: