Discriminator Operator; Order Of Operators; Differences Between Correlation In 5.X And 6.X - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual

3.5.4 Discriminator Operator

The discriminator operator allows users to group by event fields within other event operations.
Discriminator can be used within the trigger, gate, or sequence operations. This is the last operation
when executing a condition. The input for this operator will generally be the output of other
operations, if any.
For example, this filter expression identifies five severity 5 events within 60s that all have
the same Source IP. Note that the attribute (SIP in this example) can be any value, even NULL, but
it must be the same for all five events for the rule to fire.
filter(e.sev=5) flow trigger(5, 60s, discriminator(e.sip))
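To make the grouping semantics concrete, here is an added simulation of that rule over a constructed event stream; it is example code, not Sentinel's own engine, and it assumes (the page does not say) that a group's window is cleared once it fires.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the manual): (timestamp in seconds, severity, source IP)
SAMPLE_EVENTS = [
    (0, 5, "10.0.0.1"),
    (5, 5, "10.0.0.2"),
    (10, 5, "10.0.0.1"),
    (20, 3, "10.0.0.1"),   # fails filter(e.sev=5), never reaches the trigger
    (30, 5, "10.0.0.1"),
    (40, 5, "10.0.0.1"),
    (50, 5, None),         # a NULL SIP is still a valid discriminator value
    (59, 5, "10.0.0.1"),   # fifth sev-5 event from 10.0.0.1 within 60s: rule fires
    (70, 5, "10.0.0.2"),   # 10.0.0.2 never has more than two events in one window
    (500, 5, "10.0.0.1"),  # far outside any 60s window, no fire
]


def run_rule(events, count=5, window=60, severity=5):
    """Simulate: filter(e.sev=5) flow trigger(count, window, discriminator(e.sip)).

    Returns the list of (timestamp, sip) pairs at which the rule fires.
    Assumption (not stated on the page): a group's window is cleared after it fires.
    """
    per_sip = defaultdict(deque)   # discriminator value -> timestamps of matching events
    fired = []
    for ts, sev, sip in sorted(events, key=lambda e: e[0]):
        if sev != severity:                      # filter(e.sev=5): non-matching events are dropped
            continue
        q = per_sip[sip]                         # discriminator(e.sip); None groups like any value
        q.append(ts)
        while q and ts - q[0] > window:          # evict events older than the window
            q.popleft()
        if len(q) >= count:                      # trigger(count, window, ...)
            fired.append((ts, sip))
            q.clear()                            # assumed reset of the fired group
    return fired


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```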

3.6 Order of Operators

The operator precedence (from highest (top) to lowest (bottom)) is:

Table 3-2   Operator Precedence

Operator        Meaning                                Operator Type   Associativity
flow            Output set becomes input set           binary          left to right
intersection    Set intersection (remove duplicates)   binary          left to right
union           Set union (remove duplicates)          binary          left to right

3.7 Differences between Correlation in 5.x and 6.x

Several new functions were added or updated in 6.x to widen the use of Correlation, meet user
requirements, and improve ease of use.

Table 3-3   Comparison Table

Features                            Correlation in Sentinel 5.x                        Correlation in Sentinel 6.1RD
Gate Operation                      Not available                                      This is new in 6.x
Sequence Operation                  Not available                                      This is new in 6.x
Inlist Operator and Dynamic Lists   Not available                                      These are new in 6.x
Isnull Operator                     For metatag values equal to null, Sentinel 5.x     This is new in 6.x. Uses ISNull operator.
                                    supported the following syntax, which is replaced
                                    by the ISNull operator in Sentinel 6.0:
                                    e.SIP= " "
Update Window                                                                          This is new in Sentinel 6.x

Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language