Creating Correlation Rules - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual

Aggregate
Sequence
Custom/Freeform
4 Define the update criteria for the rule. If you select Continue to perform actions every time this rule fires, the rule fires every time the criteria are met. If you select Do not perform actions every time this rule fires for the next (t) time, the rule fires only once per user-defined time period. All other events that match the correlation rule within that period are grouped together with this correlated event. The user-defined time period can be a number of seconds, minutes, or hours.
5 Click Next.
6 Provide the rule name. The syntax of the rule is checked at the time it is created.
7 Under Namespace, select a correlation rule folder in which to store the rule.
8 Type the description of the rule.
9 Click Next. The rule is created and is displayed in the Correlation Rules Manager window.
10 Select Yes if you want to create another rule or No if you do not want to create another rule.
Click Next.
The rule types and the steps to create them are described below.

3.3.5 Creating Correlation Rules

Correlation rules can be defined in the Correlation Rule wizard, either by walking through the wizard or by choosing the Custom/Freeform option to write the rule in the proprietary RuleLG language. All rule definitions are stored in the database as RuleLG.
Correlation rules can be defined based on any populated event field.
NOTE: When creating a rule, you can refer to a dynamic list from it. For more information, see Section 3.4.5, "Using a Dynamic List in a Correlation Rule," on page 84.
Simple Rule
A simple rule is defined by specifying which events can trigger the rule to fire (for example, firewall events, or firewall events of severity 3 or higher). The filter criteria can be intersected (using the "all" option in the GUI or the "AND" operator in RuleLG) or unioned (using the "any" option in the GUI or the "OR" operator in RuleLG).
For example, a rule might be defined so that it fires any time an event takes place on a server that is on the critical list. Another rule might be defined to fire any time an event of severity 4 or greater takes place on a server that is on the critical list.
A simple rule requires only one event in order to fire.
NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for a simple rule is the "filter" operator. For more information about RuleLG, see "Sentinel Correlation Engine RuleLG Language" in the Sentinel 6.1 Reference Guide.
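The behaviour described above (filter criteria combined with "all"/"any", and the two update-criteria options from step 4, where further matches inside the time period are grouped with the correlated event) modelled in Python as an added example. This is not code from the manual and is not RuleLG; the event field names, the critical-server set and the sample events are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
Event = Dict[str, object]
CRITICAL_SERVERS = {"10.0.0.5", "10.0.0.9"}  # constructed stand-in for the "critical list"

def simple_rule(criteria: List[Callable[[Event], bool]], combine: str) -> Callable[[Event], bool]:
    """Simple rule: 'all' intersects the filter criteria (AND), 'any' unions them (OR)."""
    op = {"all": all, "any": any}[combine]  # KeyError for an unknown mode
    return lambda e: op(c(e) for c in criteria)

@dataclass
class CorrelatedEvent:
    fired_at: float
    trigger: Event
    grouped: List[Event] = field(default_factory=list)  # later matches inside the window

@dataclass
class RuleRunner:
    rule: Callable[[Event], bool]
    # None -> "Continue to perform actions every time this rule fires"
    # t    -> "Do not perform actions every time this rule fires for the next t seconds"
    suppress_seconds: Optional[float] = None
    fired: List[CorrelatedEvent] = field(default_factory=list)

    def process(self, e: Event) -> Optional[CorrelatedEvent]:
        if not self.rule(e):
            return None
        now = float(e["time"])
        last = self.fired[-1] if self.fired else None
        if last and self.suppress_seconds is not None and now - last.fired_at < self.suppress_seconds:
            last.grouped.append(e)  # matched inside the window: grouped, no new correlated event
            return None
        ce = CorrelatedEvent(fired_at=now, trigger=e)
        self.fired.append(ce)
        return ce

def run_sample(suppress_seconds: Optional[float]) -> List[CorrelatedEvent]:
    """Run the page's example rule (severity 4+ on a critical-list server) over constructed events."""
    rule = simple_rule([lambda e: e["sev"] >= 4, lambda e: e["dip"] in CRITICAL_SERVERS], "all")
    runner = RuleRunner(rule, suppress_seconds)
    events = [  # constructed sample events; "time" is seconds
        {"time": 0, "sev": 5, "dip": "10.0.0.5"},
        {"time": 10, "sev": 4, "dip": "10.0.0.9"},
        {"time": 30, "sev": 2, "dip": "10.0.0.5"},   # below the severity threshold
        {"time": 45, "sev": 5, "dip": "10.0.0.77"},  # not on the critical list
        {"time": 70, "sev": 4, "dip": "10.0.0.5"},
    ]
    for e in events:
        runner.process(e)
    return runner.fired
```

With a 60-second suppression the sample produces two correlated events, the first carrying the 10-second match as a grouped event; with no suppression all three matches fire separately.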
Correlation Tab
69
