Correlation Tab; Understanding Correlation - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


4 Correlation Tab

Sometimes, an event viewed in the system might not necessarily draw your attention. However,
when you correlate a set of similar or comparable events in a given period, it might lead you to a
significant event. Sentinel™ helps you correlate such events with the rules you create and deploy in
the Correlation engine so you can take appropriate action to mitigate any alarming situation.
Section 4.1, "Understanding Correlation," on page 83
Section 4.2, "Introduction to the User Interface," on page 85
Section 4.3, "Correlation Rules," on page 85
Section 4.4, "Dynamic Lists," on page 98
Section 4.5, "Correlation Engine," on page 102
Section 4.6, "Correlation Actions," on page 102

4.1 Understanding Correlation

Correlation adds intelligence to security event management by automating analysis of the incoming
event stream to find patterns of interest. Correlation allows you to define rules that identify critical
threats and complex attack patterns so that you can prioritize events and initiate effective incident
management and response. Starting with Sentinel 6.0, the Correlation engine is built with a
pluggable framework, which allows the addition of new Correlation engines in the future.
Correlation rules define a pattern of events that should trigger, or fire, a rule. Using either the
Correlation Rule Wizard or the simple RuleLG language, you can create rules that range from
simple to extremely complex, for example:
High severity event from a finance server
High severity event from any server brought online in the past 10 days
Five failed logins in 2 minutes
Five failed logins in 2 minutes to the same server from the same username
Intrusion detection event targeting a server, followed by an attempted login to root originating from that same server within 60 seconds
Two or more of these rules can be combined into one composite rule. The rule definition determines
the conditions under which the composite rule fires:
All subrules must fire
A specified number of subrules must fire
The subrules must fire in a particular sequence
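As an added illustration (not Sentinel code and not RuleLG, whose syntax is not shown on this page), the following Python sketch evaluates two of the patterns listed above over a constructed event stream: a threshold rule for five failed logins in 2 minutes keyed on server and username, and a sequence rule for an intrusion detection event followed within 60 seconds by a root login attempt originating from the targeted server. The event field names and the sample events are assumptions made for the example.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts name src dst user")  # src = originating host, dst = target host

# Constructed sample stream (not from the manual), already in time order.
EVENTS = [Event(datetime.fromisoformat(t), *rest) for t, *rest in [
    ("2009-12-01T10:00:00", "LoginFailed", "10.0.0.5", "finsrv01", "alice"),
    ("2009-12-01T10:00:20", "LoginFailed", "10.0.0.5", "finsrv01", "alice"),
    ("2009-12-01T10:00:40", "LoginFailed", "10.0.0.7", "finsrv01", "bob"),
    ("2009-12-01T10:00:50", "LoginFailed", "10.0.0.5", "finsrv01", "alice"),
    ("2009-12-01T10:01:00", "LoginFailed", "10.0.0.5", "finsrv01", "alice"),
    ("2009-12-01T10:01:30", "LoginFailed", "10.0.0.5", "finsrv01", "alice"),
    ("2009-12-01T10:05:00", "IDS:PortScan", "10.0.0.9", "websrv02", ""),
    ("2009-12-01T10:05:30", "LoginAttempt", "websrv02", "dbsrv03", "root"),
]]

def threshold_rule(events, name, count, window_sec, key):
    # Fire once when `count` events named `name` share the same `key` within `window_sec`,
    # e.g. five failed logins in 2 minutes to the same server from the same username.
    window, seen, fired = timedelta(seconds=window_sec), defaultdict(deque), []
    for ev in events:
        if ev.name != name:
            continue
        q = seen[key(ev)]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) >= count:
            fired.append((ev.ts, key(ev)))
            q.clear()                  # one burst fires the rule once
    return fired

def sequence_rule(events, first, second, window_sec):
    # Fire when an event matching `first` is followed within `window_sec` by one matching
    # `second` whose source is the first event's target (the IDS-then-root-login pattern).
    window, pending, fired = timedelta(seconds=window_sec), {}, []
    for ev in events:
        if first(ev):
            pending[ev.dst] = ev.ts    # remember the host that was targeted
        elif second(ev) and ev.src in pending and ev.ts - pending[ev.src] <= window:
            fired.append((ev.ts, ev.src))
            del pending[ev.src]
    return fired

def run_sample():
    failed = threshold_rule(EVENTS, "LoginFailed", 5, 120, lambda e: (e.dst, e.user))
    pivot = sequence_rule(EVENTS, lambda e: e.name.startswith("IDS:"),
                          lambda e: e.name == "LoginAttempt" and e.user == "root", 60)
    return failed, pivot
```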
After the rule is defined, it should be deployed to an active Correlation engine, and one or more
actions can be associated with it. After the rule is deployed, the Correlation engine processes events
from the real-time event stream to determine whether they should trigger any of the active rules.
NOTE: Events that are sent directly to the database or dropped by a global filter are not processed
by the Correlation engine.
Correlation Tab 83
