5.10 Customizing Correlated Event

Correlated events include specific event fields with some default values. For more information, see Table 5-3 in Section 5.4.1, Understanding the Correlated Event.

You can customize the default correlated event field values. For example, when a specific event pattern is detected and you want the rule to create correlated events with a high severity value, you can customize the Severity field of the correlated event. Similarly, if you want to allow a specific tenant to view correlated events specific to their tenant, you can set the TenantName field to the tenant associated with the rule.

You can customize the correlated event when performing either of the following:

  • Creating the correlation rule:

    • The Customize correlated event option lets you customize almost all of the correlated event fields; only the Sentinel internal fields cannot be changed.

    • Any customization of the correlated event field values applies only to that specific correlation rule.

  • Configuring the Generate Custom Correlation Event action:

    • When specifying the attribute values, you can reference either a correlated event field value or a field value of the last event that triggered the correlated event. However, only certain event fields can be customized in the action.

    • You can associate the customizations made in the action with multiple correlation rules.

    For more information, see Managing Actions in the NetIQ Sentinel Administration Guide.

To customize correlated event field values:

  1. In the Correlation panel, select the correlation rule, then click the Edit icon.

  2. In the correlation rule builder, click Customize correlated event.

  3. Drag the event fields you want to edit from the Available event fields section to the Selected event fields section.

  4. Click the Edit icon to specify the value for the event field.

    By default, the value is the same as the value of that event field in the last event that triggered the correlated event. You can also reference other event field values in the Value field by enclosing the event field tag in $ signs.

    For example, for a login failure event, if you want the Message field to refer to the InitiatorUserName, specify the Value as Login failure by $sun$.

  5. Click OK.

  6. After customizing the correlated event fields, click Set to save the correlated event.

  7. Click Save Rule.

    The customized correlated event values are applied only for correlated events generated after the customization.
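The following is an added illustration of how the per-rule customizations from steps 3 and 4 combine with the default "copy the last triggering event" behaviour and the $tag$ reference syntax. It is not Sentinel code: the product builds the correlated event internally. Only the $sun$ to InitiatorUserName pairing comes from this page; the other tag names, the sample event, the placeholder internal-field list and the choice to leave an unknown or missing tag reference unchanged are assumptions made for the example.

```python
"""Model of applying "Customize correlated event" values to a correlated event.

Added example, not Sentinel code. Assumptions are marked in comments.
"""
import re
from typing import Any, Dict, Mapping, Set

# A reference is an event field tag enclosed in $ signs, e.g. $sun$.
TAG_RE = re.compile(r"\$([A-Za-z0-9_]+)\$")

# Tag -> field-name map. "sun" -> InitiatorUserName is the pairing used on this
# page; the remaining entries are constructed for the example.
TAG_TO_FIELD: Dict[str, str] = {
    "sun": "InitiatorUserName",
    "sip": "SourceIP",
    "msg": "Message",
    "sev": "Severity",
}


def resolve_references(template: str, last_event: Mapping[str, Any]) -> str:
    """Replace every $tag$ in template with that field of the last trigger event.

    Assumption: a tag that is unknown, or whose field is absent from the event,
    is left exactly as written so the gap is visible in the correlated event.
    The substituted text is copied verbatim from the triggering event, so a
    Message built from $sun$ contains whatever the source logged as the name.
    """
    def substitute(match: "re.Match[str]") -> str:
        field = TAG_TO_FIELD.get(match.group(1))
        if field is None or field not in last_event:
            return match.group(0)
        return str(last_event[field])

    return TAG_RE.sub(substitute, template)


def build_correlated_event(last_event: Mapping[str, Any],
                           customizations: Mapping[str, Any],
                           internal_fields: Set[str]) -> Dict[str, Any]:
    """Build the correlated event for one rule.

    Every field defaults to the value carried by the last triggering event;
    each customized field overrides that default, with $tag$ references
    resolved against the same triggering event. Internal fields are rejected
    up front (the page says they cannot be customized; which fields those are
    is not listed here, so the caller supplies the set).
    """
    blocked = set(customizations) & internal_fields
    if blocked:
        raise ValueError(f"internal fields cannot be customized: {sorted(blocked)}")

    event: Dict[str, Any] = dict(last_event)  # default: copy of the last trigger
    for field, value in customizations.items():
        event[field] = resolve_references(value, last_event) if isinstance(value, str) else value
    return event


# Constructed sample: the last event that triggered a login-failure rule.
LAST_EVENT: Dict[str, Any] = {
    "InitiatorUserName": "jdoe",
    "SourceIP": "10.0.0.5",
    "Message": "Failed password for jdoe",
    "Severity": 2,
    "TenantName": "default",
}

# Constructed sample of the values a rule author entered in step 4: raise the
# severity, rewrite the message with references, and pin the tenant.
RULE_CUSTOMIZATIONS: Dict[str, Any] = {
    "Severity": 5,
    "Message": "Login failure by $sun$ from $sip$",
    "TenantName": "acme",
}

# Placeholder only; the real list of Sentinel internal fields is not on this page.
INTERNAL_FIELDS: Set[str] = {"EventID"}


def demo() -> Dict[str, Any]:
    """Return the correlated event produced for the constructed sample."""
    return build_correlated_event(LAST_EVENT, RULE_CUSTOMIZATIONS, INTERNAL_FIELDS)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints a correlated event whose Severity is 5, whose TenantName is acme, whose Message reads "Login failure by jdoe from 10.0.0.5", and whose remaining fields are copied from the triggering event unchanged; an attempt to customize a field in the internal set raises before any event is built.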