5.4 Creating Correlation Rules

The procedure to create various types of Correlation rules is the same for all rule types, except for a few steps that are specific to each rule type. Events are evaluated by rules in the specified order until a match is made, so you should order subrules accordingly. More narrowly defined subrules and more important subrules should be placed at the beginning of the list. When creating correlation rules, you can also define what you want to see in the correlated event.

5.4.1 Understanding the Correlated Event

By default, correlated events display the event name and message as the rule name and description respectively.

The correlated event field values depend on the number of events that triggered the correlated event and whether any of the event fields are grouped.

  • In case of a single event triggering the correlated event, all the event field values are copied to the correlated event. If one or more event fields are grouped, only the grouped event fields are copied to the correlated event.

  • In case of multiple events triggering a correlated event, the grouped event field values are copied to the correlated event. If none of the event fields are grouped, no values are copied to the correlated event.

The following table describes the default event fields in a correlated event. You can also customize the event field values to suit your requirements. For more information, see Section 5.10, Customizing Correlated Event.

Table 5-3 Default Correlated Event Fields

Correlation Event Field         ID               Sample Value                                Description
-----------------------------   ---------------  ------------------------------------------  ----------------------------------------------------------------------
EventName                       evt              LoginUser                                   The name of the correlation rule.
EventTime                       dt               2014-02-10T05:21:29.047Z                    The time when the last trigger event was fired.
Message                         msg              Rule triggered for every successful login   The description in the correlation rule.
ObserverCategory                rv32             SIEM                                        For a correlated event, this event field is always set to SIEM.
ObserverServiceComponent        rv150            SessionServices                             Same as the value in the last trigger event.
ObserverTZ                      estz             Asia/Kolkata                                The time zone in which the correlation engine is located.
ObserverType                    st               C                                           For a correlated event, this event field is always set to C.
SentinelProcessingComponent     rt2              LoginUser                                   The correlation rule name.
SentinelProcessingComponentID   rv123            CC72FBA4-711D-1031-8046-005056A56C5B        The ID of the correlation rule; it stays the same even if the rule name changes.
SentinelServiceComponentName    sres             LoginUser                                   The name of the correlation rule.
SentinelServiceName             res              Correlation                                 For a correlated event, this event field is always set to Correlation.
Severity                        sev              4                                           For a correlated event, this event field is always set to 4.
XDASClass                       xdasclass        2                                           Same as the value in the last trigger event.
XDASDetail                      xdasdetail       0                                           Same as the value in the last trigger event.
XDASIdentifier                  xdasid           0                                           Same as the value in the last trigger event.
XDASOutcome                     xdasoutcome      0                                           Same as the value in the last trigger event.
XDASOutcomeName                 xdasoutcomename  XDAS_OUT_SUCCESS                            Same as the value in the last trigger event.
XDASProvider                    xdasprov         0                                           Same as the value in the last trigger event.
XDASRegistry                    xdasreg          0                                           Same as the value in the last trigger event.
XDASTaxonomyName                xdastaxname      XDAS_AE_CREATE_SESSION                      Same as the value in the last trigger event.

For more information on correlated event fields, click Tips in the Sentinel Web Console. For more information on the event taxonomy and event fields, see Sentinel Taxonomy.

NOTE: By default, Sentinel correlates the correlated events received from remote Sentinel servers. If you do not want the correlation rules to consider remote correlated events, set the following property in the /etc/opt/novell/sentinel/config/server.xml file to false and restart the Sentinel server:

<property name="correlateRemoteCorrelationEvents">false</property>

5.4.2 Creating a Simple Rule

A simple rule has just one subrule. You can specify additional criteria if you want the rule to fire when all or any of the specified criteria are met. You can also specify the number of times the event should occur for the rule to fire.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 5.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Repeat Step 3 and Step 4.

    2. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    3. (Conditional) You can group events by the distinct values of event fields or by the same values of event fields. Open the Group by drop-down list, then drag the desired event fields into the Group By Fields or Distinct Fields list, depending on how you want to group the events.

    4. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    5. Specify the time frame within which the subrule should fire.

    6. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. (Optional) To associate one or more actions with the rule, click the icon in the Actions panel.

    For more information on associating actions, see Section 5.5, Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 5.6, Testing a Correlation Rule.

  8. Click Save As.

  9. Specify a name for the rule and an optional description, then click OK.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 5.8, Deploying Rules in the Correlation Engine.
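The following Python is an added illustration, not Sentinel code: it models the field-copy rules of Section 5.4.1 (using the field IDs of Table 5-3) together with a simple rule that counts matching events per grouped field within a time frame, as configured in the steps above. The rule dictionary, the match function and the sun/sip event field IDs are assumptions made for the example.

```python
from datetime import datetime, timedelta

FIXED = {"rv32": "SIEM", "st": "C", "sev": 4, "res": "Correlation"}   # always set
FROM_LAST = ("rv150", "xdasclass", "xdasdetail", "xdasid", "xdasoutcome",   # copied from
             "xdasoutcomename", "xdasprov", "xdasreg", "xdastaxname")       # last trigger

def build_correlated_event(rule, triggers, group_by=(), copy_only_group_by=True):
    # Apply the field-copy rules of Section 5.4.1 to the trigger events.
    last = triggers[-1]
    if len(triggers) == 1 and not group_by:
        out = dict(last)                      # single trigger: copy every field
    elif group_by and copy_only_group_by:
        out = {f: last[f] for f in group_by}  # default: only the grouped fields
    elif group_by:
        out = dict(last)                      # checkbox cleared: all of last event
    else:
        out = {}                              # many triggers, no grouping: nothing
    out.update({f: last[f] for f in FROM_LAST if f in last})
    out.update(FIXED)                         # defaults override copied values
    out.update({"evt": rule["name"], "msg": rule["description"], "dt": last["dt"],
                "rt2": rule["name"], "sres": rule["name"], "rv123": rule["id"]})
    return out

def evaluate_simple_rule(rule, events):
    """Fire once `count` matching events share the group-by values within `window`."""
    fired, buckets = [], {}
    for ev in sorted(events, key=lambda e: e["dt"]):
        if not rule["match"](ev):
            continue
        key = tuple(ev.get(f) for f in rule["group_by"])
        hits = [e for e in buckets.get(key, []) if ev["dt"] - e["dt"] <= rule["window"]]
        hits.append(ev)
        if len(hits) >= rule["count"]:
            fired.append(build_correlated_event(rule, hits, rule["group_by"]))
            hits = []                         # start a fresh count after firing
        buckets[key] = hits
    return fired

# Constructed sample events; "sun" (user) and "sip" (source IP) are assumed field IDs.
T0 = datetime(2014, 2, 10, 5, 21, 29)
def login(sec, user, ip, outcome="XDAS_OUT_SUCCESS"):
    return {"dt": T0 + timedelta(seconds=sec), "sun": user, "sip": ip, "sev": 2,
            "xdastaxname": "XDAS_AE_CREATE_SESSION", "xdasoutcomename": outcome}
LOGIN_RULE = {"name": "LoginUser", "id": "CC72FBA4-711D-1031-8046-005056A56C5B",
              "description": "Rule triggered for every successful login",
              "match": lambda e: e["xdasoutcomename"] == "XDAS_OUT_SUCCESS",
              "group_by": ("sun",), "count": 3, "window": timedelta(minutes=1)}
SAMPLE = [login(0, "alice", "10.0.0.5"), login(5, "bob", "10.0.0.6"),
          login(10, "alice", "10.0.0.5"), login(20, "alice", "10.0.0.7"),
          login(30, "alice", "10.0.0.5", "XDAS_OUT_FAILURE")]
```

Running `evaluate_simple_rule(LOGIN_RULE, SAMPLE)` fires once, on alice's third success, and the correlated event carries only the grouped field sun plus the defaults; sip from the trigger events is not copied, which is the trade-off to weigh before leaving Copy only group by fields selected.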

5.4.3 Creating a Sequence Rule

A sequence rule has two or more subrules that fire in sequence. You can use a sequence rule when you want the rule to fire if its subrules meet the specified criteria in the specified sequence within the defined time frame.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 5.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. (Conditional) You can group events by the distinct values of event fields or by the same values of event fields. Open the Group by drop-down list, then drag the desired event fields into the Group By Fields or Distinct Fields list, depending on how you want to group the events.

    3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    4. Specify the time frame within which the subrule should fire.

    5. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. To add additional subrules, click Subrule, then repeat Step 3 through Step 5 to specify the subrule criteria.

  7. In the Rule Type drop-down list, select Sequence rule.

  8. Specify the time frame within which the rule should fire.

  9. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Section 5.5, Associating Actions to a Rule.

  10. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 5.6, Testing a Correlation Rule.

  11. Click Save As.

  12. Specify a name for the rule and an optional description, then click Save.

  13. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 5.8, Deploying Rules in the Correlation Engine.

5.4.4 Creating a Composite Rule

A composite rule has two or more subrules that fire according to the criteria you define.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 5.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. (Conditional) You can group events by the distinct values of event fields or by the same values of event fields. Open the Group by drop-down list, then drag the desired event fields into the Group By Fields or Distinct Fields list, depending on how you want to group the events.

    3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    4. Specify the time frame within which the subrule should fire.

    5. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. Complete Step 1 through Step 5 in Section 5.4.2, Creating a Simple Rule.

  7. To add additional subrules, click Subrule, then repeat Step 3 through Step 5 to specify the subrule criteria.

  8. In the Rule Type drop-down list, select Composite rule.

  9. Select one of the following:

    • Composite Rule (AND): The rule fires if all the subrules meet the specified criteria within the defined time frame.

    • Composite Rule (OR): The rule fires if any of the subrules meets the specified criteria within the defined time frame.

  10. (Conditional) If you selected Composite Rule (OR), use the Count field to specify the number of subrules that should meet the specified criteria.

    The value in the Count field must be less than the number of subrules. For example, if there are 5 subrules and you specify the count as 3, the rule fires if 3 or more subrules meet the specified criteria.

  11. Specify the time frame within which the rule should fire.

  12. (Optional) To associate one or more actions with the rule, click the icon in the Actions panel.

    For more information on associating actions, see Section 5.5, Associating Actions to a Rule.

  13. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 5.6, Testing a Correlation Rule.

  14. Click Save As.

  15. Specify an intuitive name for the rule and an optional description, then click Save.

  16. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 5.8, Deploying Rules in the Correlation Engine.

5.4.5 Creating a Free-Form Rule

If you are familiar with the rule expression syntax, you can create correlation rules by manually specifying the rule expression. You can use free-form rules to create complex rules by using additional operators such as Window, Intersection, and Union.

  1. Launch the Correlation Rule Builder.

    For more information, see Section 5.2, Accessing the Correlation User Interface.

  2. Click Create.

  3. In the subrule window, click to switch to the free-form view.

  4. Specify the criteria for the rule.

    As you type the rule expression, the Free-form editor validates the rule expression syntax and indicates errors if the syntax is wrong.

    For more information on the rule expression syntax, see Section B.0, Correlation Rule Expression Syntax.

  5. (Optional) Click to view the rule in a structured format.

    Free-form expressions that include the Window operator or a combination of AND and OR operators are not supported in the structured view.

  6. (Optional) To associate one or more actions with the rule, click the icon in the Actions panel.

    For more information on associating actions, see Section 5.5, Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 5.6, Testing a Correlation Rule.

  8. Click Save As.

  9. Specify an intuitive name for the rule and an optional description, then click Save.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 5.8, Deploying Rules in the Correlation Engine.

5.4.6 Creating Correlation Rules From Search Results

  1. In the search results panel, select the events from which you want to create a Correlation rule.

  2. In the Events Operations drop-down list, select one of the following:

    • Add to correlation rule: Adds the selected events to an existing rule.

    • Create correlation rule: Creates a new rule with the selected events.

  3. (Conditional) If you selected Create correlation rule, the Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder. Skip to Step 5.

  4. (Conditional) If you selected Add to correlation rule, the Add events to an existing rule window is displayed, listing the rules in the system.

    Select a rule, then click OK.

    The Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder.

  5. From the event list, drag the attributes that you want to add to the rule to the Subrule window.

  6. (Optional) To associate one or more actions with the rule, click the icon in the Actions panel.

    For more information on associating actions, see Section 5.5, Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Section 5.6, Testing a Correlation Rule.

  8. Click Save As.

  9. Specify an intuitive name for the rule and an optional description, then click Save.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Section 5.8, Deploying Rules in the Correlation Engine.