5.8 Viewing Correlated Events

Correlated events contain detailed information about the trigger events. To view correlated events, perform the following:

  1. Log in to the Sentinel Main or SSDM Main interface.

  2. In the navigation panel, click Correlation.

  3. In the Correlation panel, select any rule, then click .

    The events that match the rule criteria are displayed in the search results panel. The correlated events are displayed with the icon.

  4. (Optional) Click to see the correlated event fields and their values. For more information, see Table 5-3.

    You can use the event field IDs to build search queries that find specific correlated events. For example, to find the correlated events generated by the correlation rule LoginUser, specify the following query in the Search field:

    st:C AND rt2:LoginUser

    For more information about searching for events, see Searching Events Indexed in Traditional Storage.

  5. (Optional) Click View triggers to view the events that generated the correlated event.