5.6 Sample Correlation Rules

This section provides a few examples on how you can create correlation rules. For more examples, see Section B.0, Correlation Rule Expression Syntax.

5.6.1 Detecting Critical Events from an Intrusion Detection System

This example identifies critical events from an intrusion detection system and sends an e-mail to the Administrator.

  • Launch the Correlation Rule Builder. In the Correlation panel, click Create.

  • In the Subrule window, click Create a new expression.

  • Specify that the events must be from an intrusion detection system (IDS):

    • In the Expression Builder > Event Fields, select ObserverCategory.

    • Ensure that the “=” operator is selected.

    • In the Value field, specify IDS, then click OK.

  • Identify critical events:

    • Add another expression. In the Subrule window, click Create a new expression.

    • In the Expression Builder > Event Fields, select Severity.

    • Select >= as the operator.

    • In the Value field, select 4, then click OK.

  • If events are found, send an e-mail to the administrator:

    • In the Actions panel, click to associate the action with the rule.

    • Select Send E-mail.

    • Click to update the action execution criteria.

    • Select Perform actions everytime the rule fires, then click OK.

  • Click Save Rule.

  • Deploy the rule in the Correlation Engine.

    For more information, see Deploying Rules in the Correlation Engine.

  • Search events that match the rule criteria.

    For more information, see Viewing Correlated Events.

5.6.2 Detecting a Spreading Attack

This example creates a Correlation rule that indicates whether the source of an attack was previously the destination of an attack (within 15 minutes.) Because this involves comparing a current event set with a past event set, it uses the window operation.

  • In the Subrule window, click to switch to the free-form editor.

  • Specify the expression as follows:

    filter(e.TaxonomyLevel1="Attack") flow window(w.dip=e.sip, filter(e.rv51="Attack"), 15m)

  • Click Save Rule.

  • Deploy the rule in the Correlation Engine.

    For more information, see Deploying Rules in the Correlation Engine.

  • Search events that match the rule criteria.

    For more information, see Viewing Correlated Events.

5.6.3 Detecting an Attack that Came from Outside the Firewall

This example creates a Correlation rule that checks whether an intrusion detection system attack event seen inside your network came through your firewall in the last 10 seconds.

  • In the Subrule window, click to switch to the free-form editor.

  • Specify the expression as follows:

    filter(e.TaxonomyLevel1="Attack") flow window(w.dip=e.sip, filter(e.rv32="FW"), 10)

  • Click Save Rule.

  • Deploy the rule in the Correlation Engine.

    For more information, see Deploying Rules in the Correlation Engine.

  • Search events that match the rule criteria.

    For more information, see Viewing Correlated Events.