Several new functions were added in Sentinel 6.0 to widen the use of Correlation, meet user requirements, and improve ease of use.
Gate Operation: This is new in 6.0.
Sequence Operation: This is new in 6.0.
Inlist Operator and Dynamic Lists: These are new in 6.0.
Isnull Operator: This is new in 6.0. To test for metatag values equal to null, Sentinel 5.x supported the following syntax, which is replaced by the ISNULL operator in Sentinel 6.0:
e.SIP=" "
Update Window: This is new in Sentinel 6.0.
Sentinel 6.0 merges the C (Correlated Events) and W (watchlist events) SensorTypes. All events generated by the Correlation Engine are now labeled C in the SensorType field.
Correlation Actions and Correlation Rules: Correlation Actions and Correlation Rules are decoupled in Sentinel 6.0.
Although the filter operation supported AND and OR Boolean expressions in Sentinel 5.x, the window operation supports Boolean expressions for the first time in Sentinel 6.0. For example:
OR: window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2), 60)
AND: window(e.evt=w.evt AND e.sun=w.sun, filter(e.sev>2), 60)
Sentinel 6.0 no longer has the GUI option to create a rule from a PUBLIC filter. The filter criteria must be defined in the correlation wizard or language.
The update behaviour for a rule that triggers more than once is configurable in Sentinel 6.0. In Sentinel 5.1.3, updates to a rule were based on a sliding window over the trigger time period. In Sentinel 6.0, the update behaviour is set when the rule is deployed: the rule actions can occur every time the rule is triggered, or they can occur once and then wait for a configured period before the action occurs again. This prevents multiple notifications for a single, ongoing event.
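As an added illustration (Python written for this page, not Sentinel code or its rule language), the following models the window operation from the OR example above together with the configurable update window described here. It assumes that events passing the filter are the ones stored in the window and that each incoming event is compared against those stored events; the sample events are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Event:
    ts: int    # event time in seconds
    sip: str   # source IP (e.sip)
    dip: str   # destination IP (e.dip)
    sev: int   # severity (e.sev)

@dataclass
class WindowRule:
    """Model of window(match, filter, duration) plus an update window. Assumption:
    events passing `filt` are stored for `duration` seconds and compared via `match`."""
    match: Callable[[Event, Event], bool]
    filt: Callable[[Event], bool]
    duration: int
    update_window: int = 0          # 0 = act on every trigger
    _past: List[Event] = field(default_factory=list)
    _last_action: Optional[int] = None

    def process(self, e: Event) -> bool:
        """Return True when the rule's action should run for event e."""
        # Expire stored events that fell outside the window
        self._past = [w for w in self._past if e.ts - w.ts <= self.duration]
        triggered = any(self.match(e, w) for w in self._past)
        if self.filt(e):
            self._past.append(e)
        if not triggered:
            return False
        # Update window: suppress repeat actions for an ongoing condition
        if (self.update_window and self._last_action is not None
                and e.ts - self._last_action < self.update_window):
            return False
        self._last_action = e.ts
        return True

def run(update_window: int = 0) -> List[int]:
    """Feed constructed events through window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2), 60)."""
    rule = WindowRule(match=lambda e, w: e.dip == w.dip or e.sip == w.sip,
                      filt=lambda e: e.sev > 2, duration=60,
                      update_window=update_window)
    events = [                                   # constructed sample data
        Event(0, "10.0.0.5", "10.0.1.9", 3),     # stored: sev > 2
        Event(10, "10.0.0.6", "10.0.1.9", 1),    # same dip -> trigger
        Event(20, "10.0.0.5", "10.0.1.7", 1),    # same sip -> trigger
        Event(45, "10.0.0.5", "10.0.1.2", 1),    # same sip -> trigger
        Event(100, "10.0.0.6", "10.0.1.9", 4),   # first event expired, no match
    ]
    return [e.ts for e in events if rule.process(e)]
```

With `update_window=0` the action runs at 10, 20 and 45; with `update_window=30` the trigger at 20 is suppressed and the action runs again only at 45.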
The in, not in, and difference operators are deprecated in Sentinel 6.0. Correlation rules using these operators must be modified before running them in Sentinel 6.0.
The e.all metatag has been deprecated. Correlation rules using this metatag should be updated to use specific short tags before running them in Sentinel 6.0.