3.3 Correlation Rules

Correlation Rules are created, modified, renamed, and deployed or undeployed in the Correlation Rule Manager. Correlation Rules are organized into Rule Folders, which are also managed in the Correlation Rule Manager.

NOTE: There is no limit to the number of users that can access Correlation Rules. When more than one user edits the same rule, the last person to save overwrites all previous saves.

3.3.1 Opening the Correlation Rule Manager

To open the Correlation Rules Manager:

  1. Click the Correlation tab.

  2. In the navigator, click Correlation Rules Manager. Alternatively, click the Correlation Rules Manager button in the Tool Bar. The Correlation Rule Manager window displays.

3.3.2 Creating a Rule Folder

To create a Rule Folder:

  1. Open the Correlation Rules Manager window and click Manage Folder.

  2. Highlight and right-click a folder and select Add Folder.

  3. Specify Rule Folder name.

3.3.3 Renaming a Rule Folder

To rename a Rule Folder:

  1. Open the Correlation Rules Manager window and click Manage Folder.

  2. Select a folder and click Rename. Change the name of the folder.

To delete a Rule Folder:

  1. Open the Correlation Rules Manager window and click Manage Folder.

  2. Select a folder and click Delete. Click Yes when the system asks for confirmation.

3.3.4 Creating a Correlation Rule

To create a Correlation Rule:

  1. Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.

  2. Click the Add button located on the top left corner of the screen.

  3. The Rule Wizard displays. Select one of the following rule types and follow the steps for that particular rule type:

    • Simple

    • Composite

    • Aggregate

    • Sequence

    • Custom/Freeform

  4. Define the update criteria for the rule. If you select Continue to perform actions every time this rule fires, the rule fires every time the criteria are met. If you select Do not perform actions every time this rule fires for the next (t) time, the rule fires only once per user-defined time period; all other events that match the correlation rule within that time are grouped together with this correlated event. This user-defined time period can be a certain number of seconds, minutes, or hours.

  5. Click Next.

  6. Provide the rule name. The syntax of the rule is checked at the time it is created.

  7. Under Namespace, select a correlation rule folder in which to store the rule.

  8. Type the description of the rule.

  9. Click Next. The rule is created and displays in the Correlation Rules Manager window.

  10. Select Yes if you want to create another rule or No if you do not want to create another rule. Click Next.

The rule types and the steps to create them are described below.

3.3.5 Creating Correlation Rules

Correlation rules can be defined in the Correlation Rule wizard by walking through the wizard or by choosing the Custom/Freeform option to write the rule in the proprietary RuleLG language. All rule definitions are stored in the database in RuleLG.

Correlation rules can be defined based on any populated event field.

NOTE: When creating a Rule, you can refer to a dynamic list in it. For more information, see Section 3.4.5, Using a Dynamic List in a Correlation Rule.

Simple Rule

A simple rule is defined by specifying which events can trigger the rule to fire (for example, firewall events, or firewall events of severity 3 or higher). The filter criteria can be intersected (using the “all” option in the GUI or the “AND” operator in RuleLG) or unioned (using the “any” option in the GUI or the “OR” operator in RuleLG).

For example, a rule might be defined so that it fires anytime an event takes place on a server that is on the critical list. Another rule might be defined to fire anytime an event of severity 4 or greater takes place on a server that is on the critical list.

A simple rule requires only one event in order to fire.

NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for a simple rule is the “filter” operator. For more information about RuleLG, see Sentinel Correlation Engine RuleLG Language in the Sentinel 6.1 Reference Guide.

NOTE: In Sentinel 6, filter criteria must be defined in the correlation rule wizard. You cannot use existing public filters.

To create a simple rule:

  1. Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.

  2. Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Simple Rule.

  3. In the Simple Rule window, define a condition for this rule. Select the Property and Operator values from the drop-down lists and specify the data in the Value field.

  4. Click Add to add additional definitions for this rule.

  5. You can preview the rule in the RuleLG preview window, for example, filter(e.sev=3). Click Next. The Update Criteria window displays.

  6. Enable the update criteria for the rule to fire and click Next. The General Description window displays.

  7. Provide a name to this rule. You have an option to modify the rule folder.

  8. Provide rule description and click Next.

  9. You have an option to create another rule from this wizard. Select your option and click Next.
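As an added worked example (not Sentinel code, and not RuleLG, which is not parsed here), the following Python models the simple rule described above together with the two update-criteria options of step 4 in Section 3.3.4 and the default correlated event of Table 3-2 in Section 3.3.6. The event field names (ts, sev, evt, msg, dip), the critical-server set, the rule name and the sample events are all constructed for the example and are not Sentinel identifiers.

```python
"""Simple correlation rule with update criteria and a default correlated event.
Added example modelled on the Sentinel description; not Sentinel code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Constructed stand-in for the "critical list" of servers mentioned in the text.
CRITICAL_SERVERS = {"10.0.0.5", "10.0.0.6"}


def all_of(*preds: Predicate) -> Predicate:
    """GUI "all" / RuleLG AND: every condition must hold."""
    return lambda e: all(p(e) for p in preds)


def any_of(*preds: Predicate) -> Predicate:
    """GUI "any" / RuleLG OR: at least one condition must hold."""
    return lambda e: any(p(e) for p in preds)


@dataclass
class CorrelatedEvent:
    """Correlated event built with the Table 3-2 defaults (no action configured)."""
    severity: int
    event_name: str
    message: str
    resource: str
    subresource: str
    trigger: Event
    grouped: List[Event] = field(default_factory=list)  # later matches inside (t)


@dataclass
class SimpleRule:
    name: str
    condition: Predicate
    # None  -> "Continue to perform actions every time this rule fires"
    # float -> "Do not perform actions every time this rule fires for the next (t)", in seconds
    suppress_seconds: Optional[float] = None
    _last: Optional[CorrelatedEvent] = None

    def process(self, e: Event) -> Optional[CorrelatedEvent]:
        """Return a new CorrelatedEvent when the rule fires, else None."""
        if not self.condition(e):
            return None
        if (self.suppress_seconds is not None and self._last is not None
                and e["ts"] - self._last.trigger["ts"] < self.suppress_seconds):
            # Still inside the update window: group with the earlier correlated event.
            self._last.grouped.append(e)
            return None
        ce = CorrelatedEvent(
            severity=4,             # Table 3-2 default severity
            event_name=e["evt"],    # same as the trigger event
            message=e["msg"],       # same as the trigger event
            resource="Correlation",
            subresource=self.name,  # <Rule Name>
            trigger=e,
        )
        self._last = ce
        return ce


# Constructed sample events; ts is seconds from the start of the stream.
EVENTS: List[Event] = [
    {"ts": 0,  "sev": 5, "evt": "FW-Deny",  "msg": "deny tcp",  "dip": "10.0.0.5"},
    {"ts": 10, "sev": 2, "evt": "FW-Allow", "msg": "allow tcp", "dip": "10.0.0.5"},  # severity too low
    {"ts": 20, "sev": 4, "evt": "FW-Deny",  "msg": "deny udp",  "dip": "10.0.0.5"},
    {"ts": 70, "sev": 4, "evt": "FW-Deny",  "msg": "deny tcp",  "dip": "10.0.0.9"},  # not a critical server
    {"ts": 80, "sev": 5, "evt": "FW-Deny",  "msg": "deny tcp",  "dip": "10.0.0.6"},
]


def run_demo(suppress_seconds: Optional[float] = 60) -> List[CorrelatedEvent]:
    """Replay EVENTS through 'severity 4 or greater on a critical server'."""
    rule = SimpleRule(
        name="CriticalServerHighSeverity",
        condition=all_of(lambda e: e["sev"] >= 4,
                         lambda e: e["dip"] in CRITICAL_SERVERS),
        suppress_seconds=suppress_seconds,
    )
    return [ce for e in EVENTS if (ce := rule.process(e)) is not None]


if __name__ == "__main__":
    for ce in run_demo():
        print(ce.subresource, "trigger ts", ce.trigger["ts"],
              "grouped ts", [g["ts"] for g in ce.grouped])
```

With a 60-second update window the rule fires at ts 0 and ts 80, and the match at ts 20 is grouped into the first correlated event; with suppress_seconds=None it fires three times. Replacing all_of with any_of gives the GUI "any" behaviour.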

Aggregate Rule

An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire within a specific time window in order to trigger the aggregate rule. For example, an aggregate rule might require that a subrule fire 10 times within 5 minutes for the aggregate rule to fire.

Aggregate rules have an optional group by field, which can be any populated field from the events. For example, an aggregate rule might require that a subrule fire 10 times within 5 minutes where each of the 10 events has the same destination server.

NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for an aggregate rule is the “trigger” operator. The trigger clause might also use the “discriminator” operator to define the group by field. For more information about RuleLG, see the Sentinel Correlation Engine RuleLG Language in the Sentinel 6.1 Reference Guide.

To create an aggregate rule:

  1. Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.

  2. Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Aggregate Rule.

  3. In the Aggregate Rule window, select a sub-rule to create an aggregate rule. To select a sub-rule, click the Add Rule button. The Add Rule window displays.

    NOTE: You can select only one sub-rule when creating an aggregate rule.

  4. Select a rule and click OK.

  5. Set parameters for the rule to fire.

  6. To group event tags according to the attributes, click Add/Edit. The Attribute List window displays.

  7. Check the attributes you require. You can preview the rule in the RuleLG preview window. Click Next. The Update Criteria window displays.

  8. Update the criteria for the rule to fire and click Next. The General Description window displays.

  9. Provide a name to this rule. You have an option to modify the rule folder.

  10. Provide rule description and click Next.

  11. You have an option to create another rule from this wizard. Select your option and click Next.
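The following Python is an added example (not Sentinel code) of the aggregate-rule semantics described above: a subrule that must fire a given number of times within a time window, with an optional group by field playing the role of the RuleLG “discriminator”. The field names (ts, evt, dip), the rule name, the sample events and the decision to consume the counted events once the rule fires are all assumptions made for the example.

```python
"""Aggregate rule: N subrule fires within a window, optionally per group-by value.
Added example modelled on the Sentinel description; not Sentinel code."""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional

Event = Dict[str, object]


class AggregateRule:
    def __init__(self, name: str, subrule: Callable[[Event], bool], count: int,
                 window_seconds: float, group_by: Optional[str] = None) -> None:
        self.name = name
        self.subrule = subrule
        self.count = count
        self.window_seconds = window_seconds
        self.group_by = group_by
        # One sliding window of subrule-fire timestamps per group-by value
        # (a single window under key None when no group-by field is set).
        self._windows: Dict[object, Deque[float]] = defaultdict(deque)

    def process(self, e: Event) -> Optional[dict]:
        """Return a fire record when the count is reached inside the window, else None."""
        if not self.subrule(e):
            return None
        key = e.get(self.group_by) if self.group_by else None
        window = self._windows[key]
        window.append(e["ts"])
        # Drop subrule fires that are older than the window.
        while window and e["ts"] - window[0] > self.window_seconds:
            window.popleft()
        if len(window) < self.count:
            return None
        fired = list(window)
        window.clear()  # assumption: the counted events are consumed and not counted again
        return {"rule": self.name, "group": key, "fired_at": e["ts"], "events": fired}


# Constructed sample events: repeated authentication failures against two hosts.
EVENTS: List[Event] = [
    {"ts": 0,   "evt": "AuthFail", "dip": "10.0.0.5"},
    {"ts": 10,  "evt": "AuthFail", "dip": "10.0.0.6"},
    {"ts": 20,  "evt": "AuthFail", "dip": "10.0.0.5"},
    {"ts": 30,  "evt": "AuthFail", "dip": "10.0.0.5"},
    {"ts": 100, "evt": "AuthFail", "dip": "10.0.0.6"},
    {"ts": 110, "evt": "AuthFail", "dip": "10.0.0.6"},
    {"ts": 120, "evt": "AuthFail", "dip": "10.0.0.6"},
    {"ts": 200, "evt": "AuthFail", "dip": "10.0.0.5"},
    {"ts": 205, "evt": "AuthOK",   "dip": "10.0.0.5"},  # does not satisfy the subrule
]


def run_demo(group_by: Optional[str] = "dip") -> List[dict]:
    """Subrule 'AuthFail' must fire 3 times within 60 s, optionally per destination server."""
    rule = AggregateRule("RepeatedAuthFailure", lambda e: e["evt"] == "AuthFail",
                         count=3, window_seconds=60, group_by=group_by)
    return [r for e in EVENTS if (r := rule.process(e)) is not None]


if __name__ == "__main__":
    for r in run_demo():
        print(r["rule"], "group", r["group"], "fired at", r["fired_at"], "events", r["events"])
```

Grouped by dip, the rule fires once for 10.0.0.5 (at ts 30) and once for 10.0.0.6 (at ts 120); without a group by field the same stream fires at ts 20 and ts 120, because failures against both hosts are counted together. The failure at ts 10 never counts toward the second fire because it has aged out of the 60-second window.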

Composite Rule

A composite rule is comprised of 2 or more subrules. A composite rule can be defined so that all or a specified number of the subrules must fire within the defined timeframe. Composite rules have an optional group by field, which can be any populated field from the events.

NOTE: When a subrule is used to create a composite rule, a copy of the subrule is added to the composite rule’s definition. Because a copy is added, changes to the original subrule do not affect the composite rule.

To create a composite rule:

  1. Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.

  2. Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Composite Rule.

  3. In the Composite Rule window, select sub-rules to create a composite rule. To select a sub-rule, click the Add Rule button. The Add Rule window displays.

  4. Select a rule or a set of rules (hold down the Ctrl key on your keyboard to select a set of rules) and click OK.

  5. Set parameters for the rule to fire.

  6. To group event tags according to the attributes, click Add/Edit. The Attribute window displays.

  7. Check the attributes you require. You can preview the rule in the RuleLG preview box. Click Next. The Update Criteria window displays.

  8. Update criteria for the rule to fire and click Next.

  9. Provide a name to this rule. You have an option to modify the rule folder.

  10. Provide rule description and click Next.

  11. You have an option to create another rule from this wizard. Select your option and click Next.

Sequence

A sequence rule is comprised of 2 or more subrules that must have been triggered in a specific order within the defined timeframe. Sequence rules have an optional group by field, which can be any populated field from the events.

NOTE: When a subrule is used to create a sequence rule, a copy of the subrule is added to the sequence rule’s definition. Because a copy is added, changes to the original subrule do not affect the sequence rule.

To create a sequence rule:

  1. Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.

  2. Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Sequence Rule.

  3. In the Sequence Rule window, select a sub-rule to create a sequence rule. To select a sub-rule, click the Add Rule button. The Add Rule window displays.

  4. Select a rule and click OK.

  5. Set parameters for the rule to fire. To group event tags according to the attributes, click Add/Edit. The Attribute List window displays.

  6. Check the attributes you require. You can preview the rule in the RuleLG preview box. Click Next. The Update Criteria window displays.

  7. Update criteria for the rule to fire and click Next.

  8. Provide a name to this rule. You have an option to modify the rule folder.

  9. Provide rule description and click Next.

  10. You have an option to create another rule from this wizard. Select your option and click Next.
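The Composite Rule and Sequence sections above differ only in whether the order of the subrule fires matters. The following Python is an added example (not Sentinel code) of both semantics on one constructed event stream: the composite rule fires when all, or a required number, of the subrules have fired within the window for the same group by value, and the sequence rule only when they fire in the listed order. The field names (ts, evt, sip), the rule names, the sample events, and the handling of out-of-order events (ignored rather than resetting the sequence) are assumptions made for the example.

```python
"""Composite and sequence rules over the same subrules.
Added example modelled on the Sentinel description; not Sentinel code."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


class CompositeRule:
    """Fires when `required` of the subrules (default: all) have fired within the
    window, tracked separately per group-by value."""

    def __init__(self, name: str, subrules: List[Predicate], window_seconds: float,
                 required: Optional[int] = None, group_by: Optional[str] = None) -> None:
        self.name, self.subrules, self.window_seconds = name, subrules, window_seconds
        self.required = len(subrules) if required is None else required
        self.group_by = group_by
        # group value -> {subrule index: timestamp of that subrule's latest fire}
        self._seen: Dict[object, Dict[int, float]] = defaultdict(dict)

    def process(self, e: Event) -> Optional[dict]:
        key = e.get(self.group_by) if self.group_by else None
        seen = self._seen[key]
        hit = False
        for i, sub in enumerate(self.subrules):
            if sub(e):
                seen[i], hit = e["ts"], True
        if not hit:
            return None
        recent = sorted(i for i, ts in seen.items() if e["ts"] - ts <= self.window_seconds)
        if len(recent) < self.required:
            return None
        seen.clear()  # assumption: subrule fires are consumed once the composite fires
        return {"rule": self.name, "group": key, "fired_at": e["ts"], "subrules": recent}


class SequenceRule:
    """Fires when the subrules fire in the listed order within the window."""

    def __init__(self, name: str, subrules: List[Predicate], window_seconds: float,
                 group_by: Optional[str] = None) -> None:
        self.name, self.subrules, self.window_seconds = name, subrules, window_seconds
        self.group_by = group_by
        # group value -> (index of the next expected subrule, timestamp of the first step)
        self._state: Dict[object, Tuple[int, Optional[float]]] = {}

    def process(self, e: Event) -> Optional[dict]:
        key = e.get(self.group_by) if self.group_by else None
        nxt, start = self._state.get(key, (0, None))
        if start is not None and e["ts"] - start > self.window_seconds:
            nxt, start = 0, None  # window elapsed before the sequence completed: start over
        if self.subrules[nxt](e):
            start = e["ts"] if start is None else start
            nxt += 1
            if nxt == len(self.subrules):
                self._state.pop(key, None)
                return {"rule": self.name, "group": key, "fired_at": e["ts"], "started_at": start}
        # assumption: an event that is not the next expected step is ignored, not a reset
        if nxt == 0:
            self._state.pop(key, None)
        else:
            self._state[key] = (nxt, start)
        return None


# Constructed sample events, grouped by source address (sip).
EVENTS: List[Event] = [
    {"ts": 0,   "evt": "PortScan", "sip": "10.1.1.1"},
    {"ts": 50,  "evt": "AuthFail", "sip": "10.1.1.1"},
    {"ts": 60,  "evt": "AuthOK",   "sip": "10.1.1.2"},
    {"ts": 90,  "evt": "AuthOK",   "sip": "10.1.1.1"},
    {"ts": 400, "evt": "AuthFail", "sip": "10.1.1.2"},
    {"ts": 420, "evt": "PortScan", "sip": "10.1.1.2"},  # out of order for the sequence rule
    {"ts": 450, "evt": "AuthOK",   "sip": "10.1.1.2"},
]
SUBRULES: List[Predicate] = [lambda e: e["evt"] == "PortScan",
                             lambda e: e["evt"] == "AuthFail",
                             lambda e: e["evt"] == "AuthOK"]


def run_composite_demo(required: Optional[int] = None) -> List[dict]:
    rule = CompositeRule("ScanFailSuccess-Any", SUBRULES, 300, required, group_by="sip")
    return [r for e in EVENTS if (r := rule.process(e)) is not None]


def run_sequence_demo() -> List[dict]:
    rule = SequenceRule("ScanFailSuccess-Ordered", SUBRULES, 300, group_by="sip")
    return [r for e in EVENTS if (r := rule.process(e)) is not None]


if __name__ == "__main__":
    print("composite:", run_composite_demo())
    print("composite (any 2):", run_composite_demo(required=2))
    print("sequence:", run_sequence_demo())
```

On this stream the composite rule fires for both sources (10.1.1.1 at ts 90, 10.1.1.2 at ts 450; the AuthOK at ts 60 has aged out of the 300-second window by then), while the sequence rule fires only for 10.1.1.1, because the second source produced the steps out of order. Requiring any 2 of the 3 subrules makes the composite rule fire earlier, at ts 50 and ts 420.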

Custom or Freeform Correlation Rules

The custom or freeform rule option is the most powerful option for creating a correlation rule. This allows the user to create any of the previous types of rules by typing the RuleLG correlation rule language directly into the Correlation Rule Wizard.

Freeform rules are the only way to include certain functionality in a correlation rule. Freeform rules give you the ability to do the following:

  • Nest operations using parentheses (to specify order of operations)

  • Use the inlist operator to refer to a dynamic list

  • Use the isnull operator to refer to unpopulated fields

  • Use the w. prefix for a field name in the window operation to compare an incoming event’s value to a set of previous events

HINT: You can select the Functions, Operators and Meta-Tags from the drop-down list selection. Type e. or w. in the Correlation Rule section to view the drop-down lists.
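The following Python is an added example (not Sentinel code, and not RuleLG syntax) of the three freeform-only capabilities listed above, modelled as predicates: inlist against a dynamic list, isnull for an unpopulated field, and a w.-style comparison of the incoming event against the previous events held in a time window. It also updates a dynamic list when the rule fires, in the way the Add to Dynamic List action of Section 3.3.6 does. The list names, field names (ts, sip, dip, user), sample events and the assumption that every incoming event enters the window are constructed for the example.

```python
"""Freeform rule building blocks: inlist, isnull and a w.-style window comparison.
Added example modelled on the Sentinel description; not Sentinel code."""
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Set

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


class DynamicList:
    """Named, mutable membership set: the inlist operator tests membership and the
    Add to / Remove from Dynamic List actions change it."""

    def __init__(self, name: str, members: Optional[Set[object]] = None) -> None:
        self.name = name
        self.members: Set[object] = set(members or ())

    def add(self, value: object) -> None:
        self.members.add(value)

    def remove(self, value: object) -> None:
        self.members.discard(value)

    def __contains__(self, value: object) -> bool:
        return value in self.members


def inlist(field: str, dlist: DynamicList) -> Predicate:
    """inlist: the event field's value is a member of the dynamic list."""
    return lambda e: e.get(field) in dlist


def isnull(field: str) -> Predicate:
    """isnull: the event field is not populated."""
    return lambda e: e.get(field) is None


def not_(p: Predicate) -> Predicate:
    return lambda e: not p(e)


def all_of(*preds: Predicate) -> Predicate:
    return lambda e: all(p(e) for p in preds)


class EventWindow:
    """Previous events inside a time window, for w.-style comparisons.
    Assumption: every incoming event is observed, whether or not a rule matched it."""

    def __init__(self, window_seconds: float) -> None:
        self.window_seconds = window_seconds
        self._events: Deque[Event] = deque()

    def _prune(self, now: float) -> None:
        while self._events and now - self._events[0]["ts"] > self.window_seconds:
            self._events.popleft()

    def observe(self, e: Event) -> None:
        self._prune(e["ts"])
        self._events.append(e)

    def any_previous(self, compare: Callable[[Event, Event], bool]) -> Predicate:
        """Predicate: compare(incoming e, previous w) holds for at least one w in the window."""
        def pred(e: Event) -> bool:
            self._prune(e["ts"])
            return any(compare(e, w) for w in self._events)
        return pred


# Constructed sample events (ts in seconds; user is unpopulated in one of them).
EVENTS: List[Event] = [
    {"ts": 0,   "sip": "10.1.1.1", "dip": "10.0.0.5", "user": "alice"},
    {"ts": 30,  "sip": "10.1.1.1", "dip": "10.0.0.6", "user": "alice"},
    {"ts": 40,  "sip": "10.1.1.2", "dip": "10.0.0.5", "user": None},
    {"ts": 200, "sip": "10.1.1.1", "dip": "10.0.0.5", "user": "alice"},
    {"ts": 210, "sip": "10.1.1.1", "dip": "10.0.0.6", "user": "bob"},
    {"ts": 220, "sip": "10.1.1.3", "dip": "10.9.9.9", "user": "carol"},
]


def run_demo() -> dict:
    """Informally: e.dip is in CriticalServers, e.user is populated, and within the
    last 120 s the same e.sip was seen against a different destination (w.dip)."""
    critical = DynamicList("CriticalServers", {"10.0.0.5", "10.0.0.6"})
    suspicious = DynamicList("SuspiciousSources")
    window = EventWindow(120)
    rule = all_of(
        inlist("dip", critical),
        not_(isnull("user")),
        window.any_previous(lambda e, w: e["sip"] == w["sip"] and e["dip"] != w["dip"]),
    )
    fired: List[float] = []
    for e in EVENTS:
        if rule(e):
            fired.append(e["ts"])
            suspicious.add(e["sip"])  # the "Add to Dynamic List" action of a deployed rule
        window.observe(e)
    return {"fired": fired, "suspicious": sorted(suspicious.members)}


if __name__ == "__main__":
    print(run_demo())
```

The rule fires at ts 30 and ts 210: the event at ts 40 fails the isnull check, the one at ts 200 has no earlier event from the same source left inside the 120-second window, and the one at ts 220 is not against a listed server. After the run, the SuspiciousSources dynamic list holds the single source that triggered the rule, so a second rule using inlist on that list would match its later events.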

To create a custom or freeform rule:

  1. Open the Correlation Rules Manager window and, from the Folder drop-down list, select the folder to which this rule is added.

  2. Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Custom/Freeform Rule.

  3. In the Custom/Freeform Rule window, write the condition for the rule and click Validate to test the validity of the rule.

  4. After validation of the rule, click Next. The Update Criteria window displays.

    Update the criteria for the rule to fire and click Next.

  5. Provide a name to this rule. You have an option to modify the rule folder.

  6. Provide rule description and click Next.

  7. You have an option to create another rule from this wizard. Select your option and click Next.

3.3.6 Deploying/Undeploying Correlation Rules

Correlation rules can be deployed or undeployed from the Correlation Engine Manager or the Correlation Rule Manager. You can undeploy all rules or a single rule.

The rules can be associated with one or more actions. If no action is selected, a default Correlated Event is generated with the following values:

Table 3-2 Default Correlated Event Details

  Field Name    Default Values
  Severity      4
  Event Name    Same as the event name for the trigger event
  Message       Same as the message for the trigger event
  Resource      Correlation
  SubResource   <Rule Name>

Other types of actions can be configured in the Action Manager:

  • Configure a Correlated Event (replaces the default correlated event settings)

  • Add to Dynamic List (adds an element to a dynamic list)

  • Remove from Dynamic List (removes an element from a dynamic list)

  • Execute a Command (executes a shell or batch script)

  • Execute a Script (executes a script; only available for actions created in Sentinel 6.0)

  • Send an Email (using default Sentinel mail settings)

  • Create an Incident (creates a Sentinel incident)

  • Any Action configured in the Action Manager that was created from an Action plugin that takes a Correlated Event as input. For more information on the Action Manager, see Section 16.0, Actions and Integrator.

To deploy Correlation Rules (in Correlation Engine Manager):

  1. Open the Correlation Engine Manager window.

  2. Highlight and right-click the engine you want to deploy the rule on and select Deploy Rule.

  3. In the Rules tab, select the rule or rules you want to deploy.

  4. In the Actions tab, select the action or actions you want to associate with the rule.

  5. Click Deploy. Rules are deployed in an enabled state.

To deploy Correlation Rules (in Correlation Rule Manager):

  1. Open the Correlation Rule Manager window.

  2. Highlight a rule and click the Deploy rules link. The Deploy Rule window displays.

  3. In the Deploy Rule window, select the Engine to deploy the rule from the drop-down list.

  4. [Optional] Select an action or add a new action.

    If nothing is selected, a Correlated Event with default values is created.

    Click Deploy.

To Undeploy a Single Rule:

  1. In the Correlation Engine Manager, right-click the rule and select Undeploy Rule.

  2. Alternatively, in the Correlation Rule Manager, highlight the rule and click the Undeploy rule link.

To Undeploy All Correlation Rules:

  1. Open the Correlation Engine Manager window.

  2. Right-click the Correlation Engine and select Undeploy All Rules.

3.3.7 Enabling/Disabling Rules

To Enable/Disable Rule:

  1. Open the Correlation Engine Manager window.

  2. Highlight and right-click the rule or set of rules and select Enable Rule or Disable Rule.

3.3.8 Renaming and Deleting a Correlation Rule

To rename a Correlation Rule:

NOTE: You must undeploy a rule before you rename or delete the rule.

  1. Open the Correlation Rules Manager window and select the rule you want to rename.

  2. If the rule is deployed, click the Undeploy Rule link to undeploy the rule.

  3. Click the View/Edit link. In the General Description tab, change the name of the Correlation Rule.

  4. Click OK.

To delete a Correlation Rule:

  1. Open the Correlation Rules Manager window and select the rule you want to delete.

  2. If the rule is deployed, click the Undeploy Rule link to undeploy the rule.

  3. Click Delete link. Click Yes when the system prompts for confirmation.

3.3.9 Moving a Correlation Rule

To move a Correlation Rule:

  1. Open the Correlation Rules Manager window and click Manage Folder.

  2. Click and drag a correlation rule from one folder to another.

3.3.10 Importing a Correlation Rule

To Import a Correlation Rule:

  1. Open the Correlation Rules Manager window and click the Import/Export Correlation Rule icon.

    The Import Export Rule window displays.

  2. Select the Import option from the Action pane. The Description in the Description pane changes to Import.

  3. Click Browse to select the Correlation Rule you want to import. Select the file and click Import. Click Next. The Import Rule window displays.

  4. Select the folder you want to import the Correlation rule into. Click Finish.

    NOTE: When importing a correlation rule into a folder, if a correlation rule with the same name already exists there, the system displays a message and does not import the file.

    IMPORTANT: If you import a correlation rule that uses the inlist operator, the dynamic list referenced by that rule must already exist, or you must create a dynamic list with the same name on the system to which the rule is imported.

3.3.11 Exporting a Correlation Rule

To Export a Correlation Rule:

  1. Open the Correlation Rules Manager window and click the Import/Export Correlation Rule icon. The Import Export Rule window displays.

  2. Select the Export option from the Action pane. The Description in the Description pane changes to Export.

  3. Click Browse to export the rule. Specify a file name and click Export. Click Next. The Export Rule window displays.

  4. Select the Correlation Rule you want to export. Click Finish.