14.5 Administrators


This section is about administrator actions.

14.5.1 Simple Correlation

Correlation is the process of analyzing security events to identify potential relationships between two or more events. Correlation allows quick association of priority attacks based on common elements of event data.

The following example is written for the Data Generator Connector that comes installed in Sentinel as a test event generator.

NOTE: Anytime the Data Generator Connector is running, it will be putting data into your database. Having a correlation rule fire that is associated with the Data Generator Connector will add additional data to your database.

To Create a Simple Correlation Rule:

  1. Click the Correlation tab and highlight Correlation Rule Manager in the navigation bar.

  2. In the Correlation Rule Manager window, click Add.

  3. Click Simple to create a simple rule.

  4. Select Fire if All (in the drop-down menu).

  5. Specify the following:

    • SourcePort = 10025

    • DestinationPort = 25

    Click Next.

  6. To have this rule fire as many times as possible, select Continue to perform actions every time this fires.

    Click Next.

  7. In the General Description window, specify a name. A name and description that indicate this is a tutorial rule and is not relevant to the network are recommended.

    Click Next.

  8. Select the option not to create another rule, and click Next.

To Deploy the Simple Correlation Rule:

  1. Click the Correlation tab and highlight Correlation Rule Manager in the navigation bar.

  2. Click Tutorial_SourcePort_DestinationPort (this is the name of the rule from the previous example) > Deploy Rule.

  3. (optional) In the Deploy Rule window, you can add an action. This allows you to:

    • Configure Correlated Event

    • Add to Dynamic List

    • Remove from Dynamic List

    • Execute a Command

    • Send Email

    • Create Incident

    Click Next. A deployed rule is indicated by the color green.

To View What Events Triggered Your Correlated Event:

  1. Right-click the correlated event and select View Trigger Events to see how many events (could be more than 1) triggered this correlation rule.
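To make the semantics of the three procedures above concrete (a simple rule with "Fire if All" matching on SourcePort and DestinationPort, the "continue to perform actions every time this fires" option, an action attached at deployment, and the trigger events behind each correlated event), here is an added example in Python. It is not Sentinel code and not part of the original tutorial: the event field names, the rule and correlated-event classes, the `correlate` function and the sample events are all constructed for this illustration.

```python
"""Minimal illustration of simple correlation (added example, not Sentinel code).

The field names (SourcePort, DestinationPort, SourceIP), the 'fire if all' /
'fire if any' semantics and the sample events below are assumptions made for
this example only.
"""

from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]


@dataclass
class SimpleRule:
    name: str
    conditions: Dict[str, Any]            # field name -> value it must equal
    fire_if_all: bool = True              # True: every condition must match; False: any one
    continue_firing: bool = True          # fire on every matching event, or only on the first
    actions: List[Callable[[Event], None]] = field(default_factory=list)
    has_fired: bool = False

    def matches(self, event: Event) -> bool:
        hits = [event.get(k) == v for k, v in self.conditions.items()]
        return all(hits) if self.fire_if_all else any(hits)


@dataclass
class CorrelatedEvent:
    rule_name: str
    trigger_events: List[Event]           # what "View Trigger Events" would show


def correlate(rule: SimpleRule, events: List[Event]) -> List[CorrelatedEvent]:
    """Evaluate one rule over a stream of events; return the correlated events it fired."""
    fired: List[CorrelatedEvent] = []
    for ev in events:
        if not rule.matches(ev):
            continue
        if rule.has_fired and not rule.continue_firing:
            continue                      # rule configured to fire only once
        rule.has_fired = True
        for action in rule.actions:       # actions added in the Deploy Rule window
            action(ev)
        fired.append(CorrelatedEvent(rule.name, [ev]))
    return fired


# Constructed sample events; not real Data Generator Connector output.
SAMPLE_EVENTS: List[Event] = [
    {"SourcePort": 10025, "DestinationPort": 25, "SourceIP": "10.0.0.5"},
    {"SourcePort": 10025, "DestinationPort": 80, "SourceIP": "10.0.0.5"},
    {"SourcePort": 10025, "DestinationPort": 25, "SourceIP": "10.0.0.9"},
    {"SourcePort": 44321, "DestinationPort": 25, "SourceIP": "10.0.0.7"},
]


def run_tutorial_rule(continue_firing: bool = True, fire_if_all: bool = True):
    """Build the tutorial rule, run it over the sample events, return (fired, incidents)."""
    incidents: List[str] = []
    rule = SimpleRule(
        name="Tutorial_SourcePort_DestinationPort",
        conditions={"SourcePort": 10025, "DestinationPort": 25},
        fire_if_all=fire_if_all,
        continue_firing=continue_firing,
        # Stand-in for the "Create Incident" action: record the offending source.
        actions=[lambda ev: incidents.append(ev["SourceIP"])],
    )
    return correlate(rule, SAMPLE_EVENTS), incidents


if __name__ == "__main__":
    fired, incidents = run_tutorial_rule()
    for ce in fired:
        print(ce.rule_name, "triggered by", ce.trigger_events)
    print("incidents:", incidents)
```

With the defaults, the rule fires twice (events 1 and 3 match both conditions); with `continue_firing=False` it fires only on the first match, and with `fire_if_all=False` ("Fire if Any") every sample event matches at least one condition, which is why the tutorial rule combines both ports.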