The Sentinel Correlation Engine runs rules that are written in the Correlation RuleLg language. Rules are created in the Sentinel Control Center. Users can create rules using a wizard for the following rule types:
Simple Rule
Composite Rule
Aggregate Rule
Sequence Rule
These rules are converted to the Correlation RuleLg language when the rules are saved. The same rule types, plus even more complex rules, can be created in the Sentinel Control Center using the Custom/Freeform option. To use the Custom/Freeform option, the user must have a good understanding of the Correlation RuleLg language.
RuleLg uses several operations, operators, and event field short tags to define a rule. The Correlation Engine loads the rule definition and uses it to evaluate and filter incoming events, keeping in memory those that meet the criteria the rule specifies. Depending on the rule definition, a correlation rule might fire based on:
the value of one field or multiple fields
the comparison of an incoming event to past events
the number of occurrences of similar events within a defined time period
one or more subrules firing
one or more subrules firing in a particular order
Each of these constructs is represented by an operation in RuleLg.
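To make the constructs above concrete, here is a small in-memory model of a correlation engine written for this page; it is an added example, not Sentinel's code and not RuleLg syntax. The rule classes are named after the wizard's rule types, the event records and the event field names (`ts`, `sip`, `name`) are constructed, and the firing semantics (one firing per burst, per-key sequence tracking) are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the page): ts in seconds, sip = source IP.
EVENTS = [
    {"ts": 0,   "sip": "10.0.0.5", "name": "LoginFailed"},
    {"ts": 5,   "sip": "10.0.0.5", "name": "LoginFailed"},
    {"ts": 9,   "sip": "10.0.0.9", "name": "LoginFailed"},
    {"ts": 12,  "sip": "10.0.0.5", "name": "LoginFailed"},
    {"ts": 20,  "sip": "10.0.0.5", "name": "LoginSuccess"},
    {"ts": 200, "sip": "10.0.0.9", "name": "LoginFailed"},
]

class Simple:                 # simple rule: fires on the field values of one incoming event
    def __init__(self, pred): self.pred = pred
    def feed(self, e): return self.pred(e)

class Aggregate:              # aggregate rule: `count` matching events sharing a key within `window` s
    def __init__(self, pred, count, window, key):
        self.pred, self.count, self.window, self.key = pred, count, window, key
        self.seen = defaultdict(deque)          # key -> timestamps of matching events held in memory
    def feed(self, e):
        if not self.pred(e):
            return False
        q = self.seen[self.key(e)]
        q.append(e["ts"])
        while e["ts"] - q[0] > self.window:     # expire events that fell out of the time window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                           # fire once per burst, then start counting again
            return True
        return False

class Sequence:               # sequence rule: subrules must fire in order for one key within `window` s
    def __init__(self, subrules, window, key):
        self.subrules, self.window, self.key = subrules, window, key
        self.progress = {}                      # key -> (index of next subrule, ts of first firing)
    def feed(self, e):
        k = self.key(e)
        idx, start = self.progress.get(k, (0, None))
        if start is not None and e["ts"] - start > self.window:
            idx, start = 0, None                # partial sequence timed out: start over
        if self.subrules[idx].feed(e):          # only the subrule that is next in order sees the event
            start = e["ts"] if start is None else start
            idx += 1
            if idx == len(self.subrules):
                self.progress.pop(k, None)
                return True
        self.progress[k] = (idx, start)
        return False

def run(rule, events):        # feed events in timestamp order; return the timestamps at which the rule fired
    return [e["ts"] for e in events if rule.feed(e)]
```

With the sample events, `Aggregate(lambda e: e["name"] == "LoginFailed", 3, 60, lambda e: e["sip"])` fires once at ts 12, and a `Sequence` of that aggregate followed by `Simple(lambda e: e["name"] == "LoginSuccess")` fires at ts 20.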