3.3 Event Operations

Event operations evaluate, compare, and count events. They include the following operations:

Each operation works on a set of events, receiving a set of events as input and returning a set of events as output. The current event processed by a rule often has a special meaning for the semantics of the language. The current event is always part of the set of events in and out of an operation unless the set is empty. If the input set of an operation is empty, then the operation is not evaluated.

3.3.1 Filter Operation

Filter consists of a Boolean expression that evaluates the current event from the real-time event stream. It compares event attributes to user-specified values using a wide set of operators.

The Boolean expression is a composite of comparison and match instructions.

The syntax for filter is:

Filter <Boolean expression 1> [NOT|AND|OR <Boolean expression 2>] […] [NOT|AND|OR <Boolean expression n>]

Where

<Boolean expressions 1…n> are expressions using one or more event field names and filter operators.

For example, this rule detects whether the current event has a severity of 4 and the resource event field contains either “FW” or “Comm.”

filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))

Boolean Operators

Filter expressions can be combined using the Boolean operators AND, OR and NOT. The filter Boolean operator precedence (from highest [top] to lowest [bottom] precedence) is:

Table 3-1 Boolean Operators

Operator   Meaning       Operator Type   Associativity
Not        logical not   unary           None
And        logical and   binary          left to right
Or         logical or    binary          left to right

In addition to Boolean operators, filter supports the following operators.

Standard Arithmetic Operators

Standard arithmetic operators can be used to build a condition that compares the value of a Sentinel metatag and a user-specified value (either a numeric value or a string field). The standard arithmetic operators in Sentinel are =, <, >, !=, <=, and >=.

Examples:

filter(e.Severity > 3)
filter(e.BeginTime < 1179217665)
filter(e.SourceUserName != "Administrator")

Match Regex Operators

The match regex operator can be used to build a condition where the value of a metatag matches a user-specified regular expression value specified in the rule. This operator is used only for string tags, and the user-specified values for this operator are case-sensitive.

Examples:

filter(e.Collector match regex ("IBM"))
filter(e.EventName match regex ("Attack"))

Match Subnet Operators

The match subnet operator can be used to build a condition where the value of a metatag matches a user-specified subnet specified in the rule in CIDR notation. This operator is used only for IP address fields.

Example:

filter(e.DestinationIP match subnet (10.0.0.1/22))

Inlist Operator

The inlist operator is used to perform a lookup on an existing dynamic list of string values, returning true if the value is present in the list. For more information on Dynamic Lists, see Correlation Tab in Sentinel 6.1 Rapid Deployment User Guide.

For example, this filter expression is used to evaluate whether the Source IP of the current event is present on a dynamic list called MailServerList. If the Source IP is present in this list, the expression evaluates to TRUE.

filter(e.sip inlist MailServerList)

As another example, this filter expression combines the NOT and the INLIST operator. This expression evaluates to TRUE if the Source IP is not present in the dynamic list called MailServerList.

filter(not(e.sip inlist MailServerList))

This filter expression is used to evaluate whether the event name of the current event equals “File Access” and the Source User Name is also not present on a dynamic list called AuthorizedUsers. If both conditions are true for the current event, the expression evaluates to TRUE.

filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))

ISNULL Operator

The isnull operator returns true if the metatag value is equal to NULL.

Example:

filter(isnull(e.SIP))

Output Sets

  • The output of a filter is either the empty set (if the Boolean expression evaluates to false) or a set containing the current event and all of the other events from the incoming set (if the Boolean expression evaluates to true).

  • If filter is the last or only operation of a correlation rule, then the output set of the filter is used to construct a correlated event. The trigger events are the filter operation output set of events with the current event first.

  • If filter is not the last operation of a correlation rule (that is, filter is followed by a flow operation), then the output set of a filter is used as the input set to other operations (through the flow operator).

Additional Information

  • The filter operator can be used to compare metatag values with other metatag values, for example:

    e.SourceIP=e.DestinationIP
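The filter operators of this section, as an added Python example that is not part of the Sentinel documentation: each operator becomes a small predicate over an event dict, and three of the rule expressions shown above are written against them so they can be tried on constructed events. The metatag short names (sip, dip, evt, sun, sev, res) and the dynamic list contents are assumptions taken from or modelled on the examples above.

```python
import ipaddress
import re

# Added example, not Sentinel code: filter operators as predicates over an
# event dict whose keys are metatag short names. A missing metatag is NULL
# and is represented here as None.


def match_regex(value, pattern):
    # match regex: string tags only, case-sensitive, unanchored search
    return value is not None and re.search(pattern, value) is not None


def match_subnet(value, cidr):
    # match subnet: IP fields only, CIDR notation. The example above writes
    # 10.0.0.1/22 with host bits set, so strict=False is needed to accept it.
    if value is None:
        return False
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)


def inlist(value, dynamic_list):
    # inlist: lookup of a string value on a dynamic list
    return value in dynamic_list


def isnull(value):
    return value is None


# Constructed stand-in for the dynamic list "AuthorizedUsers"
AUTHORIZED_USERS = {"backup", "svc_monitor"}


def rule_file_access(e):
    # filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))
    return e.get("evt") == "File Access" and not inlist(e.get("sun"), AUTHORIZED_USERS)


def rule_sev4_fw_or_comm(e):
    # filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))
    # NOT binds tighter than AND, and AND tighter than OR, so the parentheses
    # are what make the OR evaluate before the AND here.
    return e.get("sev") == 4 and (
        match_regex(e.get("res"), "FW") or match_regex(e.get("res"), "Comm"))


def rule_dest_in_subnet(e):
    # filter(e.DestinationIP match subnet (10.0.0.1/22)), with dip as the short name
    return match_subnet(e.get("dip"), "10.0.0.1/22")
```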
    

3.3.2 Window Operation

Window compares the current event to a set of past events that are stored in a “window.” The events in the window can be all past events for a certain time period, or they can be filtered.

The Boolean expression is a composite of comparison instructions and match instructions with the Boolean operators AND, OR and NOT.

The syntax for window is:

Window (<Boolean expression>[, <filter expression>], <evaluation period>)

Where

<Boolean expression> is an expression comparing a metatag value from the current event to a metatag value from a past event (or a user-specified constant)
<filter expression> is optional and specifies filter criteria for the past events 
<evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.

For example, this rule detects whether the current event has a source IP address in the specified subnet (10.0.0.10/22) and matches one or more events that happened within the past 60 seconds.

window(e.sip = w.sip, filter(e.sip match subnet (10.0.0.10/22)), 60)

As another example, this rule is a domino type of rule. An attacker exploits a vulnerable system and uses it as an attack platform.

window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h)

This rule identifies a potential security breach after a denial of service attack. The rule fires if the destination of a denial of service attack has a service stopped within 60 seconds of the attack.

filter(e.rv51="Service" and e.rv52="Stop" and e.st = "H") flow window (e.sip = w.dip, filter(e.rv52="Dos"), 60s) flow trigger(1,0)

Output Sets

  • If any past event evaluates to true with the current event for the simple Boolean expression, the output set is the incoming event plus all matching past events.

  • If no events in the window match the current event for the simple Boolean expression, the output set is empty.

  • If a window is the last or only operation of a correlation rule, then the output set of the window is used to construct a correlated event (the correlated events being the window operation output set of events with the current event first).

Additional Information

  • You must prepend a metatag name with "e." to specify the current event or with "w." to specify the past events.

  • All window simple Boolean expressions must include a metatag in the form w.[metatag].

  • For more information about valid filter expressions, see Section 3.3.1, Filter Operation.

  • Every event coming in to the Correlation Engine that passes this filter is put into the window of past events.

  • If no filter expression exists, then all events coming into the Correlation Engine are maintained by the window. With extremely high event rates or long durations, this might require a large amount of memory.

  • The current event is not placed into the window until after the current event window evaluation is complete.

  • To minimize memory usage, only the relevant parts of the past events, not all metatag values, are maintained in memory.
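The window semantics listed above (expiry after the evaluation period, a window filter that decides which engine events are kept, the current event entering the window only after its own evaluation, and an empty input set skipping evaluation), as an added Python simulation that is not part of the Sentinel documentation. It runs the denial-of-service rule from this section on constructed events; the metatag short names sip, dip, rv51, rv52 and st are taken from that rule, and timestamps are assumed to be seconds.

```python
from collections import deque

# Added example, not Sentinel code: simulation of the window operation for
#   filter(e.rv51="Service" and e.rv52="Stop" and e.st="H")
#     flow window(e.sip = w.dip, filter(e.rv52="Dos"), 60s)
# Events are dicts of metatag short names; timestamps are seconds.


class Window:
    def __init__(self, boolean_expr, window_filter, period_s):
        self.boolean_expr = boolean_expr    # f(e, w) -> bool; e current, w past
        self.window_filter = window_filter  # f(e) -> bool, or None to keep all
        self.period_s = period_s
        self.past = deque()                 # (ts, event), oldest first

    def process(self, ts, e, input_set):
        # discard past events older than the evaluation period
        while self.past and ts - self.past[0][0] > self.period_s:
            self.past.popleft()
        out = []
        if input_set:  # an empty input set means the operation is not evaluated
            matches = [w for _, w in self.past if self.boolean_expr(e, w)]
            if matches:
                out = [e] + matches  # current event first, then matching past events
        # The current event enters the window only after its own evaluation, and
        # every engine event passing the window filter is kept, whether or not
        # the upstream filter passed it on as the current event.
        if self.window_filter is None or self.window_filter(e):
            self.past.append((ts, e))
        return out


def upstream_filter(e):
    return e.get("rv51") == "Service" and e.get("rv52") == "Stop" and e.get("st") == "H"


# Constructed sample stream: a DoS against 10.0.0.5, a service start, then two
# service stops on 10.0.0.5, one inside and one outside the 60 s window.
SAMPLE_EVENTS = [
    (0, {"sip": "198.51.100.7", "dip": "10.0.0.5", "rv52": "Dos"}),
    (20, {"sip": "10.0.0.5", "dip": "10.0.0.5", "rv51": "Service", "rv52": "Start", "st": "H"}),
    (30, {"sip": "10.0.0.5", "dip": "10.0.0.5", "rv51": "Service", "rv52": "Stop", "st": "H"}),
    (100, {"sip": "10.0.0.5", "dip": "10.0.0.5", "rv51": "Service", "rv52": "Stop", "st": "H"}),
]


def run_dos_rule(events):
    """Return (timestamp, [sip of each output event]) for every non-empty output set."""
    win = Window(lambda e, w: e["sip"] == w["dip"], lambda e: e.get("rv52") == "Dos", 60)
    fired = []
    for ts, e in events:
        out = win.process(ts, e, [e] if upstream_filter(e) else [])
        if out:
            fired.append((ts, [x["sip"] for x in out]))
    return fired
```

Only the stop at t=30 produces an output set; the one at t=100 finds the DoS event already expired from the window.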

3.3.3 Trigger Operation

Trigger is used to specify a number of events for a user-specified duration.

The syntax for trigger is:

Trigger (<number of events>, <evaluation period>[, discriminator (<list of tags>)])

Where

<number of events> is an integer value specifying the number of matching events that are necessary for the rule to fire
<evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.
<list of tags> is one or more metatags to group by (the discriminator)

For example, this rule detects if 5 events with the same source IP address happen within 10 seconds.

trigger(5,10,discriminator(e.sip))

Output Sets

  • If the specified count is reached within the specified duration, then a set of events containing all of the events maintained by the trigger is output; if not, the empty set is output.

  • When receiving a new input set of events, a trigger first discards the outdated events (events that have been maintained for more than the duration) and then inserts the current event. If the number of resulting events is greater than or equal to the specified count, then the trigger outputs a set containing all of the events.

  • If a trigger is the last operation (or the only operation) of a correlation rule, then the output set of the trigger is used to construct a correlated event (the correlated events being the trigger operation output set of events with the current event first).

  • If a trigger is not the last operation of a correlation rule (that is, it is followed by a flow operator), then the output set of a trigger is used as the input set to other operations (through the flow operator).

  • The discriminator (meta-tag list) is a comma-delimited list of meta-tags. A trigger operation keeps different counts for each distinct combination of the discriminator meta-tags.
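The trigger semantics listed above (discard outdated events, insert the current event, compare the count with the threshold, one count per distinct discriminator combination), as an added Python simulation that is not part of the Sentinel documentation. It runs the trigger(5,10,discriminator(e.sip)) rule from this section on constructed events; the metatag short name sip is taken from that rule and timestamps are assumed to be seconds.

```python
from collections import defaultdict, deque

# Added example, not Sentinel code: simulation of the trigger operation for
# trigger(5,10,discriminator(e.sip)). Events are dicts of metatag short
# names; timestamps are seconds.


class Trigger:
    def __init__(self, count, period_s, discriminator=()):
        self.count = count
        self.period_s = period_s
        self.discriminator = tuple(discriminator)  # metatags to group counts by
        self.buckets = defaultdict(deque)          # discriminator values -> (ts, event)

    def process(self, ts, e):
        # a separate count for each distinct combination of discriminator values
        key = tuple(e.get(tag) for tag in self.discriminator)
        bucket = self.buckets[key]
        # first discard outdated events, then insert the current event
        while bucket and ts - bucket[0][0] > self.period_s:
            bucket.popleft()
        bucket.append((ts, e))
        if len(bucket) >= self.count:
            # output set: current event first, then the other maintained events.
            # The text describes no reset after firing, so none is assumed here.
            return [e] + [w for _, w in list(bucket)[:-1]]
        return []


# Constructed sample: five events from 192.0.2.10 within 10 s, interleaved with
# two from 192.0.2.20, then a late 192.0.2.10 event after most have aged out.
SAMPLE_EVENTS = [(t, {"sip": ip}) for t, ip in [
    (0, "192.0.2.10"), (1, "192.0.2.20"), (2, "192.0.2.10"), (3, "192.0.2.20"),
    (4, "192.0.2.10"), (6, "192.0.2.10"), (8, "192.0.2.10"), (15, "192.0.2.10")]]


def run_trigger_rule(events, count=5, period_s=10):
    """Return (timestamp, sip, size of output set) for every firing."""
    trig = Trigger(count, period_s, discriminator=("sip",))
    fired = []
    for ts, e in events:
        out = trig.process(ts, e)
        if out:
            fired.append((ts, e["sip"], len(out)))
    return fired
```

The event at t=15 does not fire: only the t=6 and t=8 events are still within 10 seconds of it, so its count is 3. With trigger(1,0), as in the denial-of-service rule above, every input event fires immediately.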