15.4 Correlation

Correlation is the process of analyzing security events to identify potential relationships between two or more events. Correlation allows quick association of priority attacks based on common elements of event data.

The following example is written for the Data Generator Connector that comes installed in Sentinel as a test event generator.

NOTE: Any time the Data Generator Connector is running, it adds data to your database. A correlation rule that is associated with the Data Generator Connector adds still more data to your database.

15.4.1 Creating a Simple Correlation Rule

  1. Click the Correlation tab and select Correlation Rule Manager in the navigation bar.

  2. In the Correlation Rule Manager window, click Add.

  3. Click Simple to create a simple rule.

  4. Select All in the Fire if drop-down menu.

  5. Specify the following conditions:

    • SourcePort = 10025

    • DestinationPort = 25

  6. Click Next.

  7. To have this rule fire as many times as possible, select Continue to perform actions every time this fires.

  8. Click Next.

  9. In the General Description window, specify a name and a description. Use a name and description that indicate that this is a tutorial rule and does not apply to your network.

  10. Click Next.

  11. Select not to create another rule, then click Next.

15.4.2 Deploying the Simple Correlation Rule

  1. Click the Correlation tab and select Correlation Rule Manager in the navigation bar.

  2. Click Tutorial_SourcePort_DestinationPort > Deploy Rule.

  3. (Optional) In the Deploy Rule window, add an action. This allows you to:

    • Configure Correlated Event

    • Add to Dynamic List

    • Remove from Dynamic List

    • Execute a Command

    • Send Email

    • Create Incident

  4. Click Next. The rule is shown in green to indicate that it is deployed.

15.4.3 Viewing the Events that Triggered Your Correlated Event

  1. Right-click the correlated event.

  2. Select View Trigger Events to see how many events triggered this correlation rule.
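The logic behind the tutorial rule, as an added example that is not part of the Sentinel documentation: a small evaluator for a simple correlation rule (Fire if All = AND of the field conditions, Fire if Any = OR), with "Continue to perform actions every time this fires" modelled as firing on every match, and each correlated event keeping the trigger events that "View Trigger Events" would show. The sample events, the `SimpleRule`/`CorrelatedEvent` types and the one-shot behaviour when fire-every-time is off are assumptions for illustration, not Sentinel's own implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Literal

Event = Dict[str, object]


@dataclass
class SimpleRule:
    """A simple correlation rule: field == value conditions joined by
    'All' (every condition must match) or 'Any' (one is enough).
    fire_every_time=True mirrors "Continue to perform actions every time
    this fires"; False is assumed here to mean fire on the first match only."""
    name: str
    conditions: Dict[str, object]
    fire_if: Literal["All", "Any"] = "All"
    fire_every_time: bool = True


@dataclass
class CorrelatedEvent:
    rule_name: str
    trigger_events: List[Event] = field(default_factory=list)


def matches(rule: SimpleRule, event: Event) -> bool:
    checks = (event.get(k) == v for k, v in rule.conditions.items())
    return all(checks) if rule.fire_if == "All" else any(checks)


def correlate(rule: SimpleRule, events: List[Event]) -> List[CorrelatedEvent]:
    """Run the rule over an event stream; each correlated event records the
    source event(s) that triggered it, which is what View Trigger Events shows."""
    fired: List[CorrelatedEvent] = []
    for ev in events:
        if not matches(rule, ev):
            continue
        fired.append(CorrelatedEvent(rule.name, [ev]))
        if not rule.fire_every_time:
            break
    return fired


# Constructed sample events (not from the page); the ports are the tutorial's values.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "SourcePort": 10025, "DestinationPort": 25},
    {"id": 2, "SourcePort": 10025, "DestinationPort": 80},  # only one condition
    {"id": 3, "SourcePort": 44321, "DestinationPort": 25},  # only one condition
    {"id": 4, "SourcePort": 10025, "DestinationPort": 25},
]

TUTORIAL_RULE = SimpleRule("Tutorial_SourcePort_DestinationPort",
                           {"SourcePort": 10025, "DestinationPort": 25})


def tutorial_results() -> List[CorrelatedEvent]:
    return correlate(TUTORIAL_RULE, SAMPLE_EVENTS)


if __name__ == "__main__":
    for ce in tutorial_results():
        print(ce.rule_name, "triggered by event", [e["id"] for e in ce.trigger_events])
```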