Correlation is the process of analyzing security events to identify relationships between two or more events. A correlation rule lets you quickly associate events that share common fields (for example, source and destination ports) and raise a higher-priority correlated event when they match.
The following example is written for the Data Generator Connector, which is installed with Sentinel as a test event generator.
NOTE: Whenever the Data Generator Connector is running, it adds data to your database. A correlation rule that matches the Data Generator Connector's events adds still more data, because every time the rule fires it writes a correlated event.
1. Open the Correlation Rule Manager from the navigation bar.
2. In the Correlation Rule Manager window, start creating a new rule.
3. Select the rule type from the drop-down menu and specify the following conditions:
   SourcePort = 10025
   DestinationPort = 25
4. To have this rule fire as many times as possible, select the option that lets the rule fire on every match rather than limiting how often it fires, then continue.
5. In the General Description window, specify a name and a description. Choose a name and description that make clear this is a tutorial rule that does not apply to your network.
6. Choose not to create another rule, then finish the wizard.
7. Open the rule deployment view from the navigation bar and deploy the rule.
8. (Optional) In the Deploy Rule window, add an action. The available actions are:
   Configure Correlated Event
   Add to Dynamic List
   Remove from Dynamic List
   Execute a Command
   Send Email
   Create Incident
9. Confirm the deployment. A deployed rule is shown in green.
10. Right-click the correlated event to see how many events triggered this correlation rule.