4.1 Overview

Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response.

4.1.1 How Correlation Works

The following illustration shows how Correlation works:

Figure 4-1 Correlation Workflow

  1. A user creates a Correlation rule.

  2. The user associates one or more actions to the Correlation rule.

  3. The user deploys the rule in the Correlation Engine.

  4. The Correlation Engine processes events from the real-time event stream to determine whether they should trigger any of the active rules to fire the associated actions.

  5. If events match the rule criteria, correlation events are generated and associated actions are executed.

Sentinel’s correlation is near real-time and depends on the time stamp of the individual events. When an event arrives at the Correlation Engine, the engine reorders the events in a buffer based on the event time stamp (dt) field so that the events are evaluated in time order. This is done partly to evaluate sequence rules in which the rule only fires if events occur in a specific order.

The buffer is 30 seconds long, so if the event time stamp (dt) is more than 30 seconds older than the Collector Manager time stamp, the event is not evaluated. To minimize false time differences, you must use an NTP (Network Time Protocol) server to synchronize the time settings on the relevant machines. For more information, see Configuring Time in the NetIQ Sentinel 7.0.1 Installation and Configuration Guide.

4.1.2 Correlation Rules

Correlation rules define a pattern of events that should trigger a rule. You can create rules that range from simple to extremely complex. For example:

  • High severity event from a finance server

  • High severity event from any server brought online in the past 10 days

  • Five failed logins in 2 minutes

  • Five failed logins to the same server from the same username in 2 minutes

  • Intrusion detection event targeting a server, followed by an attempted login to root originating from the same server within 60 seconds

A rule can have one or more subrules:

Simple Rule

A simple rule has just one subrule. You can specify additional criteria if you want the rule to fire when all or any of the specified criteria are met. You can also specify the number of times the event should occur for the rule to fire. For example, to monitor a situation with five failed logins within a minute on a finance server, you can define a simple rule, as shown in the following figure:

Figure 4-2 Simple Rule

For information on creating a simple rule, see Section 4.4.1, Creating a Simple Rule.

Sequence Rule

A sequence rule has two or more subrules that fire in sequence. You can use a sequence rule when you want the rule to fire if its subrules meet the specified criteria in the specified sequence within the defined time frame. For example, to monitor a situation where there has been a successful login after three failed logins by the same user within five minutes, you can define the rule as shown in the following figure:

Figure 4-3 Sequence Rule

For information on creating a sequence rule, see Section 4.4.2, Creating a Sequence Rule.

Composite Rule

A composite rule has two or more subrules that fire according to the criteria you define. There are two types of composite rules:

  • Composite (AND): Indicates that all subrules must fire.

  • Composite (OR): Indicates that a specified number of subrules must fire.

For example, to monitor a situation where there have been failed logins on a finance server and a database server within two minutes, you can create a composite (AND) rule, as shown in the following figure:

Figure 4-4 Composite (AND) Rule

Similarly, for example, if you have three or more subrules and you want the rule to fire if a maximum of two subrules meet the specified criteria, you can create a composite (OR) rule, as shown in the following figure:

Figure 4-5 Composite (OR) Rule

For information on creating a composite rule, see Section 4.4.3, Creating a Composite Rule.

Free-form Rule

If you are familiar with the rule expression syntax, you can create Correlation rules by manually specifying the rule expression. You can use free-form rules to create complex rules by using additional operators such as Window, Intersection, and Union.

For information on the rule expression syntax, see Section B.0, Correlation Rule Expression Syntax.

For more information on creating a free-form rule, see Section 4.4.4, Creating a Free-Form Rule.

4.1.3 Correlation Engine

To monitor events according to the Correlation rules, you must deploy the rules in the Correlation Engine. When an event occurs that satisfies the rule criteria, the Correlation Engine generates a correlation event describing the pattern.

NOTE:Events that are sent directly to the event store or dropped by event routing rules are not processed by the Correlation Engine.

The Sentinel Correlation Engine provides specific advantages over database-centric Correlation Engines.

  • By relying on in-memory processing rather than database inserts and reads, the Correlation Engine performs during high steady-state volumes as well as during event spikes when under attack, which is the time when correlation performance is most critical.

  • The correlation volume does not slow down other system components, so the user interface remains responsive, especially with high event volumes.

  • The Correlation Engine can add events to incidents after an incident has been created.

  • You can deploy multiple Correlation Engines, each on its own server, without the need to replicate configurations or add databases. The Correlation Engine is built with a pluggable framework that allows the addition of new Correlation Engines. Independent scaling of components provides cost-effective scalability and performance.

    NOTE:You cannot install more than one Correlation Engine on a single system. You can install additional Correlation Engines on remote systems, and then connect them to the Sentinel server.

    For more information on installing the Correlation Engine, see Installing Additional Correlation Engines in the NetIQ Sentinel 7.0.1 Installation and Configuration Guide.