4.3 Understanding the Correlation Interface

The Correlation interface includes the following:

4.3.1 Correlation Panel

The Correlation panel lists the rules and the Correlation Engines installed on your system.

The Correlation panel includes the following options:

Search Field

The Search field allows you to search for a specific rule in your system by name.

Create Link

The Create link launches the Correlation Rule Builder that helps you to create correlation rules.

More Link

The More link allows you to select multiple rules and delete them in one step.

Rules

The Rules section lists all the available rules in the system. The icon next to the rule indicates the status of the rule:

  • Enabled: The rule is deployed in the Correlation Engine and is enabled to process events.

  • Disabled: The rule is deployed in the Correlation Engine, but the rule is disabled and is not processing events.

  • No icon: The rule is not deployed in the Correlation Engine.

To view the details of a rule, click the rule. When a rule is selected, the following icons are displayed:

  • Search: Searches for the events that meet the rule criteria. The events are displayed in the search results panel.

  • Edit: Allows you to edit the rule.

  • Delete: Allows you to delete the rule.

Engines

The Engines section lists the Correlation Engines installed in the system. The icon next to the Correlation Engine indicates the status of the Correlation Engine.

  • Start: The Correlation Engine is started and is processing the deployed correlation rules.

  • Stop: The Correlation Engine is stopped. When the Correlation Engine is stopped, all in-memory data is preserved and no new correlation events are generated.

  • Offline: The remote Correlation Engine is off.

Click any engine to view the details, such as the rules deployed in this engine and information about the engine. For more information, see Section 4.11.1, Using the Correlation Engine Dashboard.

4.3.2 Correlation Rule Builder

The Correlation Rule Builder helps you to create correlation rules and includes the following:

Command Buttons

The following command buttons are available:

  • Subrule: Adds a subrule window in the rule builder. You can add additional subrules to create a sequence or composite rule.

  • View Rule Expression/Hide Rule Expression: Displays or hides the expression of the rule. This is a toggle button.

  • Save Rule: Saves the rule in the Sentinel database.

  • Save As: Allows you to save the rule with another name.

  • Test Rule: Tests the rule against the events in your system. For more information, see Section 4.6, Testing a Correlation Rule.

Rule Builder Elements

Table 4-1 Common Rule Builder Elements

Element: edit
  Description: Allows you to edit the rule name.
  Action: Click the edit link.

Element: Rule type
  Description: Lists the types of rules:
    • Sequence
    • Composite (AND)
    • Composite (OR)
  This list is displayed only if there is more than one subrule.
  Action: Select an appropriate rule type for the rule you want to create.

Element: Count
  Description: This field is enabled only for composite (OR) rules and if there are more than 2 subrules. It indicates the maximum number of subrules that should meet the specified criteria for the rule to fire. For example, if you have 5 subrules and you specify the Count as 3, the rule fires if one, two, or three subrules meet the specified criteria.
  Action: Specify a number or use the up/down arrow keys to select a number.
  NOTE: The value should always be less than the number of subrules in the rule.

Element: Group by
  Description: Lists the attributes you can use to group the correlation events. The Group by list is enabled if there are two or more subrules.
  Action: Select one or more attributes. For example, to group events by username, select initusername.

Element: Time frame (Hr: Min: Sec)
  Description: Indicates the time within which the specified criteria in the subrules should be satisfied for the rule to fire.
  Action: Specify the time in hours, minutes, or seconds.

Subrule Window

The subrule window allows you to specify the expressions (criteria) for the rule and lists the various expressions that you have created for a subrule.

Table 4-2 Subrule Window Elements

Element: Toggle icons
  Description: Toggles between a structured rule and a free-form rule.
  Action: Click the icon to toggle to the free-form or structured view.

Element: Group by
  Description: Lists the attributes you can use to group the correlation events. The Group by list is enabled only if the Count is greater than 1.
  Action: Select one or more attributes. For example, to group events by username, select initusername.

Element: Count
  Description: Indicates the number of times the expressions must meet the specified criteria for the subrule/rule to fire.
  Action: Specify a number or use the up/down arrow keys to select the number.

Element: Close icon
  Description: Closes the subrule window.
  Action: Click the icon to close the subrule window.

Element: Time frame (Hr: Min: Sec)
  Description: Indicates the time within which the specified criteria in the subrule should be satisfied for the rule to fire.
  Action: Specify the time in hours, minutes, or seconds. For example, if you want the rule to fire within 2 minutes, specify 2 in the Min field.

Element: Condition (AND / OR)
  Description: Determines whether the subrule fires when all (AND) or any (OR) of the expressions in the subrule are met. These option buttons are enabled only if there are two or more expressions in a subrule.
  Action: Select one of the conditions.

Element: Create a new expression
  Description: Allows you to create a new expression. Displays the Expression Builder. For more information, see Expression Builder.
  Action: Click the link to create a new expression.

Element: Delete expression
  Description: Deletes the expression.
  Action: Click the icon to delete the expression.

Expression Builder

The Expression Builder allows you to select various parameters required to create an expression for the rule. The various parameters include Attributes, Operator, and Value. These parameters are interdependent, and changing one of them affects the validity of others.

Figure 4-6 Expression Builder

Attribute: Displays a categorized list of possible event fields that can be used to create a Correlation rule. Each category can be expanded to display the set of fields in that category. If you know the name of the field you want, specify the name in the Search field. The event category list adjusts to present only matching fields.

For information on the various event fields, click Tips located at the top right corner.

Operator: Lists the various operators. The list varies depending on the selected attribute type. For example:

  • For all attributes, the =, <, >, !=, <=, >=, inlist, isnull, not inlist, and not isnull operators are available.

  • For string attributes, the match regex operator is available.

  • For IP attributes, the match subnet operator is available.

  • For tag attributes, the contains operator is available.

For more information on using the operators, see Filter Operation in Section B.0, Correlation Rule Expression Syntax.

Value: This field varies, depending on the attribute and operator. For example:

  • For the isnull and not isnull operators, no value can be chosen.

  • For the inlist and not inlist operators, the available dynamic lists are displayed. You can also create a new dynamic list if necessary. For more information on dynamic lists, see Section 6.1, Creating a Dynamic List.

  • For the Severity attribute, the severity list is displayed.

  • For date attributes, a date-time calendar is displayed.

  • For xdas taxonomy attributes, the taxonomy builder is displayed.

  • For numeric attributes, only numbers are accepted.

  • For the Sensor type attribute, the list of sensor types is displayed.

  • For the Tags (rv145) attribute, the list of available tags is displayed.

  • For Collector fields, a list of Collectors is displayed.

You can also select one or more event attributes as the value by using the Show Attributes option.
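The following Python sketch is an added example, not part of the Sentinel documentation or product: it models how a single subrule built from the Table 4-2 elements (Condition, Count, Time frame, Group by) and the Expression Builder operators listed above is evaluated over an event stream. The events, the rule, and the field names used as keys (initusername, sip, sev, msg, and t for the event time) are constructed for the example; a Python set stands in for a dynamic list.

```python
import ipaddress, operator, re
from collections import defaultdict, deque
# Constructed sample events (not from the page); "t" is seconds, other keys mirror Sentinel attribute names.
EVENTS = [
    {"t": 0,   "initusername": "alice", "sip": "10.1.2.3",    "sev": 4, "msg": "login failed"},
    {"t": 30,  "initusername": "alice", "sip": "10.1.2.3",    "sev": 4, "msg": "login failed"},
    {"t": 50,  "initusername": "bob",   "sip": "192.168.5.9", "sev": 4, "msg": "login failed"},
    {"t": 90,  "initusername": "alice", "sip": "10.1.2.4",    "sev": 4, "msg": "login failed"},
    {"t": 400, "initusername": "alice", "sip": "10.1.2.3",    "sev": 4, "msg": "login failed"},
]
# The Expression Builder operators listed on the page; a Python set stands in for a dynamic list.
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge,
       "inlist": lambda a, v: a in v, "not inlist": lambda a, v: a not in v,
       "match regex": lambda a, v: re.search(v, str(a)) is not None,
       "match subnet": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v)}

def match(op, actual, value):
    """Evaluate one expression (attribute value, operator, value) from the Expression Builder."""
    if op in ("isnull", "not isnull"):
        return (actual is None) == (op == "isnull")
    if actual is None:                    # a missing field satisfies no other operator
        return False
    return OPS[op](actual, value)         # KeyError for an operator the page does not list

def subrule_matches(expressions, condition, event):
    """Condition AND: every expression must match; OR: any one is enough."""
    hits = [match(op, event.get(attr), val) for attr, op, val in expressions]
    return all(hits) if condition == "AND" else any(hits)

def run_subrule(events, expressions, condition, count, timeframe, group_by):
    """Fire once per Group-by key when `count` matching events fall within `timeframe` seconds."""
    windows, fired = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["t"]):
        if not subrule_matches(expressions, condition, ev):
            continue
        key = tuple(ev.get(a) for a in group_by)
        win = windows[key]
        win.append(ev["t"])
        while ev["t"] - win[0] > timeframe:   # drop events that fell out of the sliding window
            win.popleft()
        if len(win) >= count:
            fired.append((key, ev["t"]))
            win.clear()                        # the next firing needs a fresh set of events
    return fired
# Constructed rule: 3 failed logins by the same user from 10.0.0.0/8 within 2 minutes (120 s).
RULE = [("msg", "match regex", "failed"), ("sip", "match subnet", "10.0.0.0/8"), ("sev", "<", 6)]
def demo():
    return run_subrule(EVENTS, RULE, "AND", count=3, timeframe=120, group_by=["initusername"])
```

With the constructed events, demo() fires once for alice at t=90; bob's event is excluded by the match subnet expression, and the event at t=400 starts a new window rather than counting toward the earlier one.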

Actions Panel

The Actions panel lists the actions associated with the rule, allows you to associate additional actions with the rule, and allows you to define when those actions should execute.

The Actions panel includes the following icons:

  • Action execution criteria: Allows you to specify when the rule should initiate the action. When you click this icon, the Action Execution Criteria dialog box is displayed:

    You can select one of the following options:

    • Perform actions every time the rule fires: The action executes each time the rule criteria are met.

    • Perform actions at most every: The action executes at most once per specified time interval. By default, this option is selected and the time interval is set to 1 hour. This ensures that the rule does not fire its actions continually and overutilize resources.

  • Add action: Allows you to associate actions with the rule. When you click this icon, a list of actions is displayed. Select one or more actions that you want to associate with the rule.

For more information on associating actions to a rule, see Section 4.5, Associating Actions to a Rule.