6.8 Viewing Correlated Events

Correlated events contain detailed information about the trigger events. To view correlated events, perform the following:

  1. Log in to the Sentinel Main interface.

  2. In the navigation panel, click Correlation.

  3. In the Correlation panel, select any rule, then click .

    The events that match the rule criteria are displayed in the search results panel. The correlated events are displayed with the icon.

  4. (Optional) Click to see the correlated event fields and their values. For more information, see Table 6-3.

    You can use the event field IDs to create search queries to find specific correlated events. For example, if you want to search for the correlated events that were generated because of the correlation rule LoginUser, specify the following query in the Search field:

    st:C AND rt2:LoginUser

    For more information about searching for events, see Searching Events Indexed in Traditional Storage.

  5. Select the correlated events by clicking the checkbox.

  6. Navigate to Event operations > Create correlation rule. The Correlation Rules window appears.

  7. Drag the correlated events into the Create a new expression field.

  8. Click Save As.

  9. Specify a name for the rule, an optional description, and an optional MITRE ID.

  10. Click OK.

  11. Click Rule Deployment.

  12. Select a correlation engine and click Deploy to add the rule. The Rule Health Statistics dashboard appears.

  13. The Rule Health Statistics dashboard enables you to monitor the health of a rule. It shows the fire count, process count, and status duration of the rule.

  14. (Optional) Click View triggers to view the events that generated the correlated event.
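To make the search query syntax in step 4 concrete, the following is an added example (not part of this documentation and not Sentinel's own search code) that evaluates a query such as st:C AND rt2:LoginUser over constructed event records. It assumes, from the query shown in step 4, that st:C marks a correlated event and that rt2 carries the name of the correlation rule that generated it; the field names and sample events are constructed for illustration.

```python
"""Evaluate Sentinel-style search queries (for example 'st:C AND rt2:LoginUser')
over event records. Hypothetical helper with constructed sample events; it is
not Sentinel's own search engine and supports only FIELD:VALUE terms joined by
AND/OR, evaluated left to right (no parentheses, NOT, or quoted values)."""
import re
from typing import Dict, List, Tuple

TERM_RE = re.compile(r"^(\w+):(\S+)$")

def parse_query(query: str) -> List[Tuple[str, str, str]]:
    """Return (operator, field, value) triples; the first operator is 'AND'."""
    terms, op = [], "AND"
    for tok in query.split():
        if tok.upper() in ("AND", "OR"):
            op = tok.upper()
            continue
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unsupported query term: {tok!r}")
        terms.append((op, m.group(1), m.group(2)))
        op = "AND"  # default operator between adjacent terms
    if not terms:
        raise ValueError("empty query")
    return terms

def matches(event: Dict[str, str], terms: List[Tuple[str, str, str]]) -> bool:
    """Compare field values case-insensitively; a missing field never matches."""
    result = False
    for i, (op, field, value) in enumerate(terms):
        hit = str(event.get(field, "")).lower() == value.lower()
        if i == 0:
            result = hit
        elif op == "AND":
            result = result and hit
        else:
            result = result or hit
    return result

def search(events: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    terms = parse_query(query)
    return [e for e in events if matches(e, terms)]

# Constructed sample events. Assumed from the query on this page: st:C marks a
# correlated event and rt2 carries the name of the correlation rule that fired.
SAMPLE_EVENTS = [
    {"id": "1", "st": "C", "rt2": "LoginUser", "msg": "LoginUser rule fired"},
    {"id": "2", "st": "C", "rt2": "PortScan", "msg": "PortScan rule fired"},
    {"id": "3", "st": "I", "rt2": "", "msg": "raw login event, not correlated"},
]
```

Running search(SAMPLE_EVENTS, "st:C AND rt2:LoginUser") returns only event 1, while "st:C" alone returns both correlated events.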