6.6 Sample Correlation Rules

6.6.1 Detecting Critical Events from an Intrusion Detection System

This example identifies critical events from an intrusion detection system and sends an e-mail to the Administrator.

  • Launch the Correlation Rule Builder. In the Correlation panel, click Create.

  • In the Subrule window, click Create a new expression.

  • Specify that the events must be from an intrusion detection system (IDS):

    • In the Expression Builder > Event Fields, select ObserverCategory.

    • Ensure that the “=” operator is selected.

    • In the Value field, specify IDS, then click OK.

  • Identify critical events:

    • Add another expression. In the Subrule window, click Create a new expression.

    • In the Expression Builder > Event Fields, select Severity.

    • Select >= as the operator.

    • In the Value field, select 4, then click OK.

  • If events are found, send an e-mail to the administrator:

    • In the Actions panel, click to associate the action with the rule.

    • Select Send E-mail.

    • Click to update the action execution criteria.

    • Select Perform actions everytime the rule fires, then click OK.

  • Click Save Rule.

  • Deploy the rule in the Correlation Engine.

    For more information, see Deploying Rules in the Correlation Engine.

  • Search events that match the rule criteria.

    For more information, see Viewing Correlated Events.

6.6.2 Detecting a Spreading Attack

This example creates a Correlation rule that indicates whether the source of an attack was previously the destination of an attack (within 15 minutes.) Because this involves comparing a current event set with a past event set, it uses the window operation.

  • In the Subrule window, click to switch to the free-form editor.

  • Specify the expression as follows:

    filter(e.TaxonomyLevel1="Attack") flow window(w.dip=e.sip, filter(e.rv51="Attack"), 15m)
  • Click Save Rule.

  • Deploy the rule in the Correlation Engine.

    For more information, see Deploying Rules in the Correlation Engine.

  • Search events that match the rule criteria.

    For more information, see Viewing Correlated Events.

6.6.3 Detecting an Attack that Came from Outside the Firewall

This example creates a Correlation rule that checks whether an intrusion detection system attack event seen inside your network came through your firewall in the last 10 seconds.

  • In the Subrule window, click to switch to the free-form editor.

  • Specify the expression as follows:

    filter(e.TaxonomyLevel1="Attack") flow window(w.dip=e.sip, filter(e.rv32="FW"), 10)
  • Click Save Rule.

  • Deploy the rule in the Correlation Engine.

    For more information, see Deploying Rules in the Correlation Engine.

  • Search events that match the rule criteria.

    For more information, see Viewing Correlated Events.