5.3 Creating Correlation Rules

The procedure to create various types of Correlation rules is the same for all rule types, except for a few steps that are specific to each rule type. Events are evaluated by rules in the specified order until a match is made, so you should order subrules accordingly. More narrowly defined subrules and more important subrules should be placed at the beginning of the list. When creating correlation rules, you can also define what you want to see in the correlated event.

NOTE:You must have the Manage correlation engine and rules permission to access the Correlation interface.

5.3.1 Understanding the Correlated Event

By default, correlated events display the event name and message as the rule name and rule description respectively.

The correlated event field values depend on the number of events that triggered the correlated event and whether any of the event fields are grouped.

  • In case of a single event triggering the correlated event, all the event field values are copied to the correlated event. If one or more event fields are grouped, only the grouped event fields are copied to the correlated event.

  • In case of multiple events triggering a correlated event, the grouped event field values are copied to the correlated event. If none of the event fields are grouped, no values are copied to the correlated event.

The following table describes the default event fields in a correlated event. You can also customize the event field values to suit your requirements. For more information, see Customizing Correlated Event.

Table 5-3 Default Correlated Event Fields

Correlation Event Field

ID

Sample Value

Description

EventName

evt

LoginUser

The name of the correlation rule.

EventTime

dt

2014-02-10T05:21:29.047Z

The time when the last trigger event was fired.

Message

msg

Rule triggered for every successful login

The description in the correlation rule.

ObserverCategory

rv32

SIEM

For a correlated event, this event field is always set to SIEM.

ObserverServiceComponent

rv150

SessionServices

This value is same as that of the last trigger event.

ObserverTZ

estz

Asia/Kolkata

The time zone in which the correlation engine is located.

ObserverType

st

C

For a correlated event, the event field is always set to C.

SentinelProcessingComponent

rt2

LoginUser

The correlation rule name.

SentinelProcessingComponentID

rv123

CC72FBA4-711D-1031-8046-005056A56C5B

This is the ID of the correlation rule. The correlation rule ID remains the same even though the correlation rule name changes.

SentinelServiceComponentName

sres

LoginUser

It is the name of the correlation rule.

SentinelServiceName

res

Correlation

For a correlated event, this event field is always set to Correlation.

Severity

sev

4

For a correlated event, this event field is always set to 4.

XDASClass

xdasclass

2

This value is same as that of the last trigger event.

XDASDetail

xdasdetail

0

This value is same as that of the last trigger event.

XDASIdentifier

xdasid

0

This value is same as that of the last trigger event.

XDASOutcome

xdasoutcome

0

This value is same as that of the last trigger event.

XDASOutcomeName

xdasoutcomename

XDAS_OUT_SUCCESS

This value is same as that of the last trigger event.

XDASProvider

xdasprov

0

This value is same as that of the last trigger event.

XDASRegistry

xdasreg

0

This value is same as that of the last trigger event.

XDASTaxonomyName

xdastaxname

XDAS_AE_CREATE_SESSION

This value is same as that of the last trigger event.

The following table describes the event fields, which are populated in case the correlation rule is associated with MITRE ID.

Table 5-4 Correlated Event Fields Associated with MITRE ID

Correlation Event Field

ID

Sample Value

Description

MitreAttackName

mitreattackname

Brute Force

The Mitre Attack technique name.

MitreID

mitreid

T1110

The Mitre Attack technique identifier.

For more information on correlated event fields, click Tips in the Sentinel Main interface. For more information on the event taxonomy and event fields, see Sentinel Taxonomy.

NOTE:By default, Sentinel correlates the correlated events received from remote Sentinel servers. If you do not want the correlation rules to consider remote correlated events, set the following property in the /etc/opt/novell/sentinel/config/server.xml file to false and restart the Sentinel server:

<property name="correlateRemoteCorrelationEvents">false</property>

5.3.2 Creating a Simple Rule

A simple rule has just one subrule. You can specify additional criteria if you want the rule to fire when all or any of the specified criteria are met. You can also specify the number of times the event should occur for the rule to fire.

  1. Log in to the Sentinel Main interface.

  2. In the navigation panel, click Correlation and click the Create a correlation rule icon.

  3. In the subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the subrule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Repeat Step 3 and Step 4.

    2. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    3. (Conditional) You can group events based on the distinct values of event fields or group events by same values of event fields. Select the Group by drop-down list, drag and drop the desired event fields in the Group By Fields or Distinct Fields list depending on how you want to group the events.

    4. In the Count field, specify the number of times the expressions must meet the specified for the rule to fire. If the count is greater than 1, the Hr, Min, and Sec fields are enabled.

    5. Specify the time frame within which the subrule should fire.

    6. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Associating Actions to a Rule.

  7. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Testing a Correlation Rule.

  8. Click Save As.

  9. Specify a name for the rule, an optional description, and an optional MITRE ID then click OK.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.

5.3.3 Creating a Sequence Rule

A Sequence rule has two or more subrules that fire in sequence. You can use a Sequence rule when you want the rule to fire if its subrules meet the specified criteria in the specified sequence within the defined time frame. Therefore, you need to order the subrules in the required sequence.

  1. Log in to the Sentinel Main interface.

  2. In the navigation panel, click Correlation and click the Create a correlation rule icon.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder is displayed. For more information, see Expression Builder.

  4. Select the criteria for the subrule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. (Conditional) You can group events based on the distinct values of event fields or group events by same values of event fields. Select the Group by drop-down list, drag and drop the desired event fields in the Group By Fields or Distinct Fields list depending on how you want to group the events.

    3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    4. Specify the time frame within which the subrule should fire.

    5. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. To add additional subrules, click Add Subrule, then repeat Step 3 through Step 5 to specify the subrule criteria.

  7. In the rule type drop-down list, select Sequence rule.

  8. Specify the time frame within which the rule should fire.

  9. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Associating Actions to a Rule.

  10. (Optional) To test whether the rule is works as expected, click Test Rule.

    For more information on testing the rule, see Testing a Correlation Rule.

  11. Click Save As.

  12. Specify a name for the rule, an optional description, and an optional MITRE ID then click Save.

  13. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.

5.3.4 Creating a Composite Rule

A Composite rule has two or more subrules that fire according to the criteria you define.

  1. Log in to the Sentinel Main interface.

  2. In the navigation panel, click Correlation and click the Create a correlation rule icon.

  3. In the Subrule window, click Create a new expression.

    The Expression Builder displayed. For more information, see Expression Builder.

  4. Select the criteria for the rule, then click OK.

    The specified criteria are displayed in the subrule window.

  5. (Conditional) Specify additional expressions as necessary:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. (Conditional) You can group events based on the distinct values of event fields or group events by same values of event fields. Select the Group by drop-down list, drag and drop the desired event fields in the Group By Fields or Distinct Fields list depending on how you want to group the events.

    3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    4. Specify the time frame within which the subrule should fire.

    5. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. Complete Step 1 through Step 5 in Creating a Simple Rule.

  7. To add additional subrules, click Add Subrule, then repeat Step 3 through Step 5 to specify the subrule criteria.

  8. In the rule type drop-down list, select Composite rule.

  9. Select one of the following:

    • Composite Rule (AND): The rule fires if all the subrules meet the specified criteria within the defined time frame.

    • Composite Rule (OR): The rule fires if any of the subrules meets the specified criteria within the defined time frame.

  10. (Conditional) If you selected Composite Rule (OR), use the Count field to specify the number of subrules that should meet the specified criteria.

    The value in the Count field must be less than the number of subrules. For example, if there are 5 subrules and you specify the count as 3, the rule fires if 3 or more subrules meet the specified criteria.

  11. Specify the time frame within which the rule should fire.

  12. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Associating Actions to a Rule.

  13. (Optional) To test whether the rule is works as expected, click Test Rule.

    For more information on testing the rule, see Testing a Correlation Rule.

  14. Click Save As.

  15. Specify an intuitive name for the rule, an optional description, and an optional MITRE ID then click Save.

  16. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.

5.3.5 Creating a Sequence Timeout Rule

A Sequence Timeout rule fires when events that match the first subrule are not followed by events that match the second subrule in a specified time frame. For example, you can create a Sequence Timeout rule to detect a scenario where the server stopped but did not start again within an interval of 5 minutes. Similarly, you can also create a Sequence Timeout rule to detect a scenario where a firewall security update started but was not followed by successful installation of updates within the specified time interval. A Sequence Timeout rule has two subrules. You must order the subrules in the required sequence.

To create a Sequence Timeout rule, perform the following the steps:

  1. Log in to the Sentinel Main interface.

  2. In the navigation panel, click Correlation and click the Create a correlation rule icon.

  3. In the subrule window, click Create a new expression.

    For more information about using the Expression Builder, see Expression Builder.

  4. Select the criteria for the subrule, then click OK.

  5. (Conditional) Specify additional criteria as necessary for the subrule:

    1. Select either of the following conditions:

      • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

      • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

    2. (Conditional) You can group events based on the distinct values of event fields or group events by the same values of event fields. Select the Group by drop-down list, and drag and drop the desired event fields in the Group By Fields or Distinct Fields list depending on how you want to group the events.

    3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If Count is greater than 1, the Hr, Min, and Sec fields are enabled.

    4. Specify the time frame within which the subrule should fire.

    5. (Conditional) If the count is greater than one and if there are any grouped event fields, by default, only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

  6. To add the second subrule, click Add Subrule, then repeat Step 2 through Step 4 to specify the criteria for the second subrule.

  7. In the Rule Type drop-down list, select Sequence Timeout.

  8. Specify the time frame after which the rule should fire if the second subrule conditions are not met.

  9. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information about associating actions, see Associating Actions to a Rule.

  10. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information about testing the rule, see Testing a Correlation Rule.

  11. Click Save As.

  12. Specify a name for the rule, an optional description, and an optional MITRE ID then click Save.

  13. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.

5.3.6 Creating a Free-Form Rule

If you are familiar with the rule expression syntax, you can create correlation rules by manually specifying the rule expression. You can use free-form rules to create complex rules by using additional operators such as Window, Intersection, and Union.

  1. Log in to the Sentinel Main interface.

  2. In the navigation panel, click Correlation and then click Create a correlation rule icon.

  3. (Conditional) Perform Step 2a to create a free-form rule using a single subrule otherwise, follow Step 2b if you want to create a free-form rule using multiple subrules:

    1. Using single subrule:

      1. Click Create.

      2. In the subrule window, click to switch to the free-form view.

      3. Specify the criteria for the rule.

      4. (Optional) Click to view the rule in a structured format.

        Free-form expressions that include the Window operator or a combination of AND, OR, Sequence and Sequence Timeout operators are not supported in the structured view.

    2. Using multiple subrules:

      1. Click Create.

      2. In the Subrule window, click Create a new expression.

        The Expression Builder is displayed. For more information, see Expression Builder.

      3. Select the criteria for the rule expression.

      4. (Conditional) Specify additional expressions as necessary:

        1. Select either of the following conditions:

          • AND: Use this condition if you want the subrule to fire when the conditions in all of the expressions are met.

          • OR: Use this condition if you want the subrule to fire when the condition in either of the expressions is met.

        2. (Conditional) You can group events based on the distinct values of event fields or group events by same values of event fields. Select the Group by drop-down list, drag and drop the desired event fields in the Group By Fields or Distinct Fields list depending on how you want to group the events.

        3. In the Count field, specify the number of times the expressions must meet the specified criteria for the rule to fire. If the Count is greater than 1, the Hr, Min, and Sec fields are enabled.

        4. Specify the time frame within which the subrule should fire.

        5. (Conditional) If the count is greater than one and if there are any grouped event fields, by default only the grouped event field values are copied to the correlated event. If you want to copy all the event field values from the last event that triggered the correlated event, deselect Copy only group by fields from the trigger events.

      5. Follow Step 2b1 through Step 2b4 to create multiple subrules in the structured format.

      6. Click Edit in Free-form view to view the combined free-form expression syntax of all the subrules in the structured format.

      7. Edit the free-form expression syntax further to suit your requirements.

    NOTE:As you type the rule expression, the Free-form editor validates the rule expression syntax and indicates errors if the syntax is wrong.

    For more information on the rule expression syntax, see Section B.0, Correlation Rule Expression Syntax.

  4. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information on associating actions, see Associating Actions to a Rule.

  5. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information on testing the rule, see Testing a Correlation Rule.

  6. Click Save As.

  7. Specify an intuitive name for the rule, an optional description, and an optional MITRE ID then click Save.

  8. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.

5.3.7 Creating a Combination Rule

You can create correlation rules with a combination of different rule types to detect complex scenarios. For example, a Sequence rule with a Composite rule or a Sequence Timeout rule with a Sequence rule, and so on. You can create a combination of different rule types either by using the free-form view or by using a combination of the structured view and the free-form view.

Consider a scenario where you want a correlation rule to fire when a system scan (Event A) detects a virus (Event B), but is not followed by a quarantine (Event C) in 30 seconds. The overall timeframe for the sequence of events is 1 hour. For this scenario, you can create a combination of Sequence and Sequence Timeout rules as follows:

Event A followed by (Event B not followed by Event C), which can also be represented as Event A -> (Event B ->x Event C),

To create a combination of different rule types for the above scenario:

  1. Create a Sequence Timeout rule for (Event B ->x Event C) in the structured view and specify the time frame as 30 seconds.

  2. Click Edit in Free-form View to combine the two subrules (Event B ->x Event C) into a single subrule in the free-form view.

  3. (Conditional) Perform Step 3a if you are familiar with the rule expression syntax. Otherwise, perform Step 3b.

    1. Using free-form expression:

      1. Edit the free-form rule expression further to add the Sequence operator such that the final expression is sequence(Event A, sequence_timeout(Event B, Event C, 30), 3600).

      2. Skip to Step 4.

    2. Using a combination of free-form and structured view:

      1. Click Add Subrule to add a new subrule for Event A.

      2. Add the rule criteria for Event A.

      3. Drag the subrule for Event A by the rule header and place it before the free-form subrule to reorder the subrules.

      4. Select Sequence from the Rule Type drop-down to create the rule as follows.

        Event A -> (Event B ->x Event C)

      5. Specify the overall time frame as 1 hour.

  4. (Optional) To associate one or more actions to the rule, click in the Actions panel.

    For more information about associating actions, see Associating Actions to a Rule.

  5. (Optional) To test whether the rule works as expected, click Test Rule.

    For more information about testing the rule, see Testing a Correlation Rule.

  6. Click Save As.

  7. Specify a name for the rule, an optional description, and an optional MITRE ID then click Save.

  8. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.

5.3.8 Creating Correlation Rules From Search Results

  1. In the search results panel, select the events from which you want to create a Correlation rule.

  2. In the Events Operations drop-down list, select one of the following:

    • Add to correlation rule: Adds the selected events to an existing rule.

    • Create correlation rule: Creates a new rule with the selected events.

  3. (Conditional) If you selected create correlation rule, the Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder. Skip to Step 5.

  4. (Conditional) If you selected add to correlation rule, the Add events to an existing rule window is displayed that lists the rules in the system.

    Select a rule, then click OK.

    The Correlation Rule Builder is displayed. The events that you selected to build the rule are displayed below the rule builder.

  5. From the event list, drag the attributes that you want to add to the rule to the Subrule window.

  6. (Optional) To associate one or more actions to the rule, in the Actions panel, click .

    For more information on associating actions, see Associating Actions to a Rule.

  7. (Optional) To test whether the rule is works as expected, click Test Rule.

    For more information on testing the rule, see Testing a Correlation Rule.

  8. Click Save As.

  9. Specify an intuitive name for the rule, an optional description, and an optional MITRE ID then click Save.

  10. Deploy the rule in the Correlation Engine so that events can be processed according to the rule.

    For more information, see Deploying Rules in the Correlation Engine.