3.7 Differences between Correlation in 5.x and 6.x

Several features were added or updated in 6.x to widen the use of Correlation, meet user requirements and improve ease of use.

Table 3-3 Comparison Table

| Features | Correlation in Sentinel 5.x | Correlation in Sentinel 6.1RD |
| --- | --- | --- |
| Gate Operation | Not available | This is new in 6.x |
| Sequence Operation | Not available | This is new in 6.x |
| Inlist Operator and Dynamic Lists | Not available | These are new in 6.x |
| Isnull Operator | For metatag values equal to null, Sentinel 5.x supported the syntax `e.SIP= " "`, which is replaced by the ISNull operator in Sentinel 6.0 | This is new in 6.x. Uses the ISNull operator. |
| Update Window |  | This is new in Sentinel 6.x |
| SensorType field |  | Sentinel 6.x merges the "C" (Correlated Events) and "W" (watchlist events) SensorTypes. All events generated by the Correlation Engine are now labeled "C" in the SensorType field. |
| Correlation Actions and Correlation Rules |  | Correlation Actions and Correlation Rules are decoupled in Sentinel 6.x |
| Boolean expressions | The filter operation supported the Boolean expressions AND and OR. | The window operation supports Boolean expressions. OR: `window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2),60)`; AND: `window(e.evt=w.evt AND e.sun=w.sun, filter(e.sev>2),60)` |
| Creating a rule from a PUBLIC filter | GUI option | Sentinel 6.x doesn't have the GUI option to create a rule from a PUBLIC filter. The filter criteria must be defined in the correlation wizard or language. |
| Update functionality for rules | Updates to a rule were based on a sliding window based on the trigger time period. | The update functionality for a rule that is triggered more than once is configurable in Sentinel 6.x. It can be set when the rule is deployed: the rule actions might happen every time the rule is triggered, or they can be set to occur once and then wait for some period of time before the action occurs again. This prevents multiple notifications on a single, ongoing event. |
| IN, NOT IN, and difference operators |  | The IN, NOT IN, and difference operators are deprecated. Correlation rules using these operators must be modified before running them in Sentinel 6.x. |
| The e.all metatag |  | The e.all metatag has been deprecated. Correlation rules using this operator should be updated to use specific short tags before running them in Sentinel 6.x. |
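The window operation with an OR condition and the configurable update window from the table above, as an added Python model (not Sentinel's code and not its RuleLG implementation). It assumes the usual reading of `window(<condition>, filter(<filter>), <seconds>)`: the current event `e` is compared with every past event `w` that passed the filter within the last `<seconds>`, and the update window is modelled as a quiet period after a trigger. The sample events are constructed.

```python
from collections import deque
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

class WindowRule:
    """Model of window(<condition>, filter(<filter>), <seconds>) with an
    update window: after the rule triggers it stays quiet for update_window
    seconds (the 6.x 'fire once, then wait' setting; 0 = fire every time).
    Assumption: e is the current event, w any past event that passed the
    filter within the last <seconds>; the rule triggers if the condition
    holds for at least one such w."""

    def __init__(self, condition: Callable[[Event, Event], bool],
                 event_filter: Callable[[Event], bool],
                 seconds: int, update_window: int = 0) -> None:
        self.condition, self.event_filter = condition, event_filter
        self.seconds, self.update_window = seconds, update_window
        self.past: deque = deque()      # filtered events still in the window
        self.last_fired: Optional[int] = None

    def process(self, e: Event) -> bool:
        now = int(e["ts"])
        # Slide the window: drop w events older than <seconds>.
        while self.past and now - int(self.past[0]["ts"]) > self.seconds:
            self.past.popleft()
        fired = False
        if any(self.condition(e, w) for w in self.past):
            quiet = self.last_fired is not None and now - self.last_fired < self.update_window
            if not quiet:
                fired, self.last_fired = True, now
        if self.event_filter(e):        # e becomes a w for later events
            self.past.append(e)
        return fired

# Constructed sample events (ts in seconds); not real Sentinel data.
SAMPLE: List[Event] = [
    {"ts": 0,  "sip": "10.0.0.1", "dip": "10.0.0.9", "sev": 3},  # stored (sev>2)
    {"ts": 30, "sip": "10.0.0.2", "dip": "10.0.0.9", "sev": 1},  # dip matches w@0
    {"ts": 40, "sip": "10.0.0.1", "dip": "10.0.0.7", "sev": 4},  # sip matches w@0
    {"ts": 90, "sip": "10.0.0.3", "dip": "10.0.0.7", "sev": 1},  # w@0 expired, dip matches w@40
]

def run_rule(events: List[Event], update_window: int = 0) -> List[int]:
    """Return the timestamps at which the OR rule from the table triggers."""
    rule = WindowRule(lambda e, w: e["dip"] == w["dip"] or e["sip"] == w["sip"],
                      lambda e: e["sev"] > 2, 60, update_window)
    return [int(e["ts"]) for e in events if rule.process(e)]

if __name__ == "__main__":
    print(run_rule(SAMPLE))      # [30, 40, 90]: every trigger fires an action
    print(run_rule(SAMPLE, 60))  # [30, 90]: the trigger at 40 is suppressed
```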