An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire within a specific time window in order to trigger the aggregate rule. For example, an aggregate rule might require that a subrule fire 10 times within 5 minutes for the aggregate rule to fire.
Aggregate rules have an optional
field, which can be any populated field from the events. For example, an aggregate rule might require that a subrule fire 10 times within 5 minutes where each of the 10 events has the same destination server.NOTE:For users familiar with the Correlation rule language (RuleLG), the defining operator for an aggregate rule is the “trigger” operator. The trigger clause might also use the “discriminator” operator to define the group by field. For more information about RuleLG, see Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language
in the Sentinel 6.1 Rapid Deployment Reference Guide.
To create an aggregate rule:
Open the Correlation Rule Manager window and select a folder from the drop-down list to which this rule is added.
Click the
button located on the top left corner of the screen. The Correlation Rule window displays. Select .In Aggregate Rule window, click the
button to select a sub rule to create an aggregate rule. The Add Rule window displays.You can select only one sub rule when creating an aggregate rule.
Select a rule and click
.Set parameters for the rule to fire.
To group event tags according to the attributes, Click
. The Attribute List window displays.Select the attribute you want, then preview the rule in the RuleLG preview window.
Click
.The Update Criteria window displays.Update the criteria for the rule to fire and click
. The General Description window displays.Provide a name for this rule. You have an option to modify the rule folder.
Provide a rule description and click
.You have an option to create another rule from this wizard. Select your option and click
.For trademark and copyright information, see Legal Notices.