A simple rule is defined by specifying the events that can trigger the rule to fire (for example, all firewall events, or only firewall events of severity 3 or higher). The filter criteria can be intersected (using the “all” option in the GUI or the “AND” operator in RuleLG) or unioned (using the “any” option in the GUI or the “OR” operator in RuleLG).
For example, a rule might be defined so that it fires any time an event takes place on a server that is on the critical list. Another rule might be defined to fire any time an event of severity 4 or greater takes place on a server that is on the critical list; this second rule intersects two criteria, so both must be true of the same event.
A simple rule requires only one event in order to fire. Each event is evaluated on its own against the filter, so a broad filter (such as all firewall events) fires the rule for every matching event.
For users familiar with the correlation rule language (RuleLG), the defining operator for a simple rule is the “filter” operator. For more information about RuleLG, see “Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language” in the Sentinel 6.1 Rapid Deployment Reference Guide.
In Sentinel 6, filter criteria must be defined in the Correlation Rule Wizard; you cannot reuse existing public filters.
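The filter semantics described above (one event judged at a time, “all” joining criteria with AND and “any” with OR), shown as an added example in Python. This is not Sentinel code and does not reproduce the RuleLG grammar; it assumes a small subset written in the style of the preview filter(e.sev=3): comparisons on e.<field>, and/or with and binding tighter than or, parentheses, and an “inlist <name>” shorthand that stands in for the page's critical-server list. The event field names id, st and dip, the sample events and the critical list are constructed for this demo.

```python
# Added illustration, not Sentinel code: a toy evaluator for single-event filter
# rules written like the RuleLG preview "filter(e.sev=3)".  Assumed grammar subset:
# comparisons on e.<field>, and/or, parentheses, and "e.<field> inlist <name>".
import operator
import re

# Constructed sample events; "id", "st" (sensor type) and "dip" (destination IP) are assumed names.
EVENTS = [
    {"id": 1, "sev": 2, "st": "FW",  "dip": "10.0.0.5"},
    {"id": 2, "sev": 4, "st": "FW",  "dip": "10.0.0.9"},
    {"id": 3, "sev": 5, "st": "IDS", "dip": "10.0.0.5"},
    {"id": 4, "sev": 3, "st": "FW",  "dip": "10.0.0.5"},
]
CRITICAL_SERVERS = {"10.0.0.5"}     # stands in for the page's "critical list"
KEYWORDS = {"and", "or", "inlist"}
LEVELS = ("or", "and")              # binary operators, lowest precedence first
_TOKEN = re.compile(r'\s*(?:(\(|\))|(>=|<=|!=|=|>|<)|(\d+|"[^"]*")|(e\.\w+)|(\w+))')
_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def tokenize(text):
    """Split an expression into (kind, value) tokens; unknown words become names."""
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token near {text[pos:]!r}")
        paren, op, lit, field, word = m.groups()
        if lit is not None:                    # number, or a double-quoted string
            out.append(("lit", int(lit) if lit.isdigit() else lit.strip('"')))
        elif field:
            out.append(("field", field[2:]))   # drop the "e." prefix
        elif word:
            out.append(("kw" if word.lower() in KEYWORDS else "name", word.lower()))
        else:
            out.append(("paren" if paren else "op", paren or op))
        pos = m.end()
    return out


class Parser:
    """Recursive descent: or < and < comparison / parenthesised group."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok
    def expr(self, level=0):
        if level == len(LEVELS):
            return self.atom()
        node = self.expr(level + 1)
        while self.peek() == ("kw", LEVELS[level]):
            self.take()
            node = (LEVELS[level], node, self.expr(level + 1))
        return node
    def atom(self):
        if self.peek() == ("paren", "("):
            self.take()
            node = self.expr()
            self.take("paren", ")")
            return node
        field = self.take("field")[1]
        if self.peek() == ("kw", "inlist"):
            self.take()
            return ("inlist", field, self.take("name")[1])
        return ("cmp", self.take("op")[1], field, self.take("lit")[1])


def evaluate(node, event, lists):
    kind = node[0]
    if kind in LEVELS:                         # "any" -> or, like any(); "all" -> and, like all()
        return (any if kind == "or" else all)(evaluate(n, event, lists) for n in node[1:])
    if kind == "inlist":
        return event.get(node[1]) in lists.get(node[2], ())
    _, op, field, lit = node
    value = event.get(field)
    if value is None or type(value) is not type(lit):
        return False                           # a missing or differently typed field never matches
    return _OPS[op](value, lit)


def compile_filter(rule_text):
    """Accept filter(<expr>) as shown in the RuleLG preview, or a bare <expr>."""
    text = rule_text.strip()
    if text.startswith("filter(") and text.endswith(")"):
        text = text[len("filter("):-1]
    parser = Parser(tokenize(text))
    tree = parser.expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"trailing input {parser.peek()}")
    return tree


def fire(rule_text, events, lists=None):
    """Ids of the events the simple rule fires on; each event is judged on its own."""
    tree = compile_filter(rule_text)
    return [e["id"] for e in events if evaluate(tree, e, lists or {})]
```

Running fire("filter(e.sev>=4 and e.dip inlist critical)", EVENTS, {"critical": CRITICAL_SERVERS}) over the constructed events fires only for event 3, while the severity-only rule filter(e.sev>=4) fires for events 2 and 3. In this toy grammar and binds tighter than or, so e.st="FW" or e.sev>=4 and e.dip inlist critical fires on every sample event, whereas the parenthesised (e.st="FW" or e.sev>=4) and e.dip inlist critical fires only on the critical server; that is exactly the kind of difference to confirm in the RuleLG preview before saving a rule.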
To create a simple rule:
1. Open the Correlation Rule Manager window and, from the drop-down list, select the folder to which this rule is added.
2. Click the button located in the top left corner of the screen. The Correlation Rule window displays.
3. Select the rule type. In the Simple Rule window, define a condition for this rule: select the Property and Operator values from the drop-down lists and enter the data in the Value field.
4. Click to add additional definitions for this rule. Preview the rule in the RuleLG preview window; for example, filter(e.sev=3). When the rule has several conditions, use the preview to confirm that they are joined the way you intended (“all” yields AND, “any” yields OR).
5. Click to continue. The Update Criteria window displays. Enable the update criteria for the rule to fire and click to continue. The General Description window displays.
6. Provide a name for this rule. You have the option to modify the rule folder.
7. Provide a rule description and click to continue. You have the option to create another rule from this wizard. Select your option and click to complete the wizard.

For trademark and copyright information, see Legal Notices.