Understanding Correlation

Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. Starting with Sentinel 6.0, the Correlation engine is built with a pluggable framework, which allows the addition of new Correlation engines in the future.

Correlation rules define a pattern of events that should trigger, or fire, a rule. Using either the Correlation Rule Wizard or the simple RuleLG language, you can create rules that range from simple to extremely complex, for example:

Two or more of these rules can be combined into one composite rule. The rule definition determines the conditions under which the composite rule fires:

After the rule is defined, it should be deployed to an active Correlation engine, and one or more actions can be associated with it. After the rule is deployed, the Correlation engine processes events from the real-time event stream to determine whether they should trigger any of the active rules.
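As an added illustration (not from the Sentinel documentation and not RuleLG), the following Python sketch of a correlation engine shows a threshold rule and a composite sequence rule processing a constructed event stream; the event fields, rule names, thresholds and windows are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample stream (not from the page): time in seconds, event name, source, user.
EVENTS = [{"t": 0, "name": "FailedLogin", "src": "10.0.0.5", "user": "alice"},
          {"t": 10, "name": "FailedLogin", "src": "10.0.0.5", "user": "alice"},
          {"t": 20, "name": "FailedLogin", "src": "10.0.0.5", "user": "alice"},
          {"t": 25, "name": "FailedLogin", "src": "10.0.0.9", "user": "bob"},
          {"t": 30, "name": "SuccessfulLogin", "src": "10.0.0.5", "user": "alice"}]

class ThresholdRule:  # fires once when `count` matching events share one `key` within `window` s
    def __init__(self, name, match, key, count, window):
        self.name, self.match, self.key, self.count, self.window = name, match, key, count, window
        self.seen = defaultdict(deque)  # key value -> timestamps still inside the window
    def feed(self, ev):
        if self.match(ev):
            q = self.seen[ev[self.key]]
            q.append(ev["t"])
            while ev["t"] - q[0] > self.window:  # slide the window forward
                q.popleft()
            if len(q) >= self.count:
                q.clear()  # one correlated event per burst, not one per extra failure
                return {"t": ev["t"], "name": self.name, "src": ev["src"], "user": ev["user"]}
        return None

class SequenceRule:  # composite: a `first` event, then a `then` event for the same `key` within `window` s
    def __init__(self, name, first, then, key, window):
        self.name, self.first, self.then, self.key, self.window = name, first, then, key, window
        self.pending = {}  # key value -> time at which the first stage matched
    def feed(self, ev):
        if self.first(ev):
            self.pending[ev[self.key]] = ev["t"]
        elif self.then(ev) and ev[self.key] in self.pending:
            if ev["t"] - self.pending.pop(ev[self.key]) <= self.window:  # expired stages are dropped
                return {"t": ev["t"], "name": self.name, "src": ev["src"], "user": ev["user"]}
        return None

def build_rules():  # hypothetical rules for illustration, not Sentinel RuleLG
    return [ThresholdRule("BruteForce", lambda e: e["name"] == "FailedLogin", "src", 3, 60),
            SequenceRule("BruteForceThenSuccess", lambda e: e["name"] == "BruteForce",
                         lambda e: e["name"] == "SuccessfulLogin", "src", 300)]

def run_engine(events, rules):  # correlated events re-enter the stream so composite rules see them
    fired, queue = [], deque(events)
    while queue:
        ev = queue.popleft()
        for rule in rules:
            if out := rule.feed(ev):
                fired.append(out)
                queue.appendleft(out)
    return fired
```

Running `run_engine(EVENTS, build_rules())` yields a `BruteForce` correlated event at t=20 for 10.0.0.5 and, because a successful login from the same source follows within the window, a `BruteForceThenSuccess` event at t=30; bob's single failure fires nothing.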

NOTE: Events that are sent directly to the database or dropped by a global filter are not processed by the Correlation engine.

When a rule fires, a correlated event is sent to the Sentinel Control Center, where it can be viewed in the Active Views window.

Figure 1 Active Views Window

The correlated event can also trigger actions, such as sending an e-mail with the correlated event’s details or creating an incident associated with an iTRAC workflow.
