Using a Dynamic List in a Correlation Rule

Dynamic lists can be referenced in a Correlation rule by using the Custom/Freeform option of the Correlation Rule Wizard. For example:

filter(e.<tagname> inlist <Dynamic List Name>)

Where, e.<tagname> represents a meta tag in the incoming event, such as e.shn (Source Host Name) or e.dip (Destination IP address) <Dynamic List Name> is the name of an existing Dynamic List, such as CriticalServerList

The following instructions assume that a dynamic list already exists.

To add a dynamic list to correlation rule:

  1. Open the Correlation Rule Manager window and select a folder from the drop-down list to which this rule is added.

  2. Click the Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Custom/Freeform Rule.

  3. In the Custom/Freeform Rule window, write the condition for the rule, including the name of the dynamic list. For example, filter(e.sev inlist Severity) where Severity is the dynamic list name.

  4. Click Validate to test the validity of the rule.

  5. After validation of the rule, click Next. The Update Criteria window displays.

  6. Update the criteria for the rule to fire and click Next.

  7. Provide a name for this rule. You have an option to modify the rule folder.

  8. Provide a rule description and click Next.

  9. You have an option to create another rule from this wizard. Select your option and click Next.

NOTE:Users must have the permission to Start/Stop the Correlation engine to perform these actions.

The two states of Correlation engine are:

Table 3 States of the Correlation Engine

States

Icons

Enable

Disable

When the Correlation engine is enabled, it processes active Correlation rules. When it is in a disabled state, all in-memory data is preserved and no new Correlation events are generated. Disabling the Correlation engine does not affect other parts of the Sentinel system.

Correlation rules are stored in the Sentinel database. When you activate the Correlation engine in the Sentinel Control Center, it requests the deployment information and rules from the database. Changes to a rule are not reflected in the Correlation engine until one of the following things happens:

For trademark and copyright information, see Legal Notices.