Using a Dynamic List in a Correlation Rule

Dynamic Lists can be referenced in a Correlation Rule by using the Custom/Freeform option of the Correlation Rule Wizard. For example:

filter(e.<tagname> inlist <Dynamic List Name>)

where

e.<tagname> represents a metatag in the incoming event, such as e.shn (Source Host Name) or e.dip (Destination IP address)

<Dynamic List Name> is the name of an existing Dynamic List, such as CriticalServerList

The rule matches an event when the value of the named metatag is a member of the Dynamic List.
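The following Python script is an added illustration of what the inlist filter does; it is not Sentinel code and does not use the Sentinel API. It parses a filter(e.<tagname> inlist <Dynamic List Name>) expression, checks that the referenced Dynamic List exists (the kind of check the wizard's Validate step performs), and returns the constructed sample events whose metatag value is a member of the list. The list contents, the event records and the string comparison of values are assumptions made for the example.

```python
import re

# Constructed sample Dynamic Lists, standing in for lists defined in the
# Dynamic List window. Values are kept as strings for a simple comparison.
DYNAMIC_LISTS = {
    "CriticalServerList": {"db01.example.internal", "ad01.example.internal"},
    "Severity": {"4", "5"},
}

# Constructed sample events. Keys mimic Sentinel metatag names:
# shn = Source Host Name, dip = Destination IP address, sev = Severity.
EVENTS = [
    {"shn": "db01.example.internal", "dip": "10.0.0.5", "sev": 5},
    {"shn": "ws17.example.internal", "dip": "10.0.0.5", "sev": 2},
    {"shn": "ad01.example.internal", "dip": "192.0.2.9", "sev": 3},
    {"shn": "ws42.example.internal", "dip": "192.0.2.9", "sev": 4},
]

# Only the single-clause form shown in the documentation is recognised here.
FILTER_RE = re.compile(r"^filter\(\s*e\.(\w+)\s+inlist\s+(\w+)\s*\)$")


def parse_filter(rule):
    """Return (tagname, list_name) from a filter(e.<tag> inlist <List>) rule."""
    match = FILTER_RE.match(rule.strip())
    if not match:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return match.group(1), match.group(2)


def validate(rule, lists):
    """Mimic the wizard's Validate step: the syntax must parse and the
    referenced Dynamic List must already exist."""
    tag, list_name = parse_filter(rule)
    if list_name not in lists:
        raise ValueError(f"Dynamic List does not exist: {list_name}")
    return tag, list_name


def matching_events(rule, events, lists):
    """Return the events the rule would match. An event lacking the metatag
    never matches, because a missing value cannot be a list member."""
    tag, list_name = validate(rule, lists)
    members = lists[list_name]
    # Assumption: values are compared by their string form (sev 5 vs "5").
    return [ev for ev in events if tag in ev and str(ev[tag]) in members]


if __name__ == "__main__":
    for rule in ("filter(e.shn inlist CriticalServerList)",
                 "filter(e.sev inlist Severity)"):
        hits = matching_events(rule, EVENTS, DYNAMIC_LISTS)
        print(rule, "->", [ev["shn"] for ev in hits])
```

Running the script prints the two critical servers for the host-name rule and the two high-severity events for the severity rule; a rule that names a list which was never created raises an error rather than silently matching nothing, which is the failure a Validate step is meant to surface before deployment.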

To add a Dynamic List to a correlation rule:

1. In the Dynamic List window, create a dynamic list.

2. Open the Correlation Rules window and, from the drop-down list, select the folder to which this rule will be added.

3. Click the Add button in the top left corner of the screen. The Correlation Rule window is displayed. Select Custom/Freeform Rule.

4. In the Custom/Freeform Rule window, write the condition for the rule, including the name of the dynamic list. For example, filter(e.sev inlist Severity), where Severity is the dynamic list name.

5. Click Validate to test the validity of the rule.

6. On successful validation of the rule, click Next. The Update Criteria window is displayed.

7. Update the criteria for the rule to fire and click Next.

8. Enter a name for this rule. You have the option to modify the rule folder.

9. Enter a rule description and click Next.

10. You have the option to create another rule from this wizard. Select your option and click Next.

NOTE: Users must have the Start/Stop Correlation Engine permission to perform these actions.

The two states of the Correlation Engine are Enable and Disable.

When the Correlation Engine is enabled, it processes active correlation rules. When it is disabled, all of its in-memory data is preserved and no new correlation events are generated. Disabling the Correlation Engine does not affect other parts of the Sentinel system.

Correlation rules are stored in the Sentinel database. When you activate the Correlation Engine in Sentinel Control Center, it requests the deployment information and rules from the database. Changes to a rule will not be reflected in the Correlation Engine until one of the following things happens: