A simple rule is defined by specifying which events can trigger the rule to fire (e.g., firewall events, or firewall events of severity 3 or higher). The filter criteria may be intersected (using the "all" option in the GUI or the "AND" operator in RuleLG) or unioned (using the "any" option in the GUI or the "OR" operator in RuleLG).
For example, a rule might be defined so that it fires anytime an event takes place on a server that is on the critical list. Another rule might be defined to fire anytime an event of severity 4 or greater takes place on a server that is on the critical list.
A simple rule requires only one event in order to fire.
NOTE: For users familiar with the correlation rule language (RuleLG), the defining operator for a simple rule is the "filter" operator. For more information about RuleLG, refer to the Sentinel Correlation Engine RuleLG Language section in the Reference Guide.
NOTE: In Sentinel 6, filter criteria must be defined in the correlation rule wizard. You cannot use existing public filters.
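To make the "all"/"any" distinction concrete, here is an added illustration of the semantics of a simple rule. It is not Sentinel or RuleLG code: it is a small Python evaluator that takes Property/Operator/Value criteria like those entered in the wizard, combines them with AND ("all") or OR ("any"), and tests them against one event at a time. The field names, the critical-server list and the sample events are constructed for the example.

```python
# Added illustration (not Sentinel code): a minimal evaluator for the
# semantics of a "simple" correlation rule -- one event, a set of
# Property/Operator/Value criteria, combined with "all" (AND) or "any" (OR).
# Field names, the critical-server list and the sample events are constructed.
import operator

# Operators offered in the criterion rows, mapped to Python comparisons.
OPERATORS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
}

# Constructed stand-in for the "critical list" of servers.
CRITICAL_SERVERS = {"db01", "dc01"}


def make_criterion(prop, op, value):
    """Return a predicate over an event dict for one Property/Operator/Value row."""
    cmp = OPERATORS[op]

    def pred(event):
        # A missing property never satisfies a criterion.
        return prop in event and cmp(event[prop], value)

    return pred


def critical_host(event):
    """Criterion expressed as list membership: is the event's host on the critical list?"""
    return event.get("host") in CRITICAL_SERVERS


def simple_rule(criteria, match="all"):
    """Build a rule that fires on a single event when its criteria hold.

    match="all" intersects the criteria (AND); match="any" unions them (OR).
    """
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    combine = all if match == "all" else any

    def fires(event):
        return combine(c(event) for c in criteria)

    return fires


# Rules mirroring the text: any event on a critical server, and
# severity-4-or-higher events on a critical server (intersection).
rule_critical_any = simple_rule([critical_host])
rule_critical_sev4 = simple_rule([critical_host, make_criterion("sev", ">=", 4)], match="all")
# The same two criteria unioned: fires on a critical host OR on sev >= 4.
rule_critical_or_sev4 = simple_rule([critical_host, make_criterion("sev", ">=", 4)], match="any")

# Constructed sample events (not real Sentinel events).
EVENTS = [
    {"id": 1, "host": "db01", "sev": 2, "source": "firewall"},
    {"id": 2, "host": "web07", "sev": 5, "source": "firewall"},
    {"id": 3, "host": "dc01", "sev": 4, "source": "ids"},
]


def run_rule(rule, events=EVENTS):
    """Return the ids of the events on which the rule fires."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    print("critical host:       ", run_rule(rule_critical_any))      # [1, 3]
    print("critical AND sev>=4: ", run_rule(rule_critical_sev4))     # [3]
    print("critical OR sev>=4:  ", run_rule(rule_critical_or_sev4))  # [1, 2, 3]
```

Note how the same two criteria fire on one event with "all" but on all three with "any"; when tuning a rule in the wizard, that is the difference between a targeted alert and one that pages on nearly every event.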
To create a simple rule:
Open the Correlation Rules window and, from the drop-down list, select the folder to which this rule will be added.
Click the Add button located on the top left corner of the screen. The Correlation Rule window will display. Select Simple Rule.
In the Simple Rule window, define a condition for this rule. Select the Property and Operator values from the drop-down lists and enter data in the Value field.
Click Add to add additional definitions for this rule.
You can preview the rule in the RuleLG preview window, for example, filter(e.sev=3). Click Next. The Update Criteria window will display.
Update criteria for the rule to fire and click Next. The General Description window will display.
Enter a name for this rule. You have the option to change the rule folder.
Enter a description for the rule and click Next.
You have an option to create another rule from this wizard. Select your option and click Next.