| Feature | Sentinel 5.x | Sentinel 6.1 Rapid Deployment |
|---|---|---|
| Isnull operator | For metatag values equal to null, Sentinel 5.x supported the following syntax: `e.SIP = " "` | Uses the `isnull` operator. Example: `isnull(e.SIP)` |
| SensorType field | SensorType `'W'`. For example: `e.SensorType = "W"` | Sentinel 6.1 Rapid Deployment merges the `'C'` (correlated events) and `'W'` (watchlist events) SensorTypes. All events generated by the Correlation Engine are now labeled `'C'` in this field. For example, Sentinel 5.x rules that include `e.SensorType = "W"` should be updated to `e.SensorType = "C"`. |
| Boolean expressions | The `filter` operation supported the Boolean expressions AND and OR. | The `window` operation supports Boolean expressions.<br>OR: `window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2), 60)`<br>AND: `window(e.evt=w.evt AND e.sun=w.sun, filter(e.sev>2), 60)` |
| Creating a rule from a PUBLIC filter | GUI option | Sentinel 6.1 Rapid Deployment does not have the GUI option to create a rule from a PUBLIC filter. The filter criteria must be defined in the Correlation wizard or in the RuleLG language. |
| Update functionality for rules | Updates to a rule were based on a sliding window tied to the trigger time period. | The update functionality for a rule that is triggered more than once is configurable in Sentinel 6.1 Rapid Deployment. The update functionality is set when the rule is deployed: the rule actions can happen every time the rule is triggered, or they can be set to occur once and then wait for some period of time before the action occurs again. This prevents multiple notifications for a single, ongoing event. |
| IN, NOT IN, and difference operators | | The IN, NOT IN, and difference operators are deprecated. Sentinel 5.x correlation rules using these operators must be modified, either with the Correlation Rule Wizard or in the RuleLG language, before running them in Sentinel 6.1 Rapid Deployment. |
| The e.all metatag | | The e.all metatag has been deprecated. Correlation rules using this metatag should be updated to use specific short tags before running them in Sentinel 6.1 Rapid Deployment. |
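As an added example (not from the Sentinel documentation), a small Python helper that applies the mechanical rewrites in this table to Sentinel 5.x RuleLG text and flags the deprecated constructs that still need manual rework; the regular expressions, the sample rules and the exact spelling of the deprecated operators are assumptions.

```python
import re

# Constructed sample of 5.x-style rule snippets (not taken from any real deployment).
LEGACY_RULES = {
    "null_source": 'filter(e.SIP = " ")',
    "watchlist": 'filter(e.SensorType = "W" AND e.sev > 2)',
    "in_operator": 'filter(e.sun IN ("root", "admin"))',
    "wildcard_tag": 'filter(e.all = "scan")',
    "already_ok": 'window(e.dip=w.dip OR e.sip=w.sip, filter(e.sev>2), 60)',
}

# Rewrites the migration table describes: e.X = " " -> isnull(e.X), SensorType "W" -> "C".
# Straight and curly quotes are both accepted because copied rules often carry either.
NULL_COMPARE = re.compile(r'\b(e\.\w+)\s*=\s*["\u201c]\s*["\u201d]')
WATCHLIST = re.compile(r'(e\.SensorType\s*=\s*)["\u201c]W["\u201d]')

# Deprecated constructs that cannot be rewritten mechanically (assumed spellings).
# "NOT IN" is checked first; the plain "IN" pattern excludes that case.
DEPRECATED = [
    (re.compile(r'\bNOT\s+IN\b'), "NOT IN"),
    (re.compile(r'(?<!NOT )\bIN\b'), "IN"),
    (re.compile(r'\bdifference\b'), "difference"),
    (re.compile(r'\be\.all\b'), "e.all"),
]


def migrate_rule(rule: str):
    """Return (rewritten rule, warnings) for one 5.x rule text."""
    new = NULL_COMPARE.sub(lambda m: f"isnull({m.group(1)})", rule)
    new = WATCHLIST.sub(r'\1"C"', new)
    warnings = [f"uses deprecated {name}; rewrite manually"
                for pattern, name in DEPRECATED if pattern.search(new)]
    return new, warnings


def migrate_all(rules):
    """Migrate a mapping of rule name -> 5.x rule text."""
    return {name: migrate_rule(text) for name, text in rules.items()}


if __name__ == "__main__":
    for name, (text, warnings) in migrate_all(LEGACY_RULES).items():
        print(f"{name}: {text}")
        for w in warnings:
            print(f"  WARNING: {w}")
```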