Rule operations combine subrules into a composite rule. They include:
Gate
Sequence
The gate operation creates a composite rule that identifies a complex situation from the occurrence of several simpler ones.
The composite rule is made up of one or more nested subrules and can be configured to fire if some, any, or all of the subrules fire within a specified time window. A subrule can be a simple rule or another composite rule. For more information on composite rules, see Correlation Tab in the Sentinel 6.1 Rapid Deployment User Guide.
The syntax for gate is:
gate(<subrule 1 rulelg>, <subrule 2 rulelg>…<subrule n rulelg>, <mode>, <evaluation period>, discriminator(<list of tags>))
Where
<subrule 1 rulelg> … <subrule n rulelg> are the rulelg definitions of subrules 1 to n.
<mode> = all | any | 1 | 2 | … | n, the number of subrules that must fire for the gate rule to fire.
<evaluation period> specifies how long past events matching the subrules are retained, in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed. The subrules must all fire within this period.
discriminator(<list of tags>) lists the event fields to group by. The subrules count toward the gate only when they fire on events that share the same values of these fields.
For example, this rule is a typical perimeter security IDS inside/outside rule. It fires when an event with severity above 3 for the same destination IP and event name is reported by both the "in" and the "out" sensor (e.sn) within 60 seconds:
filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))
Sequence rules are similar to gate rules, except that all subrules must fire, in the order in which they are listed, within the evaluation period for the sequence rule to fire. Matches that arrive out of order do not count.
A subrule can be a simple rule or another composite rule.
The syntax for sequence is:
sequence(<subrule 1 rulelg>, <subrule 2 rulelg>…<subrule n rulelg>, <evaluation period>, discriminator(<list of tags>))
Where
<subrule 1 rulelg> … <subrule n rulelg> are the rulelg definitions of subrules 1 to n, in the order in which they must fire.
<evaluation period> is the time, in seconds (s), minutes (m), or hours (h), within which all subrules must fire, counted from the first subrule firing.
discriminator(<list of tags>) lists the event fields to group by. Only subrule firings on events that share the same values of these fields are chained into one sequence.
For example, this rule detects three failed logins by a particular user against a particular host within 10 minutes, followed within 10 minutes by a successful login by the same user on the same host. Note that the inner trigger and the outer sequence use the same discriminator (e.sun, e.dip), so the failures and the success are correlated per user and destination:
sequence(filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)), filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))
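To make the gate and sequence semantics concrete, here is an added example (not Sentinel code and not part of the original page) that models filter, trigger, gate and sequence as small Python classes and runs both rules from this page over constructed event lists. The event field names (t, evt, sun, dip, sn, sev) and the "exploit-x" event name are assumptions chosen to mirror the RuleLG tags; the windowing and reset behaviour is an approximation of the semantics described above, not the engine's actual implementation.

```python
"""Toy evaluator for gate() and sequence() composite rules.

Added illustration, not Sentinel code. Events are dicts with an integer
timestamp 't' (seconds) plus fields named after the RuleLG tags.
All sample events below are constructed.
"""
from collections import defaultdict, deque


class Filter:
    """filter(<predicate>): fires on every event satisfying the predicate."""
    def __init__(self, pred):
        self.pred = pred

    def feed(self, ev):
        return self.pred(ev)


class Trigger:
    """filter(...) flow trigger(count, window, discriminator(...)): fires when
    `count` matching events with equal discriminator values occur within `window` s."""
    def __init__(self, inner, count, window, disc):
        self.inner, self.count, self.window, self.disc = inner, count, window, disc
        self.seen = defaultdict(deque)         # group -> recent match timestamps

    def feed(self, ev):
        if not self.inner.feed(ev):
            return False
        q = self.seen[tuple(ev.get(f) for f in self.disc)]
        q.append(ev["t"])
        while ev["t"] - q[0] > self.window:    # drop matches that fell out of the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                          # fire once per burst
            return True
        return False


class Gate:
    """gate(sub1..subN, mode, window, discriminator(...)): fires when `mode` (all | any | n)
    distinct subrules have fired for the same discriminator values within `window` s."""
    def __init__(self, subrules, mode, window, disc):
        self.subrules, self.window, self.disc = subrules, window, disc
        self.required = {"all": len(subrules), "any": 1}.get(mode, mode)
        self.last = defaultdict(dict)          # group -> {subrule index: last fire time}

    def feed(self, ev):
        fired = [i for i, s in enumerate(self.subrules) if s.feed(ev)]  # every subrule sees every event
        state = self.last[tuple(ev.get(f) for f in self.disc)]
        for i in fired:
            state[i] = ev["t"]
        live = [i for i, t in state.items() if ev["t"] - t <= self.window]
        if fired and len(live) >= self.required:
            state.clear()
            return True
        return False


class Sequence:
    """sequence(sub1..subN, window, discriminator(...)): fires when the subrules fire in the
    listed order, for the same discriminator values, all within `window` s of the first."""
    def __init__(self, subrules, window, disc):
        self.subrules, self.window, self.disc = subrules, window, disc
        self.state = defaultdict(lambda: [0, None])   # group -> [next stage, start time]

    def feed(self, ev):
        fired = [s.feed(ev) for s in self.subrules]   # stateful subrules need every event
        key = tuple(ev.get(f) for f in self.disc)
        stage, start = self.state[key]
        if start is not None and ev["t"] - start > self.window:
            stage, start = 0, None                    # window expired: start over
        if fired[stage]:                              # out-of-order matches are ignored
            start = ev["t"] if stage == 0 else start
            stage += 1
        if stage == len(self.subrules):
            self.state[key] = [0, None]
            return True
        self.state[key] = [stage, start]
        return False


def run(rule, events):
    """Feed events to a rule in time order; return the timestamps at which it fired."""
    return [ev["t"] for ev in sorted(events, key=lambda e: e["t"]) if rule.feed(ev)]


def failed_then_good_login():
    """The page's sequence rule: 3 failed logins per (user, host) in 600 s, then a good login."""
    failed = Trigger(Filter(lambda e: e["evt"] == "failed logins"), 3, 600, ("sun", "dip"))
    good = Filter(lambda e: e["evt"] == "goodlogin")
    return Sequence([failed, good], 600, ("sun", "dip"))


def run_ids_gate(events):
    """The page's gate rule: filter(e.sev > 3) flow gate(in, out, all, 60s, discriminator(dip, evt))."""
    gate = Gate([Filter(lambda e: e["sn"] == "in"), Filter(lambda e: e["sn"] == "out")],
                "all", 60, ("dip", "evt"))
    return run(gate, [e for e in events if e["sev"] > 3])   # the leading severity filter


LOGIN_EVENTS = [  # constructed sample
    {"t": 0,   "evt": "failed logins", "sun": "alice", "dip": "10.0.0.5"},
    {"t": 100, "evt": "failed logins", "sun": "alice", "dip": "10.0.0.5"},
    {"t": 200, "evt": "failed logins", "sun": "bob",   "dip": "10.0.0.5"},  # other user, not counted
    {"t": 300, "evt": "failed logins", "sun": "alice", "dip": "10.0.0.5"},  # third failure: trigger fires
    {"t": 400, "evt": "goodlogin",     "sun": "alice", "dip": "10.0.0.5"},  # sequence fires here
    {"t": 500, "evt": "goodlogin",     "sun": "bob",   "dip": "10.0.0.5"},  # bob never reached 3
]

IDS_EVENTS = [  # constructed sample
    {"t": 0,   "sev": 5, "sn": "out", "dip": "10.0.0.9", "evt": "exploit-x"},
    {"t": 30,  "sev": 5, "sn": "in",  "dip": "10.0.0.9", "evt": "exploit-x"},  # both sensors within 60 s
    {"t": 200, "sev": 5, "sn": "out", "dip": "10.0.0.7", "evt": "exploit-x"},
    {"t": 300, "sev": 5, "sn": "in",  "dip": "10.0.0.7", "evt": "exploit-x"},  # 100 s apart: no fire
    {"t": 350, "sev": 2, "sn": "out", "dip": "10.0.0.7", "evt": "exploit-x"},  # dropped by sev filter
]
```

`run(failed_then_good_login(), LOGIN_EVENTS)` fires once, at the alice good login, and `run_ids_gate(IDS_EVENTS)` fires once, when the inside sensor confirms the outside sensor's event. Moving alice's good login to t=1000 (700 s after the third failure) produces no firing, which is the evaluation-period behaviour the sequence syntax describes.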