Sentinel's correlation algorithm computes correlated events by analyzing the data stream in real time. It publishes the correlated events based on user-defined rules before the events reach the database. Rules in the correlation engine can detect a pattern in a single event of a running window of events. When a match is detected, the correlation engine generates a correlated event describing the found pattern and may create an incident or trigger a remediation workflow through iTRAC. The correlation engine works with a rules checker component which computes the correlation rule expressions and validates syntax of filters. In addition to providing a comprehensive set of correlation rules, Sentinel's correlation engine provides specific advantages over database-centric correlation engines.
By relying on in-memory processing rather than database inserts and reads, the correlation engine performs during high steady-state volumes as well as during event spikes when under attack, the time when correlation performance is most critical.
Correlation volume does not slow down other system components, so the user interface remains responsive, especially with high event volumes.
Distributed correlation: Organizations can deploy multiple correlation engines, each on its own server, without the need to replicate configurations or add databases. Independent scaling of components provides cost-effective scalability and performance.
The correlation engine can add events to incidents after an incident has been determined.
Users are encouraged to measure a metric called Event Rules per Second (ERPS). ERPS is the measure of the number of events that can be examined by a correlation rule per second. This measure is a good performance indicator as it estimates the impact on performance when two factors intersect: events per second and number of rules in use.
Dynamic Lists: Dynamic lists are distributed list structures that may be used for storing elements and performing fast lookups on those elements. These lists can store a set of strings such as IP addresses, server names or usernames. Examples of dynamic lists include:
Terminated user list
Suspicious user watch list
Privileged user watch list
Authorized ports and services list
Authorized server list
In all cases, correlation rules may reference named dynamic lists to perform lookups on list members. For example, a rule may be written to identify a file access event from a user who is not a member of the Authorized Users list. Additionally, correlation actions integrate with the dynamic list module to add or remove elements from a list. The combination of lookups and automated actions on the same list provides a powerful feedback mechanism used to identify complex situations.