
Creating custom correlation rules

The correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See “About creating the right rule set for your business” on page 85.

You can create correlation rules from the Rules view of the console of the Information Manager client.

See “About correlation rules” on page 87.

The process for creating the correlation rules is as follows:

Define a name for the rule.

See “To define a name for the rule” on page 101.

Configure the rule conditions.

See “To configure the rule conditions” on page 101.

Configure the rule action.

See “To configure the rule actions” on page 102.

Deploy the rule on the server.

See “To deploy the rule on the server” on page 104.

To define a name for the rule

1 On the Information Manager console, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

You can now define a rule condition. A conclusion is generated if the set of events satisfies the defined conditions.

Note: You can configure multi-conditioned rules. Multi-conditioning lets you define rules that support up to five user activities in a sequence. A conclusion is generated when the specified pattern is detected, in sequence, for one combination of one-to-many fields within a specified time period.

See “Creating a multicondition rule” on page 104.

To configure the rule conditions

1 On the Conditions tab, in the Description window, type a description for the rule.

2 On Conditions > Rule Type, click the entry that best matches the type of event and target combination that applies to the new rule.

For example, to declare an incident whenever a specific event is detected, select Single Event. To declare an incident after a specific number of events are detected from a specific IP address, select Many Targets, One Source.

See “About rule types” on page 89.

3 In the Event Criteria area, click Add.

4 Select the left column of the new entry, and then choose an event field.

5 Select the center column and specify the operator.

6 Select the right column. Based on the operator that you chose, specify the value that must be true for the event type.

7 Repeat steps 3 through 6 for any other event criteria that you want applied to the rule.

You can select multiple event criteria and apply logical operators (AND/OR) to them.

8 In Event Count, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

events of a specific type must occur within 60 minutes, before an incident is declared.

10 In Table Size, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting. The Table Size setting divided by the Event Count setting is equal to the maximum number of event groups that the rule can manage.

11 In the Tracking Keys area, specify the fields to include in the incident. This field can be any of the One-Many, Many-One, or Tracking fields that are associated with the incident.

You can now define the rule actions. A conclusion is generated if the set of events satisfies the defined conditions.

Note: You can create rules to detect threats based on the absence of the events that you expect to occur.

See “Creating a correlation rule based on the X not followed by Y rule type” on page 107.
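The Event Count, Time Span, Table Size and Tracking Keys settings from the procedure above interact in a way the steps describe only one field at a time. The Python model below is an added illustration and not Information Manager code: it groups matching events by tracking key, generates a conclusion when Event Count matches fall inside the time span (60 minutes here), and holds at most Table Size divided by Event Count groups. The sample events, the field names and the eviction policy used when the table is full are assumptions.

```python
from collections import OrderedDict

# Constructed sample events (not from the manual): minutes since start,
# source address, target address and event type.
SAMPLE_EVENTS = [
    {"time": 0,  "src": "10.0.0.5", "dst": "10.0.1.1", "type": "failed_login"},
    {"time": 10, "src": "10.0.0.5", "dst": "10.0.1.2", "type": "failed_login"},
    {"time": 12, "src": "10.0.0.9", "dst": "10.0.1.1", "type": "failed_login"},
    {"time": 20, "src": "10.0.0.5", "dst": "10.0.1.3", "type": "failed_login"},
    {"time": 25, "src": "10.0.0.5", "dst": "10.0.1.4", "type": "port_scan"},
    {"time": 30, "src": "10.0.0.5", "dst": "10.0.1.4", "type": "failed_login"},
    {"time": 55, "src": "10.0.0.5", "dst": "10.0.1.5", "type": "failed_login"},
    {"time": 80, "src": "10.0.0.9", "dst": "10.0.1.2", "type": "failed_login"},
]

class CountingRule:
    def __init__(self, name, criteria, event_count, time_span, table_size, tracking_keys):
        self.name, self.criteria = name, criteria      # criteria: event -> bool (Event Criteria)
        self.event_count, self.time_span = event_count, time_span  # Time Span in minutes
        self.max_groups = table_size // event_count    # Table Size / Event Count groups
        self.tracking_keys = tracking_keys             # Tracking Keys that define a group
        self.groups = OrderedDict()                    # tracking key -> match timestamps

    def process(self, event):
        """Feed one event; return a conclusion dict when the threshold is met."""
        if not self.criteria(event):
            return None
        key, now = tuple(event[k] for k in self.tracking_keys), event["time"]
        if key not in self.groups:
            # Table full: evict the least recently updated group (assumed policy;
            # the manual states only how many groups the table holds).
            if len(self.groups) >= self.max_groups:
                self.groups.popitem(last=False)
            self.groups[key] = []
        self.groups.move_to_end(key)
        # Keep only matches inside the sliding time span, then add this one.
        self.groups[key] = bucket = [t for t in self.groups[key] if now - t < self.time_span] + [now]
        if len(bucket) < self.event_count:
            return None
        del self.groups[key]  # the group is consumed by the conclusion
        return {"rule": self.name, **dict(zip(self.tracking_keys, key)),
                "count": len(bucket), "last_event": event}

def run_rule(rule, events):
    return [c for c in map(rule.process, events) if c is not None]

def demo():
    rule = CountingRule("Repeated failed logins from one source", lambda e: e["type"] == "failed_login",
                        event_count=5, time_span=60, table_size=50, tracking_keys=["src"])
    return run_rule(rule, SAMPLE_EVENTS)
```

Running demo() yields one conclusion for 10.0.0.5 (five matches within 55 minutes); 10.0.0.9 never reaches the count because its first match has aged out of the 60 minute span by the time the second arrives.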

To configure the rule actions

1 On the Actions tab, check Alerting Incident (not a Security Incident) to specify that an incident is an alert incident and not a security incident.

Alerting incidents notify about a situation that requires your attention if there is a discrepancy on a system.

Security incidents notify about a situation where there is a potential threat due to a security breach in the organization.

2 From the Severity options, select the severity that you want to be associated with the incident.

3 In the Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets based upon the incidents that this rule triggers.

(Optional) Click Add (+) to include the fields from the final event that triggered the conclusion. When a conclusion is generated, these fields are replaced with their corresponding values in the description.

4 (Optional) Click Remediation to populate the Custom Remediation library for this conclusion and to instruct the analysts with a remedy that is specific for your organization.

5 In the Correlate By list box, select the method by which conclusions are grouped into incidents.

6 If you selected Resource and Conclusion Type from the Correlate By list box, you can select a field in Resource Field. This field is used to correlate conclusions within an incident. Conclusions can be correlated together into incidents based on the value of the resource field.

7 To specify that a user or team is automatically assigned to incidents that this rule creates, do the following:

Turn on Enable Auto Assign and then click Add.

If you want to assign incidents based upon the IP address of the affected target computer, in the left column select IP Address or Network options.

Any Address is the default option. Retain the default option to ensure that all the occurrences of the incident get assigned irrespective of the IP address.

To assign incidents to an individual user, in the User column, select the user who should be assigned with the incidents.

To assign incidents to a group of users, in the User Group column, select the team that should be assigned with the incidents.

At any time, you can click Clear to clear the selections.

If you want to automatically assign incidents to the least busy member in a user group, check Assign to least busy user and then select the corresponding user group.

8 In the Notification area, check Enable if you want to notify users about the incident activity.

If you want to notify users only when an incident is created, check Send notification for incident creation only.

9 Click Recipients to select the method of notification for each recipient. The options are Email Address Entry, User, User Group, Syslog, and SNMP Trap.

Once the method of notification is selected, you are prompted to enter details corresponding to the option that you selected.

After you specify the condition and the action, you can test the rule and then deploy it on the server.

To deploy the rule on the server

then click Start Test.

2 When you are satisfied with the incidents and the conclusions that the rule creates, turn on the rule in the Rules list.

3 On the top toolbar, click Deploy to the server.

See “Enabling and disabling rules” on page 115.