NetIQ Sentinel 7.4 Correlation Server
NetIQ Sentinel 8.0 Correlation Server
This is a list of general considerations when creating and monitoring correlation rules in Sentinel.
1. Try not to create correlation rules whose filters require the message field to match a regular expression. Using a regex operator against the message field can be very costly.
2. If you are creating multiple complex correlation rules, spread out the deployment so that the health of Sentinel can be monitored along the way.
3. Test new correlation rules in a lab or development environment before deployment.
4. Only create correlation rules that are useful and relevant.
5. The rule should not generate undue noise. Think about how many correlated events you can reasonably respond to during the course of your daily activities.
6. The correlation rule/alert should clearly match a security condition, either a known security problem or a potential policy violation.
7. Correlation rules are not simply there to populate report data; each and every one of these rules is designed to present an alert to the user. As such, rules need to meet a certain bar in order to be considered useful/relevant in the Sentinel system.
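The following is an added example, not NetIQ/Sentinel code and not written in Sentinel's own rule language; it illustrates the point behind item 1 in plain Python. A rule that runs a regex against every event's message field pays the regex cost once per event, whereas a rule that first checks cheap structured fields (here an assumed event name and severity) and only then applies the regex to the survivors finds the same matches with far fewer regex evaluations. The event fields and the sample events are constructed for this example and are not Sentinel's schema.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal stand-in for a correlation-engine event (constructed; not the Sentinel schema)."""
    event_name: str
    severity: int
    message: str

# Constructed sample events. Field names and values are assumptions for illustration.
SAMPLE_EVENTS = [
    Event("ProcessStart", 2, "Process started: C:\\Windows\\System32\\svchost.exe"),
    Event("AuthFailure", 4, "Failed password for admin from 10.0.0.5 port 51234 ssh2"),
    Event("AuthFailure", 4, "Failed password for invalid user root from 10.0.0.9"),
    Event("FileAccess", 1, "Read access to /var/log/messages by syslog"),
    Event("AuthSuccess", 2, "Accepted publickey for deploy from 10.0.0.7"),
    Event("AuthFailure", 3, "Failed password for alice from 192.168.1.20 port 2222"),
]

# Hypothetical detection content: a failed logon for a privileged account name.
PRIV_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?:admin|root)\b")

class RegexCounter:
    """Wraps a compiled pattern and counts how many times it is actually evaluated."""
    def __init__(self, pattern):
        self.pattern = pattern
        self.calls = 0

    def search(self, text):
        self.calls += 1
        return self.pattern.search(text)

def match_regex_only(events, rx):
    """Costly rule shape: the regex is applied to every event's message field."""
    return [e for e in events if rx.search(e.message)]

def match_gated(events, rx):
    """Preferred rule shape: cheap structured-field checks first; the regex runs only on
    events that pass them (Python's 'and' short-circuits, so rx.search is skipped otherwise)."""
    return [
        e for e in events
        if e.event_name == "AuthFailure" and e.severity >= 3 and rx.search(e.message)
    ]

def compare(events=SAMPLE_EVENTS):
    """Run both rule shapes over the same events and report hits and regex evaluations."""
    naive = RegexCounter(PRIV_FAIL_RE)
    gated = RegexCounter(PRIV_FAIL_RE)
    naive_hits = match_regex_only(events, naive)
    gated_hits = match_gated(events, gated)
    return {
        "naive_hits": len(naive_hits),
        "naive_regex_evals": naive.calls,
        "gated_hits": len(gated_hits),
        "gated_regex_evals": gated.calls,
    }

if __name__ == "__main__":
    # Both shapes find the same two events; the gated rule evaluates the regex 3 times, not 6.
    print(compare())
```

On the six constructed events both rule shapes return the same two hits, but the gated version evaluates the regex only on the three events that already satisfy the structured-field checks. In a production engine the same principle applies at scale: narrow the candidate set with indexed, exact-match fields before any free-text regex is consulted, and keep the regex anchored and specific.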