Best practices when configuring correlation rules

  • 7018799
  • 11-Apr-2017
  • 01-Nov-2017


NetIQ Sentinel 7.4 Correlation Server
NetIQ Sentinel 8.0 Correlation Server


This is a list of general considerations when creating and monitoring correlation rules in Sentinel.


1.Try not to  create correlation rules that have filters that call for the message field to match a regular expression value. Using a regex operator against the message field can be very costly. 

2.If you are creating multiple complex correlation rules, spread out the deployment so that the health of Sentinel can be monitored along the way.

 3.Test new correlation rules in lab or development environment before deployment.

4.Only create correlation rules that are useful and relevant.

5. The rule should not generate undue noise. Think about how many correlated events you can reasonable respond to during the course of your daily activities.

 6.The correlation rule/alert should clearly match a security condition, either a known security problem or a potential policy violation.

 7.The correlation rules are not simply to populate report data, but each and every one of these rules are designed to present an alert to the user. As such, rules will need to meet a certain bar in order to be considered useful/relevant in the Sentinel System.