mmarchese

Clear queue correlation buffer after action is triggered


Hello,

We are developing a custom action and we are facing the following
problem:

The correlation rule waits for two similar events within 2 minutes. When
2 events occur in less than 2 minutes, the action is triggered. However, if
a 3rd event occurs in less than 2 minutes after the second one, the
action is triggered again. We need this not to happen.

Is there a way to clear the correlation buffer after action is
triggered?

Thanks in advance


--
mmarchese
------------------------------------------------------------------------
mmarchese's Profile: https://forums.netiq.com/member.php?userid=1311
View this thread: https://forums.netiq.com/showthread.php?t=53742

Knowledge Partner

Re: Clear queue correlation buffer after action is triggered

There is a setting on every Correlation Rule that lets you determine how
long, after an event fires, the rule will wait until it fires again. It's
under the right-hand panel where you can also set actions, as I recall, in
7.3, and is part of the 'Action Execution Criteria'.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
cnrossi

Re: Clear queue correlation buffer after action is triggered


But in that case, does it evaluate the "group by" criteria? What happens if a
rule groups by username and different users reach the correlation conditions
before the waiting time is complete?

I can give an example if you need.


ab;258319 Wrote:
> There is a setting on every Correlation Rule that lets you determine how
> long, after an event fires, the rule will wait until it fires again. It's
> under the right-hand panel where you can also set actions, as I recall, in
> 7.3, and is part of the 'Action Execution Criteria'.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...



--
cnrossi
------------------------------------------------------------------------
cnrossi's Profile: https://forums.netiq.com/member.php?userid=937

Knowledge Partner

Re: Clear queue correlation buffer after action is triggered

This came up somewhere recently, and I think the answer was 'yes', but I
have not tested it lately myself.

If not, using Alerting may be another way to have the same result, as an
alert should group by fields that make sense (and you can customize them)
and then multiple events could roll up into a single alert (assuming
Sentinel 7.3, when the new Alerts were introduced).

Another option may be to have an action from your rule insert the
discriminated-upon data into a dynamic list, and then have your
correlation rule logic test for that value in the dynamic list. If there,
do not fire. Dynamic list values can have expirations, so after some
period of time (an hour) they automatically go away.

--
Good luck.

mmarchese

Re: Clear queue correlation buffer after action is triggered


Hi ab,

Which would be the best way to manage dynamic list items from inside a
custom action? Is there any example?

Thanks in advance

ab;258323 Wrote:
> This came up somewhere recently, and I think the answer was 'yes', but I
> have not tested it lately myself.
>
> If not, using Alerting may be another way to have the same result, as an
> alert should group by fields that make sense (and you can customize them)
> and then multiple events could roll up into a single alert (assuming
> Sentinel 7.3, when the new Alerts were introduced).
>
> Another option may be to have an action from your rule insert the
> discriminated-upon data into a dynamic list, and then have your
> correlation rule logic test for that value in the dynamic list. If there,
> do not fire. Dynamic list values can have expirations, so after some
> period of time (an hour) they automatically go away.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...



--
mmarchese

Knowledge Partner

Re: Clear queue correlation buffer after action is triggered

Some of the default, but maybe not deployed, correlation rules use Dynamic
lists. Looking just now I found the Write to Map action, which may
interest you:

Documentation link:
https://www.netiq.com/support/sentinel/plugins/prod/actions/WriteToMap_2011.1r2.pdf

This should already be present within Sentinel, but you may need to tweak
it for your own uses (I have not tried).

--
Good luck.

cnrossi

Re: Clear queue correlation buffer after action is triggered


Hi ab, we have tried your last suggestion (add processed events to a
dynamic list and check at the correlation rule that the eventId is not in that
dynamic list) but it doesn't work if you trigger several events in a
very short period of time. Maybe it is a race condition problem. What we
are doing right now is checking it at the correlation rule level and
also at the beginning of the Action logic. The problem is that the
correlation rule is triggered (and logged) but sometimes no action is
taken. I guess it is a very simple use case like "notify me for every
group of X events of that type" where the trigger is the count() inside
a time frame.


--
cnrossi
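As an added illustration (it is not code from this thread, from Sentinel or from any Sentinel plugin), the Python toy below models the behaviour the thread discusses: a count-within-window rule that re-fires on every additional event, the per-fire wait from the first reply (assumed here to be applied per group-by key, which is exactly the open question in the thread), and the dynamic-list suppression suggested later, including a late-completing action that lets a second fire slip through before the list is updated, as described in the last reply. The DynamicList class, the rule parameters, the user names and the event timings are all constructed for the example.

```python
"""Toy model of a count-within-window correlation rule and three ways to keep it
from re-firing on every extra event. Hypothetical simulation, not Sentinel code."""
from collections import defaultdict, deque

WINDOW = 120      # seconds: "2 similar events within 2 minutes"
THRESHOLD = 2


class DynamicList:
    """Stand-in for a dynamic list whose values expire (hypothetical API)."""

    def __init__(self):
        self._expiry = {}          # value -> absolute expiry time

    def add(self, value, now, ttl):
        self._expiry[value] = now + ttl

    def contains(self, value, now):
        exp = self._expiry.get(value)
        if exp is None:
            return False
        if exp <= now:             # expired values behave as if absent
            del self._expiry[value]
            return False
        return True


class CorrelationRule:
    """Fires when >= threshold events for one group key fall inside the window.

    cooldown      seconds after a fire during which that group cannot fire again
                  (models the 'Action Execution Criteria' wait; assumed per group).
    suppress      DynamicList the action writes the group key into; the rule does
                  not fire for a key already present (the dynamic-list approach).
    async_action  run the action only after the *next* event has been evaluated,
                  modelling an action that completes late.
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD, cooldown=0,
                 suppress=None, suppress_ttl=3600, async_action=False):
        self.window, self.threshold, self.cooldown = window, threshold, cooldown
        self.suppress, self.suppress_ttl = suppress, suppress_ttl
        self.async_action = async_action
        self._buffers = defaultdict(deque)   # group key -> event times in window
        self._last_fire = {}                 # group key -> time of last fire
        self._pending = []                   # deferred (key, time) actions

    def _run_action(self, key, now):
        if self.suppress is not None:
            self.suppress.add(key, now, self.suppress_ttl)

    def _evaluate(self, now, key):
        buf = self._buffers[key]
        buf.append(now)
        while now - buf[0] > self.window:    # drop events that left the window
            buf.popleft()
        if len(buf) < self.threshold:
            return False
        if self.suppress is not None and self.suppress.contains(key, now):
            return False
        last = self._last_fire.get(key)
        if last is not None and now - last < self.cooldown:
            return False
        self._last_fire[key] = now
        if self.async_action:
            self._pending.append((key, now))
        else:
            self._run_action(key, now)
        return True

    def process(self, now, key):
        """Evaluate one event; return True if the rule fires (action triggered)."""
        earlier, self._pending = self._pending, []
        fired = self._evaluate(now, key)
        # Actions queued by earlier events complete only now, after this event
        # was evaluated without seeing their dynamic-list writes: the race window.
        for k, t in earlier:
            self._run_action(k, t)
        return fired


def run(rule, events):
    return [rule.process(t, k) for t, k in events]


# Constructed input: one user produces events at 0s, 60s, 100s and 200s.
BURST = [(0, "alice"), (60, "alice"), (100, "alice"), (200, "alice")]
# Constructed input: two users whose bursts overlap in time.
TWO_USERS = [(0, "alice"), (60, "alice"), (70, "bob"), (90, "bob")]


def scenario_baseline():          # fires at 60, 100 and 200: the reported problem
    return run(CorrelationRule(), BURST)

def scenario_cooldown():          # the 100s event is suppressed; 200s fires again
    return run(CorrelationRule(cooldown=120), BURST)

def scenario_groups():            # bob's group fires despite alice's cooldown
    return run(CorrelationRule(cooldown=120), TWO_USERS)

def scenario_dynamic_list(async_action=False):
    return run(CorrelationRule(suppress=DynamicList(), async_action=async_action), BURST)


if __name__ == "__main__":
    print("baseline          ", scenario_baseline())
    print("cooldown 120s     ", scenario_cooldown())
    print("cooldown per group", scenario_groups())
    print("dynamic list      ", scenario_dynamic_list())
    print("dynamic list, late", scenario_dynamic_list(async_action=True))
```

With a synchronous action the dynamic list suppresses the third and fourth events just like the cooldown does; with the action completing late, the 100s event is evaluated before the list contains the key and the rule fires twice, which is the double notification described above. Checking the list again at the start of the action only helps if the list write itself is visible to the next evaluation in time.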
