Greetings All,

As part of our Sentinel migration from SM we need to replicate the
ability to allow SQL 2008 to gather specific events and report them in
SharePoint. In SM, they have created rules that create alerts for the
events they wish to see, and have an external pull of those alerts into a
scratch DB where it is cleaned up and made available to SharePoint.

As part of our transition from SM to Sentinel we have forwarded our
events from SM to Sentinel and I have in turn created a data
synchronization rule "(rv32:"INCM") AND pn:"NetIQ Security Manager")
NOT (st:"I" NOT st:"A" NOT st:"P")" to basically send the same SM alert
information from Sentinel to SharePoint.

My Questions are:

- Is there a way for a correlation rule to send correlated events to
SQL 2008 by an action rather than listing them in the Sentinel UI?
- If not by an action, is there a way for a correlation rule to TAG
event triggers rather than creating a new event, so I can use the TAG
to route events to an external SQL server?
- Can the "inlist" function used in correlation rules be used in
searches or data synchronization rules? Example: (rv40 inlist
Event_IDs). I have tried this with erratic results.

I am trying to limit the use of Correlation Rules in Sentinel to
actionable events, not tagging data that is meant for external reporting,
if that makes sense. As always, many thanks in advance for your input
and help.


abel5405's Profile:
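The routing the post describes (filter the SM-originated alerts, drop them into a scratch table, expose a cleaned-up view for SharePoint), as an added example that is not part of the original post and is not NetIQ's or Sentinel's own code. It does not use Sentinel's query engine or any Sentinel API: the posted data synchronization filter is rewritten by hand as a Python predicate, assuming Lucene-style AND/NOT semantics, and the "inlist" check is written as plain set membership. SQLite stands in for SQL Server 2008, the sample events are constructed, and the field names (`evt_id`), table name and the `EVENT_IDS` list are assumptions for illustration.

```python
import sqlite3

# Constructed sample events for illustration only (not real Sentinel or SM data).
# Keys mirror the short field names in the posted query (rv32, pn, st); the
# meaning of each field and the "evt_id" name are assumptions for this example.
SAMPLE_EVENTS = [
    {"evt_id": "4625", "rv32": "INCM", "pn": "NetIQ Security Manager", "st": "A", "msg": "failed logon"},
    {"evt_id": "4624", "rv32": "INCM", "pn": "NetIQ Security Manager", "st": "I", "msg": "internal"},
    {"evt_id": "4720", "rv32": "",     "pn": "NetIQ Security Manager", "st": "A", "msg": "user created"},
    {"evt_id": "4625", "rv32": "INCM", "pn": "Other Product",          "st": "A", "msg": "failed logon"},
    {"evt_id": "9999", "rv32": "INCM", "pn": "NetIQ Security Manager", "st": "P", "msg": "perf counter"},
]

# Assumed allow-list standing in for the "Event_IDs" list mentioned in the post.
EVENT_IDS = {"4624", "4625", "4720"}


def matches_sync_rule(event):
    """Hand-written equivalent of the posted filter:
       (rv32:"INCM") AND pn:"NetIQ Security Manager" NOT (st:"I" NOT st:"A" NOT st:"P")
    Assuming Lucene-style semantics (a NOT b NOT c == a AND NOT b AND NOT c), the
    parenthesised clause reduces to st == "I", because an event whose st is "I"
    cannot also be "A" or "P". The rule therefore keeps INCM events from SM whose
    st is anything other than "I"."""
    return (
        event.get("rv32") == "INCM"
        and event.get("pn") == "NetIQ Security Manager"
        and event.get("st") != "I"
    )


def in_list(event, field, values):
    """Explicit equivalent of '<field> inlist <values>' as a set-membership test."""
    return event.get(field) in values


def route_to_scratch_db(events, event_ids, conn=None):
    """Apply the sync rule plus the inlist check and write the survivors to a
    scratch table. Returns (connection, rows_inserted). SQLite stands in for
    SQL 2008 here; the table name and columns are assumptions."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS sm_alerts ("
        "evt_id TEXT, product TEXT, sensor_type TEXT, message TEXT)"
    )
    rows = [
        (e["evt_id"], e["pn"], e["st"], e["msg"])
        for e in events
        if matches_sync_rule(e) and in_list(e, "evt_id", event_ids)
    ]
    # Parameterised insert: event text never becomes part of the SQL statement.
    conn.executemany("INSERT INTO sm_alerts VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn, len(rows)


def alerts_for_sharepoint(conn):
    """The cleaned-up view a SharePoint pull would read: distinct ID and message."""
    cur = conn.execute("SELECT DISTINCT evt_id, message FROM sm_alerts ORDER BY evt_id")
    return cur.fetchall()


if __name__ == "__main__":
    conn, n = route_to_scratch_db(SAMPLE_EVENTS, EVENT_IDS)
    print(f"{n} alert(s) routed to scratch DB")
    for row in alerts_for_sharepoint(conn):
        print(row)
```

Of the five constructed events, two pass the sync rule (the "I"-typed event and the two with a wrong rv32 or pn are dropped), and only one of those also has an ID in the allow-list, so one row reaches the scratch table. Writing the filter out this way makes the precedence of the NOT clauses visible, which is worth checking before relying on the same expression inside a data synchronization rule.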