Working with Correlation Lists

A Correlation List consists of multiple values, such as Classification Tags or Normalized-Message fields (e.g. IP addresses, port numbers, etc.). In the properties of a Decision in a Correlation Rule (see Defining a Correlation Rule), you can define a condition with a Correlation List as the specified value for a Normalized-Message field. If the rule correlates a Normalized Message that has one of the values specified by the Correlation List, and the message satisfies the condition's criteria, the message passes the condition.

A Dynamic Correlation List is a Correlation List consisting of items that are automatically updated by TLC when related data is changed on another system (known as the source system). To create Dynamic Correlation Lists for a source system, you must first create a connection with the source system by adding it to the Configuration Manager (see Table 94). Thereafter, TLC queries the source system hourly to refresh the system's Dynamic Correlation Lists. For example, consider an Active Directory domain assigned to a Dynamic Correlation List. If a user account is subsequently removed from the domain, the Correlation List will no longer include the user account.

Note 

Whenever TLC refreshes a Dynamic Correlation List for a TE Server (see Table 94), TLC logs in to TE with the TE user account specified for the TE Server (see Working with Tripwire Enterprise Servers). If this account is logged in to TE when TLC successfully authenticates, TE will terminate the other session.

Table 94. Types of Dynamic Correlation Lists

Type

Consists of ...

Active Directory

... all user accounts (or all disabled user accounts) in a domain, Organizational Unit (OU), or User Group on an Active Directory server.

To create this type of Dynamic Correlation List: 

1. (Optional) Add an Active Directory domain controller to TLC (see Working with Active Directories). If you only plan to create Correlation Lists for the Active Directory domain controller containing the user account running TLC Manager, this step is unnecessary.

2. Create the Correlation List (see steps below).

TE Server

... IP addresses for TE Assets identified by a saved filter.

Defined in the Asset View tab of the TE Node Manager, a saved filter is a collection of TE tags used to identify the IP addresses of specific TE Assets. For example, to identify an organization's Windows 2003 Servers in New York that are in compliance with PCI requirements, a TE user might create a saved filter named 'New York Win2K3 PCI' with the following tags:

Location:New York
Operating System:Windows 2003 Server
Policy:PCI

For more information about the TE Asset View tab and saved filters, see the Tripwire Enterprise User Guide.

To create this type of Dynamic Correlation List: 

1. On your TE Server, define one or more saved filters in the Asset View tab of the Node Manager.

2. Add the TE Server to TLC and enable the Use this server for Asset View setting (see Working with Tripwire Enterprise Servers).

3. Create the Correlation List (see steps below).

Tip

Tripwire recommends that you regularly download the latest Tripwire-defined TLC content from the Tripwire Web site. Tripwire-defined content includes Normalization Rules, Normalization Aliases, Correlation Rules, Correlation Lists, and some Tasks. For instructions, see Updating TLC with the Latest Tripwire Content.

To create, change, or delete a Correlation List:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select CorrelationCorrelation >Correlation ListsLists.

TLC presents your Correlation Lists in the workspace table.

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

3. To create a new Correlation List:
a. ClickAddAdd.
b. Complete the Correlation List properties (see Table 95) and click Save.

To create a copy of an existing Correlation List:

a. In the workspace, right-click the list to be copied and select Copy List.
b. As appropriate, modify the properties of the new list (see Table 95) and click Save.

Note 

Dynamic Correlation Lists cannot be copied.

To modify an existing Correlation List:

a. In the workspace, double-click the list.
b. As needed, edit the Correlation List properties (see Table 95) and click Save.

To delete a Correlation List, select the list in the workspace and clickDeleteDelete.

Note 

If a Correlation List is assigned to a condition in a Decision in a Correlation Rule, you cannot delete the Correlation List. To delete the list, you must first remove the list from the Correlation Rule (see Defining a Correlation Rule).

Tip

Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).

Table 95. Correlation List fields and tabs

Field/Tab

Description

Name

The name of the Correlation List.

Field type

This drop-down indicates the type of values in the Correlation List and determines the Correlation List's availability in Correlation Rule Decisions (see Defining a Correlation Rule). For example, if you select IP Address or Asset View Saved Filter (IP Address) from this drop-down, the Correlation List would consist of IP address values. If a Decision specifies an IP address field (e.g. Destination IP) in the Type drop-down of a condition, the Correlation List would be available for selection in the condition's Value drop-down. Similarly, if you select a Tag Set here, the Correlation List will appear in a condition's Value drop-down if the Tag Set is selected in the condition's Type drop-down.

To create a Correlation List consisting of manually entered values for a specific Normalized-Message field, select the field from the 'Field type' drop-down and enter the values in the List Items tab. For descriptions of Normalized-Message fields, along with guidelines for appropriate values, click here.

To create a Correlation List with values applicable to all Normalized-Message fields, select Any Field from the 'Field type' drop-down and enter the values in the List Items tab.

To create a Correlation List consisting of Classification Tags in a Classification Tag Set, select the Tag Set from the 'Field type' drop-down and add the Tags in the List Items tab.

To create a Dynamic Correlation List of Active Directory user accounts (see Table 94), select Active Directory (User) from the 'Field type' drop-down and complete the Active Directory tab.

To create a Dynamic Correlation List of TE Asset IP addresses (see Table 94), select Asset View Saved Filter (IP Address) from the 'Field type' drop-down and complete the TE Asset View Saved Filter tab.

Description

(Optional) A description of the Correlation List.

Use CIDR Notation

Note: This checkbox and the associated text field are only available if IP Address is selected in the 'Field type' drop-down.

If enabled, enter a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. If the notation is valid, TLC populates the List Items tab with the addresses calculated by the CIDR notation. For example, the following entry would populate the List Items tab with all IP addresses between 192.1.1.0 and 192.1.1.15

192.1.1.0/28

Note: The minimum value for the CIDR notation suffix is 20. Therefore, 4,096 is the maximum number of IP addresses that can be calculated by a CIDR block.

List Items tab

This tab defines the values in the Correlation List.

Note: Only enabled Classification Tags can be added to a Correlation List. To enable Classification Tags, see Working with Classification Tags.

Note: If Active Directory (User) or Asset View Saved Filter (IP Address) is selected in the 'Field type' drop-down, the List Items tab cannot be edited.

To add a value to the Correlation List, clickAddAdd.

To define a value:

1. If a field is selected in the 'Field type' drop-down, type the value in the Value field.

If a Classification Tag is selected in the 'Field type' drop-down, select a Classification Tag from the Value drop-down.

2. (Optional) Enter a Description.

To delete a value:

1. Click the value.

2. Select the value by clicking the arrow to the left of the value.

3. ClickDelete/RemoveDelete.

TE Asset View Saved Filter tab

Note: This tab is only available if Asset View Saved Filter (IP Address) is selected in the 'Field type' drop-down.

Saved Filter Name. Specifies a TE saved filter. The Correlation List will consist of the IP addresses of TE Assets that have the TE tags specified by the filter (see Table 94).

Active Directory tab

Note: This tab is only available if Active Directory (User) is selected in the 'Field type' drop-down.

Active Directory Login. Specifies the Active Directory domain controller (DC) for the Correlation List. You may select Auto or any DC that has been added to the Active Directory page of the Configuration Manager.

If a DC is selected, TLC will refresh the Correlation List by querying the DC with the login credentials defined in the DC's properties (see Working with Active Directories).

If Auto is selected, TLC will assign the domain controller for the user account running TLC Manager. By default, TLC will refresh the Correlation List by querying the DC with the login credentials of the TLC Manager user account. (Tip: If you want TLC to query the DC with a different user account, you must add an Active Directory DC in the Configuration Manager. In the DC's properties, select Auto from the Domain Controller drop-down and enter the account's login credentials. For more information, see Working with Active Directories.)

Disabled Accounts or All Users. Indicates if the Correlation List will consist of all user accounts in the specified domain, or just the domain's disabled accounts.

Choose a location ... Specifies the domain, Organizational Unit (OU), or User Group containing the Active Directory user accounts to be included in the Correlation List.