Rule-based Event Correlation can be performed on an ACE appliance (preferred) or on any available McAfee Event Receiver. When an ACE is part of your SIEM design, a Rules-based Correlation Engine should already be enabled on it by default.
To verify Rules-based correlation is enabled on the ACE:
- Expand the ACE in your System Tree and verify that a Rule Correlation engine is present and enabled. The screenshot below shows a properly configured ACE.
- If the Rule Correlation engine is not enabled, open ACE Properties and select Correlation Management.
- Ensure the Enabled option is selected for the Rule Correlation engine, and then write the configuration to the ACE.
In an environment where no ACE is available, rule-based correlation can be enabled directly on a Receiver appliance using the instructions below. Running correlation on an ACE appliance is always preferred; running it on a Receiver has several drawbacks:
- Correlation imposes a performance penalty of roughly 20% on a typical Receiver, which may reduce its ability to parse events under high load.
- The following correlation modes are not supported on a Receiver appliance:
- Flow-based correlation
- Risk-based correlation
- Deviation-based correlation
- Historical correlation.
To enable Rules-based correlation on an Event Receiver in an environment with no ACE:
- Click on any available Event Receiver from the System Tree.
- Click the Add Data Source button on the Actions Toolbar. The Add Data Source window opens.
- From the Data Source Vendor drop-down, select McAfee.
- From the Data Source Model drop-down, select Correlation Engine.
- Enter a Name for this Correlation Data Source.
- Click OK.
- A dialog box opens indicating that the Data Source settings have changed and must be applied to the Event Receiver. Click Yes.
- When the Data Source settings have been written to the Event Receiver, a dialog box confirms this. Click Close.
- Because every Data Source must have a policy applied, the Rollout window appears. Policy must be rolled out to the Event Receiver and all of its Data Sources after any change is made. Click OK.