Showing results for 
Search instead for 
Did you mean: 
Level 7

Correlation Rule Aggregation

Hi Team,

I have got a question on Correlation Rule based aggregation.

As we all know that aggregation is "ON" by default on McAfee Receivers. Therefore, whenever I make a correlation rule or work on some content packs, I turn OFF aggregation because I dont want to lose more visibility(i.e. aggregate them) on event logs coming from receivers (Or may be I dont understand the concept of aggregation @ Correlation rule, if you guys can share your thoughts on it, Or turning OFF Correlation on ACE would eat-up ACE resources)

Can you please suggest some best practices for making Rules

Best Regards

0 Kudos