I have got a question on Correlation Rule based aggregation.
As we all know that aggregation is "ON" by default on McAfee Receivers. Therefore, whenever I make a correlation rule or work on some content packs, I turn OFF aggregation because I dont want to lose more visibility(i.e. aggregate them) on event logs coming from receivers (Or may be I dont understand the concept of aggregation @ Correlation rule, if you guys can share your thoughts on it, Or turning OFF Correlation on ACE would eat-up ACE resources)
Can you please suggest some best practices for making Rules