Simple question. At what point during CPNEA* on the receiver does correlation occur?
* collection, parsing, normalization, enrichment, aggregation.
Oh, OK ... is this another one of those deals where the front-end is in one place and the back-end processing is in another, like data enrichment?
Well, the only front end is the ESM.
So, as was mentioned, when an event comes into a receiver, it is partially processed there; the ESM will pick it up and, assuming it meets any filters for a correlation engine, it is sent to the ACE for correlation.
I'm not exactly sure of the order of these things, "collection, parsing, normalization, enrichment, aggregation", but it doesn't matter so long as the Receiver is able to get it done.
That being said, correlation is a separate process. The goal of the Receiver is to complete the listed items and insert the data into its local database. It's a separate process that then queries that database and maintains correlation state. I haven't enabled correlation on a Receiver in years and wouldn't suggest doing so without being in a corner case that allowed for 50% of the Receiver capacity to be available and no need for risk-based correlation or virtual correlation engines due to the simple implementation. Also, you can cover a lot of correlation use cases without correlation with Field Match alarms and the layer of boolean logic that they offer.