jamesmac
Level 7

Noob question about correlation

Simple question. At what point on during CPNEA* on the receiver does correlation occur?

* collection, parsing, normalization, enrichment, aggregation.

James

0 Kudos
4 Replies
sssyyy
Level 12

Re: Noob question about correlation

Events > ESM > Correlation Engine > ESM for display

0 Kudos
jamesmac
Level 7

Re: Noob question about correlation

Oh, OK ... is this another one of those deals where the front-end is in one place and the back-end processing is in another, like data enrichment?

James

0 Kudos
akerr
Level 9

Re: Noob question about correlation

Well, the only front end is the ESM.

So as was mentioned, when an event comes into a receiver, it is partially processed there; the ESM will pick it up and, assuming it meets any filters for a correlation engine, send it to the ACE for correlation.

0 Kudos
McAfee Employee

Re: Noob question about correlation

I'm not exactly sure of the order of these things, "collection, parsing, normalization, enrichment, aggregation", but it doesn't matter so long as the Receiver is able to get it done.

That being said, correlation is a separate process. The goal of the Receiver is to complete the listed items and insert the data into its local database. It's a separate process that then queries that database and maintains correlation state. I haven't enabled correlation on a Receiver in years and wouldn't suggest doing so without being in a corner case that allowed for 50% of the Receiver capacity to be available and no need for risk-based correlation or virtual correlation engines due to the simple implementation. Also, you can cover a lot of correlation use cases without correlation with Field Match alarms and the layer of boolean logic that they offer.

0 Kudos