I was going through mcafee esm's manual and came across ACE's ability to correlate the event/log/flow data.
In the product guide it says :
Be aware of the following when using historical correlation:
• Real-time correlation is discontinued until you disable historical correlation.
• The risk distribution is skewed by event aggregation.
• When you move the risk manager back to real-time risk correlation, the thresholds must be tuned.
1) I want to know that why it is that when historical correlation capability is enabled real-time correlation doesn't work.?
2) What is the skewing of events by event aggregation mentioned in the product guide.
3) It says when the real-time risk correlation is enabled again what are the thresholds and why there is a need of tuning them