Actually, they serve different purposes: alarms are meant to notify someone, whereas correlation is meant to create an additional event.
For that correlation event you could create an alarm.
Alarms just match some events, whereas with correlation you could create additional logic to match events under specific conditions and, based on that, create its own event.
From a performance point of view I have no idea, but my best guess is that correlation will be more intensive.
Yes, you are right that the two serve different purposes. But I have a requirement to create a correlation rule for every piece of intelligence built into the SIEM and then create an alarm for it. Why? So that all the intelligence (SOC related) is in one place.
Your guess about correlation being intensive makes sense to me.
Thanks again for your inputs.
It depends on your architecture. Correlation is performed on the ACE or a Receiver. Alarms are executed on the ESM and in the case of Field Match, also the Receiver. If you have a combo box, you definitely want to go with correlation to offload it from the ESM.
To answer your question though, best practice will be to create correlation rules and leave yourself the option to enable and disable alarms on a per-rule basis without impacting the analysis. It's preferable to use Field Match alarms as opposed to Internal Event Match, since they will be faster and impact the ESM less.
Thanks Andy, the information you provided helps.