4 Replies Latest reply on Jul 9, 2015 12:32 PM by anand_guru

    Which is better Alarm or Correlation Rule

    anand_guru

      Hello Experts,

      With SIEM v9.4 and above we can include multiple logical conditions in an alarm condition. This feature is very similar to the way we define the correlation rule logic (it's very limited in alarms though).


      Given this, what is good for SIEM in terms of performance (light on processing) - Creating an Alarm or Correlation rule?


      Thanks,

      Anand 

        • 1. Re: Which is better Alarm or Correlation Rule
          alexander_h

          Hi Anand,

          Actually they serve different purposes, as the alarms are meant to notify someone, whereas the correlation is to create an additional event.

          For that correlation event you could create an alarm.

          Alarms just match some events, whereas with correlation you could create additional logic to match events under specific conditions and, based on that, create its own.

          From a performance point of view I have no idea, but my best guess is that the correlation will be more intensive.

          • 2. Re: Which is better Alarm or Correlation Rule
            anand_guru

            Thanks Alexander,

            Yes, you are right that the two serve different purposes. But I have a requirement to create a correlation rule for every piece of intelligence built into the SIEM and then create an alarm for it. Why? So that all the intelligence (SOC related) is in one place.


            Your guess about correlation being intensive makes sense to me.


            Thanks again for your inputs.

            • 3. Re: Which is better Alarm or Correlation Rule
              andy777

              It depends on your architecture. Correlation is performed on the ACE or a Receiver. Alarms are executed on the ESM and in the case of Field Match, also the Receiver. If you have a combo box, you definitely want to go with correlation to offload it from the ESM.

              To answer your question though, best practice will be to create correlation rules and leave yourself the option to enable and disable alarms on a per-rule basis without impacting the analysis. It's preferable to use Field Match alarms as opposed to Internal Event Match, since they will be faster and impact the ESM less.

              • 4. Re: Which is better Alarm or Correlation Rule
                anand_guru

                Thanks Andy, the information you provided helps.