

About Correlation Rules

You can apply predefined correlation rules, use the correlation rule wizard to create custom correlation rules for your environment, or modify existing rules. Correlation rules allow you to identify groups of events that may indicate attacks or other security risks. You must have the Administrator role to create or edit correlation rules.

When you create a correlation rule, you must select which of the three types to create. The rule template controls what event or events are considered an incident. The following templates are available:

Note: Effective correlation requires a full view of incoming events. For this reason, consider avoiding suppression or summarization rules at the agent level. Any events that are suppressed or summarized at the agent are not considered for correlation and incident creation.

Event correlation can result in significant network traffic. For this reason, consider assigning a dedicated Correlation Server. See the CA User Activity Reporting Module Implementation Guide for more information about server roles.

If there are too many incident messages for the correlation service to process, the correlation service maintains a queue of up to 10,000 messages. Any further messages are lost. CA User Activity Reporting Module generates a self-monitoring event if this occurs.

More information:

About Incident Notifications