Has anyone done correlation within SA?
I was under the impression that correlation can be done in SA within the Concentrator?
But, I was also told you need the ESA to do some correlation as well?
Basic correlation rules can be created in the concentrator, but they are very basic. The better way to do it would be using ESA.
Hi, thanks for the reply
What would you consider "basic" in terms of correlations with the concentrator?
And, what would be considered more advanced with ESA?
Do you have any examples?
Basic is, this IP with this event hit 10 times.
Advanced is, This IP connected with a TCP ACK, then we saw this event on the server, followed by an admin user being created.
I just worked with a customer on creating a very basic correlation rule on a Concentrator.
The customer created a correlation rule that looked for large file transfers (<50MB) over a 5 minute window on the downstream Decoder.
In the test lab, I created a similar rule that set the threshold to 1000KB (1MB) so it would trigger more often for testing purposes.
The rule looks like:
When you investigate against that Concentrator you will see:
RSA published several correlation rules in Live content and you can download and modify these rules if they don't do exactly what you want.
You can find additional information on correlation rules at https://sadocs.emc.com/0_en-us/089_105InfCtr/120_AppSerCon/DeLdCon/10_ReqProc/30_ConfDecRul/ConfCorrRul
Hope this helps.
Retrieving data ...