Unlike enVision 4.x, Security Analytics lacks the ability to create advanced correlated alerts in the base product;although I've heard that this will be available with the Data Warehousing engine(CEP).
An advanced correlated alert is a combination of alerts from various device sources that occur within a specified time period.
1. Alert X occurs due to excessive “login failures” within a 5 minute period
2. Then after 5 minutes an entirely different Alert Y occurs.
The ability to correlate these two separate events is extremely powerful and can be driver for actionable content. The key is the ability to cache variables storing event field data contextually that can be globally accessible to the advanced correlated alert chain.
Correlation is the:
- Triggering of an alert based on some combination and/or sequence of other events
- The analysis and comparison of events from either a single or across multiple devices.
Is there any other way to do this in SA? Are there any plans to include this function in the base SA 10.x platform?
Perhaps writing a REST API script to periodically monitor the alert queue for alerts and taking action from there could work here.