Correlation data source

A correlation data source analyzes data flowing from an ESM, detects suspicious patterns within the data flow, generates correlation alerts that represent these patterns, and inserts these alerts into the Receiver's alert database.

A suspicious pattern is defined by a correlation policy rule, which you can create and modify. Correlation rules are separate and distinct from Nitro IPS rules and firewall rules, and each rule has attributes that specify its behavior (for example, which events it matches and how many must occur within a time window before a correlation alert is generated).

Only one correlation data source can be configured on a Receiver, just as only one syslog or OPSEC data source can be configured on it. Once you have configured a Receiver's correlation data source, you can roll out the default correlation policy, edit the base rules in that default policy, or add custom rules and components and then roll out the policy. You can enable or disable each rule and set the value of each rule's user-definable parameters. For details regarding the correlation policy, see Correlation rules.
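The following is an added illustration of what a correlation engine does with the alert stream described above: it applies a rule to the alerts the ESM sends, aggregates them by a key, and emits a correlation alert once a threshold is reached within a sliding time window. It is not McAfee's engine, not the ESM's rule syntax, and not code from this product; the rule fields (match_event, group_by, threshold, window_sec, enabled), the Alert layout, and the sample alerts are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Alert:
    """One alert as the ESM would send it to the engine (assumed layout)."""
    ts: int        # epoch seconds
    src_ip: str
    event: str     # e.g. "auth_failure"


@dataclass
class CorrelationRule:
    """A rule with user-definable parameters and an enable/disable switch (assumed fields)."""
    name: str
    match_event: str   # only alerts with this event type count toward the rule
    group_by: str      # Alert attribute used as the aggregation key (e.g. "src_ip")
    threshold: int     # number of matching alerts that triggers the rule
    window_sec: int    # sliding window in seconds
    enabled: bool = True


@dataclass
class CorrelationAlert:
    """The alert the engine produces when a rule fires."""
    rule: str
    key: str
    count: int
    first_ts: int
    last_ts: int


class CorrelationEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        # per (rule name, key): timestamps of matching alerts, oldest first
        self._windows = defaultdict(deque)

    def process(self, alert):
        """Feed one alert in arrival order; return any correlation alerts it triggers."""
        produced = []
        for rule in self.rules:
            if not rule.enabled or alert.event != rule.match_event:
                continue
            key = getattr(alert, rule.group_by)
            win = self._windows[(rule.name, key)]
            win.append(alert.ts)
            # Drop timestamps that have fallen outside the sliding window.
            while win and alert.ts - win[0] > rule.window_sec:
                win.popleft()
            if len(win) >= rule.threshold:
                produced.append(CorrelationAlert(rule.name, key, len(win), win[0], win[-1]))
                win.clear()  # reset so one burst yields exactly one correlation alert
        return produced


def run(rules, alerts):
    """Run the rules over an alert stream and return all correlation alerts generated."""
    engine = CorrelationEngine(rules)
    out = []
    for alert in alerts:
        out.extend(engine.process(alert))
    return out


# Constructed sample input: five auth failures from 10.0.0.5 within 60 s (a burst),
# and three from 10.0.0.9 spread more than 120 s apart (not a burst).
SAMPLE_ALERTS = [
    Alert(1000, "10.0.0.5", "auth_failure"),
    Alert(1010, "10.0.0.9", "auth_failure"),
    Alert(1015, "10.0.0.5", "auth_failure"),
    Alert(1030, "10.0.0.5", "auth_failure"),
    Alert(1045, "10.0.0.5", "auth_failure"),
    Alert(1050, "10.0.0.5", "auth_success"),   # different event type, ignored by the rule
    Alert(1060, "10.0.0.5", "auth_failure"),   # fifth failure within 120 s
    Alert(1200, "10.0.0.9", "auth_failure"),   # 190 s after the first from this host
    Alert(1400, "10.0.0.9", "auth_failure"),
]

# One base rule with its parameters at assumed default values.
DEFAULT_RULES = [
    CorrelationRule("auth_failure_burst", "auth_failure", "src_ip", threshold=5, window_sec=120),
]

if __name__ == "__main__":
    for ca in run(DEFAULT_RULES, SAMPLE_ALERTS):
        print(ca)
```

Running it with the default parameters yields a single correlation alert for 10.0.0.5 and none for 10.0.0.9; disabling the rule yields nothing, and lowering threshold or widening window_sec changes what fires, which is the effect of the user-definable parameters mentioned above.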

When you are adding a correlation data source, the vendor is McAfee and the model is Correlation Engine.

When the correlation data source is enabled, the ESM sends alerts to the correlation engine on the Receiver.