Absent Member.
4939 views

correlation VS Aggregation

I am very confused about correlation and aggregation. Can anyone explain both of them to me with examples?

0 Likes
4 Replies
Super Contributor.

Re: correlation VS Aggregation

Aggregation is the process where you aggregate "almost the same" (this can be configured) base events into one aggregated event. For example, instead of having 100 events like "connection blocked on firewall from 10.0.0.1:43258 to 192.168.1.1:80", you will have only one aggregated event saying that there were 100 blocked connections from 10.0.0.1:43258 to 192.168.1.1:80 in some time range. You will lose some information, but on the other hand it is better for performance and network load.

Correlation is the process where you correlate events that need not be from the same source. You can, for example, create a rule that will create a correlated event if there is a base event from the door card-reader system (user is in the building) followed by an event from the VPN server indicating that the same user is working from home over VPN.

0 Likes
Absent Member.

Re: correlation VS Aggregation

Aggregation is used at the SmartConnector level to limit the number of events being ingested by the destination device (ESM / Logger).  For example, if you have a SmartConnector ingesting events from a firewall device, it will aggregate (i.e. summarize) similar events in a configurable time period, sending a single event to the destination.  This can provide significant bandwidth, storage, and processing savings.

Correlation is used to find relationships between events.  As an example, ESM's correlation engine uses the rules you construct (or those out of the box) to correlate base and aggregated events being fed in from SmartConnectors to determine something of interest has occurred.  For instance, maybe there is a failed login event that occurs on an endpoint - this by itself may not be of interest, but if that same failed login event occurs multiple times over a short period of time, it may be indicative of a brute force login attempt.  A rule can be configured to watch for this type of activity, generating a correlation event which can be acted upon.

If you need additional details and examples, definitely check out the 'ESM 101' documentation!

Hope this helps.
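To make the two replies above concrete, here is a small added example (not ArcSight code, and not posted by either replier) that models the pipeline both describe: connector-side aggregation that collapses identical events inside a time window into one event with a count, then two correlation rules run over the aggregated stream. The first rule is the cross-source door-badge-then-VPN case from the first reply; the second is the repeated-failed-login threshold from the second reply, written so that it sums the count field of aggregated events as well as plain base events. Event names, field names, the 60-second aggregation window, the 8-hour badge/VPN gap, the 5-in-300-seconds threshold and the sample events are all assumptions made for illustration; the sample events are constructed, not real logs.

```python
"""Toy SIEM pipeline: connector-side aggregation, then engine-side correlation.

Constructed example, not ArcSight code. Event names, field names and the
rule thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds since epoch
    source: str    # originating system: "fw", "badge", "vpn", "host", "esm"
    name: str      # event name
    fields: dict   # remaining attributes; aggregated events gain count/start_time/end_time


def aggregate(events, window=60):
    """Connector-side aggregation.

    Events with identical source, name and fields whose timestamps fall within
    `window` seconds of the bucket's first event collapse into a single event
    carrying count, start_time and end_time. The individual timestamps inside
    the window are the information that is lost.
    """
    buckets = {}  # key -> the aggregated Event currently open for that key
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.source, ev.name, frozenset(ev.fields.items()))
        agg = buckets.get(key)
        if agg is None or ev.ts - agg.fields["start_time"] >= window:
            agg = Event(ev.ts, ev.source, ev.name,
                        dict(ev.fields, count=0, start_time=ev.ts, end_time=ev.ts))
            buckets[key] = agg
            out.append(agg)
        agg.fields["count"] += 1
        agg.fields["end_time"] = ev.ts
    return out


def rule_badge_then_vpn(events, max_gap=8 * 3600):
    """Cross-source correlation: a door entry followed, within max_gap seconds and
    with no door exit in between, by a VPN login for the same user. Physical
    presence plus remote access for one account is the contradiction of interest."""
    inside = {}   # user -> ts of the most recent door_entry
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        user = ev.fields.get("user")
        if ev.source == "badge" and ev.name == "door_entry":
            inside[user] = ev.ts
        elif ev.source == "badge" and ev.name == "door_exit":
            inside.pop(user, None)
        elif ev.source == "vpn" and ev.name == "vpn_login" and user in inside:
            if ev.ts - inside[user] <= max_gap:
                alerts.append(Event(ev.ts, "esm", "badge_and_vpn_same_user",
                                    {"user": user, "entry_ts": inside[user],
                                     "vpn_src": ev.fields.get("src")}))
    return alerts


def rule_failed_logins(events, threshold=5, window=300):
    """Threshold correlation over base *and* aggregated events: sum failed logins
    per (user, host) in a sliding window, honouring the count field that
    aggregation adds (a base event counts as 1). Fires once per (user, host)."""
    recent = defaultdict(list)   # (user, host) -> [(ts, count), ...]
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name != "login_failed":
            continue
        key = (ev.fields["user"], ev.fields["host"])
        recent[key] = [(t, c) for t, c in recent[key] if ev.ts - t < window]
        recent[key].append((ev.ts, ev.fields.get("count", 1)))
        total = sum(c for _, c in recent[key])
        if total >= threshold and key not in fired:
            fired.add(key)
            alerts.append(Event(ev.ts, "esm", "brute_force_suspected",
                                {"user": key[0], "host": key[1], "failures": total}))
    return alerts


def sample_events():
    """Constructed base events, not real logs."""
    evs = [Event(100 + i // 2, "fw", "connection_blocked",   # 100 identical blocks in 50 s
                 {"src": "10.0.0.1", "spt": 43258, "dst": "192.168.1.1", "dpt": 80})
           for i in range(100)]
    evs += [Event(1000, "badge", "door_entry", {"user": "alice"}),
            Event(1600, "vpn", "vpn_login", {"user": "alice", "src": "203.0.113.7"}),
            Event(1700, "vpn", "vpn_login", {"user": "bob", "src": "203.0.113.8"})]
    evs += [Event(2000 + 10 * i, "host", "login_failed", {"user": "carol", "host": "ws01"})
            for i in range(6)]                                # 6 failures in 50 s
    evs += [Event(3000, "host", "login_failed", {"user": "dave", "host": "ws02"}),
            Event(3900, "host", "login_failed", {"user": "dave", "host": "ws02"})]
    return evs


def run_pipeline(events):
    """Aggregate at the 'connector', then correlate at the 'engine'."""
    aggregated = aggregate(events)
    return {
        "base_count": len(events),
        "aggregated_count": len(aggregated),
        "badge_vpn": rule_badge_then_vpn(aggregated),
        "brute_force": rule_failed_logins(aggregated),
    }


if __name__ == "__main__":
    result = run_pipeline(sample_events())
    print(f"{result['base_count']} base events -> {result['aggregated_count']} aggregated")
    for alert in result["badge_vpn"] + result["brute_force"]:
        print(alert.name, alert.fields)
```

Running it turns 111 constructed base events into 7 aggregated events (the 100 identical firewall blocks become one event with count 100, carol's six failures become one event with count 6), and the engine then raises one badge-and-VPN alert for alice and one brute-force alert for carol. The brute-force rule reaches the same verdict whether it is fed the base events or the aggregated ones, which is the point of the second reply: rules consume both. What aggregation does cost you is visible in the fields of the aggregated events, where only start_time, end_time and count survive.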

Absent Member.

Re: correlation VS Aggregation

Thank you, it gave me a clear view.

0 Likes
Absent Member.

Re: correlation VS Aggregation

Thank you

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.