Chapter 12: Historical Correlation
Use historical correlation to run past events through the custom rules engine to identify threats or security incidents that already occurred.
By default, a SureLog SIEM deployment analyzes information collected from log sources in near real time. With historical correlation, you can correlate by either the start time or the device time. Start time is the time at which SureLog received the event. Device time is the time at which the event occurred on the device.
To enable Historical Correlation:
- Open Correlation->Historical Correlation
- In the left pane, select the alerts you want to enable
- In the Alerts grid, select the alert (or alerts) to activate
- Enable the alerts as follows:
  - To enable a single alert, click the Activate Selected button
  - To enable multiple alerts, select the alerts first and then click the Activate Selected button
Rule creation and Alarm creation steps are the same as for real-time correlation, except for the Start Date and End Date fields.
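The difference between correlating by start time and by device time is easiest to see with a replay. The following is an added example, not SureLog code: it models a stored-event replay through a single threshold rule ("N events of one type from the same source within a window") bounded by a Start Date and End Date, with the `time_field` parameter standing in for the start-time/device-time choice. The event layout, field names (`start_time`, `device_time`, `src`, `type`), the rule dictionary and the sliding-window logic are all constructed assumptions for illustration; SureLog's own rules engine and storage format are not shown here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not SureLog data). Each record carries both timestamps:
#   start_time  = when the SIEM received the event
#   device_time = when the event occurred on the device
# Event 4 occurred at 10:03 but was received four hours late (e.g. the collector was down).
EVENTS = [
    {"id": 1, "device_time": "2024-03-01 10:00:00", "start_time": "2024-03-01 10:00:05", "src": "10.0.0.5", "type": "login_failed"},
    {"id": 2, "device_time": "2024-03-01 10:01:00", "start_time": "2024-03-01 10:01:02", "src": "10.0.0.5", "type": "login_failed"},
    {"id": 3, "device_time": "2024-03-01 10:02:00", "start_time": "2024-03-01 10:02:01", "src": "10.0.0.5", "type": "login_failed"},
    {"id": 4, "device_time": "2024-03-01 10:03:00", "start_time": "2024-03-01 14:03:00", "src": "10.0.0.5", "type": "login_failed"},
    {"id": 5, "device_time": "2024-03-01 12:00:00", "start_time": "2024-03-01 12:00:03", "src": "10.0.0.9", "type": "login_failed"},
]

# Hypothetical threshold rule: 4 failed logins from one source within 10 minutes.
RULE = {"event_type": "login_failed", "threshold": 4, "window": timedelta(minutes=10)}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def historical_correlate(events, rule, start_date, end_date, time_field="device_time"):
    """Replay stored events through `rule`.

    `time_field` selects which timestamp bounds the Start/End Date range and orders
    the events: "start_time" (receipt time) or "device_time" (time on the device).
    Returns one alarm per source whose events satisfy the rule inside the range.
    """
    if time_field not in ("start_time", "device_time"):
        raise ValueError("time_field must be 'start_time' or 'device_time'")

    # Step 1: keep only matching events whose chosen timestamp falls in the date range.
    selected = [
        e for e in events
        if e["type"] == rule["event_type"] and start_date <= parse(e[time_field]) <= end_date
    ]
    selected.sort(key=lambda e: parse(e[time_field]))

    # Step 2: group timestamps by source so the threshold is evaluated per source.
    by_src = defaultdict(list)
    for e in selected:
        by_src[e["src"]].append(parse(e[time_field]))

    # Step 3: sliding window over each source's sorted timestamps.
    alarms = []
    for src, times in by_src.items():
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > rule["window"]:
                left += 1
            if right - left + 1 >= rule["threshold"]:
                alarms.append({
                    "src": src,
                    "count": right - left + 1,
                    "first": times[left],
                    "last": times[right],
                    "time_field": time_field,
                })
                break  # one alarm per source per replay is enough for this illustration
    return alarms


if __name__ == "__main__":
    start = parse("2024-03-01 00:00:00")
    end = parse("2024-03-01 23:59:59")
    for field in ("device_time", "start_time"):
        print(field, "->", historical_correlate(EVENTS, RULE, start, end, time_field=field))
```

Run over the whole day, the device-time replay raises an alarm for 10.0.0.5 (four failures between 10:00 and 10:03), while the start-time replay raises none, because the late-arriving event 4 sits four hours away from the other three in receipt order. The same effect applies to the date range itself: an End Date of 10:02:30 by device time excludes event 4 and the rule no longer fires. When choosing the time field for a historical run, pick device time to reconstruct what happened on the hosts and start time to reproduce what the real-time engine would have seen as events arrived.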