
Event Correlation
Event Correlation is the process of reducing a large number of incident alerts to a much smaller, more manageable number within monitoring and incident/problem support management systems. Event correlation is not the same as Root Cause Analysis or Root Cause Determination: it decides which alerts deserve a ticket and how they relate to each other, not why the underlying fault occurred.
Several incident alert handling functions have been identified as event correlation, or as functions of it: Alert Suppression, Alert Filtering, Alert De-duplication, and Alert Association. The level of event correlation is determined by how many of these functions are used. Some of these functions are integrated into incident alert monitoring systems, others have to be configured, and others have to be created and implemented specifically for an incident/problem support management system. Functions that the monitoring and support management systems cannot support become manual in nature.
Alert Suppression
removes or drops incident alerts that are generated by systems downstream of a failed system. For example, servers downstream of a failed router will fail their availability checks even though nothing is wrong with the servers themselves. Alert suppression prevents incident/problem trouble tickets from being generated for them in the support management system; only the upstream failure is ticketed. Suppression depends on the monitoring system knowing the dependency topology and on the upstream failure being recognised before (or together with) the downstream alerts.
Alert Filtering
removes or drops informational incident alerts, or incident alerts from systems or functions that are not part of the support model implemented in the incident/problem support management system. An example is filtering the informational alerts from a firewall when the support model covers hardware availability and faults only.
Alert De-duplication
identifies incident alerts that are duplicates of a previously received incident alert. Duplicate alerts occur because of a continuing problem within a system. De-duplication can either drop the duplicate alert or can create a "child" trouble ticket and attach it to the trouble ticket of the original incident alert. The original trouble ticket is known as the "parent" trouble ticket.
Alert Association
identifies incident alerts that are the result of, or are associated with, problems in other systems or functions. This level of correlation creates "child" trouble tickets that are attached to the originally generated "parent" trouble ticket. For example, it can attach server availability fault alerts to a Change Request during a planned maintenance outage, so the expected outage is not worked as an unexplained incident.
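The four functions above are usually applied in sequence to each incoming alert. The following is an added example, not code from the original page or from any product it describes, showing one way to run filtering, suppression, de-duplication and association over a batch of alerts. The topology (`UPSTREAM`), the one-hour de-duplication window, the change-request window `CR-42` and the sample alerts are all constructed for the example; `Alert`, `Ticket` and `correlate` are hypothetical names, not a real API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    source: str   # device that raised the alert
    kind: str     # "availability" or "informational" (constructed categories)
    ts: datetime


@dataclass
class Ticket:
    id: int
    alert: Alert
    children: List["Ticket"] = field(default_factory=list)  # de-duplicated repeats
    change_request: Optional[str] = None                    # set by association


# Constructed topology: each server's upstream device. A failed upstream device
# explains the availability faults of everything behind it.
UPSTREAM = {"web01": "router1", "web02": "router1", "db01": "router2"}

# Repeats of the same fault from the same source inside this window are
# duplicates of an existing incident, not new incidents (constructed value).
DEDUP_WINDOW = timedelta(hours=1)

# Constructed change-request windows: change id -> (device, start, end).
CHANGE_WINDOWS = {
    "CR-42": ("db01", datetime(2024, 1, 1, 11, 0), datetime(2024, 1, 1, 12, 0)),
}


def correlate(alerts: List[Alert]) -> Tuple[List[Ticket], Dict[str, List[Alert]]]:
    """Apply filtering, suppression, de-duplication and association in order.

    Returns the parent tickets that would be opened, plus the alerts handled
    by each function instead of becoming parent tickets. Alerts are processed
    in timestamp order so an upstream failure is seen before its downstream
    symptoms; a device that has failed is assumed to stay failed for the batch
    (recovery/clear events are not modelled here).
    """
    tickets: List[Ticket] = []
    open_by_source: Dict[str, Ticket] = {}
    failed = set()
    outcomes: Dict[str, List[Alert]] = {"filtered": [], "suppressed": [], "duplicate": []}
    next_id = 1

    for a in sorted(alerts, key=lambda x: x.ts):
        # Alert Filtering: informational alerts are outside a hardware-availability
        # support model, so they never reach the ticketing system.
        if a.kind != "availability":
            outcomes["filtered"].append(a)
            continue
        # Alert Suppression: a fault behind an already-failed upstream device is
        # a symptom of that failure, so no ticket is raised for it.
        if UPSTREAM.get(a.source) in failed:
            outcomes["suppressed"].append(a)
            continue
        # Alert De-duplication: a repeat from the same source inside the window
        # becomes a child ticket attached to the original (parent) ticket.
        parent = open_by_source.get(a.source)
        if parent is not None and a.ts - parent.alert.ts <= DEDUP_WINDOW:
            parent.children.append(Ticket(id=next_id, alert=a))
            next_id += 1
            outcomes["duplicate"].append(a)
            continue
        ticket = Ticket(id=next_id, alert=a)
        next_id += 1
        # Alert Association: a fault during a planned outage is attached to the
        # change request rather than worked as an unexplained incident.
        for cr, (device, start, end) in CHANGE_WINDOWS.items():
            if device == a.source and start <= a.ts <= end:
                ticket.change_request = cr
        tickets.append(ticket)
        open_by_source[a.source] = ticket
        failed.add(a.source)

    return tickets, outcomes


# Constructed sample batch, deliberately out of order: a router fails, two servers
# behind it go down, a firewall logs something informational, the router alert
# repeats, and a database server drops during its planned change window.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_ALERTS = [
    Alert("web01", "availability", T0 + timedelta(seconds=5)),
    Alert("router1", "availability", T0),
    Alert("fw01", "informational", T0 + timedelta(minutes=1)),
    Alert("web02", "availability", T0 + timedelta(seconds=6)),
    Alert("router1", "availability", T0 + timedelta(minutes=5)),
    Alert("db01", "availability", datetime(2024, 1, 1, 11, 30)),
]

if __name__ == "__main__":
    tickets, outcomes = correlate(SAMPLE_ALERTS)
    for t in tickets:
        print(f"ticket {t.id}: {t.alert.source} children={len(t.children)} cr={t.change_request}")
    for reason, alerts in outcomes.items():
        print(f"{reason}: {[a.source for a in alerts]}")
```

Six alerts collapse to two parent tickets: one for `router1` (with one child ticket for its repeat) and one for `db01` that is associated with `CR-42`; the two web servers are suppressed and the firewall alert is filtered. In practice suppression is the fragile step, because it needs an accurate dependency map and correct alert ordering; if the downstream alerts arrive first they are ticketed before the router failure is known.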
Definitions provided by Wikipedia - The Free Encyclopedia
Event Correlation Related Products
Software Blade Architecture
The Check Point Software Blade Architecture supports a complete and growing selection of Software Blades, each delivering a modular security gateway or security management function. Because Software Blades are modular and movable, they let users tailor Security Gateway and Management functionality quickly and efficiently to specific and changing security needs. New blades are licensed as needed without adding new hardware.