How does Event Correlation work?

If an Asset has a Correlation Engine as an Output Destination, and a Manager's Normalization Engine normalizes a log message from the Asset's Log Source (see How does Log-Message Normalization work?), TLC forwards the Normalized Message to the Manager's Correlation Engine. To identify events of interest, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the Normalization Engine.

Each Correlation Rule is constructed with a flowchart containing the following components:

Inputs (either a Collector or a Correlation Engine),

Decisions, and

Outputs (an appropriate response).

TLC includes an extensive set of Tripwire-defined Inputs, Decisions, and Outputs. To configure these 'building blocks' in a Correlation Rule, you drag-and-drop the objects into a logical flow of your choosing (see Working with Correlation Rules). You can also create custom Decisions to suit your organization's needs.

Outputs

A Correlated Event is an event of interest identified by the Correlation Engine. If a Normalized Message satisfies the conditions specified by the Decisions in a Correlation Rule, and the message does not match a Normalized-Message Filter (see How does Log-Message Normalization work?), the Correlation Engine creates a Correlated Event and initiates the response(s) defined by the Correlation Rule's Output(s). An Output can be any of the following actions:

Saving the Correlated Event in an Event-Management Database,

Creating an Event Ticket in the Ticket Center (see What is the Ticket Center?), and/or

Running an Action (see What are Actions?).

Decisions

In a condition of a Decision, you can specify a Classification Tag, a value for a Normalized-Message field, or a Correlation List with multiple Tags or values. For example, consider a simple Correlation Rule with a single Decision containing a single condition that specifies an IP address for a field in Normalized Messages. If that field in a Normalized Message contains the IP address specified by the condition, TLC triggers the Output response(s) specified by the rule. If instead you applied a Correlation List with three IP addresses to the condition, the Correlation Engine would initiate the Output response(s) if the field contained any of the three IP addresses in the Correlation List.

A Dynamic Correlation List is a Correlation List consisting of items that are automatically updated by TLC when related data is changed on another system. For example, you may create a Dynamic Correlation List with Assets monitored by a Tripwire Enterprise Server or user accounts on an Active Directory server. If a change is made to this data in TE or Active Directory, TLC automatically updates the Correlation List. For more information, see Working with Correlation Lists.

The steps below describe the decision-making process involved in the correlation of Normalized Messages (outlined in red in Figure 36).

Figure 36.  Correlating a log message

Does the Normalized Message match a Normalized-Message Filter?

Yes = If the Normalized Message matches a Normalized-Message Filter, TLC ignores the message.

No = Otherwise, TLC proceeds with the correlation process.

Does the Normalized Message match a Correlation Rule?

Yes = If the Correlation Engine is enabled in the Installed Modules tab of the Manager’s properties dialog (see Working with Managers), and the Normalized Message satisfies the conditions defined by a Correlation Rule, TLC creates a Correlated Event and initiates the responses specified by the rule.

No = Otherwise, the Correlation Engine ignores the Normalized Message.
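The Decision conditions, Correlation Lists (including a Dynamic Correlation List being refreshed), Outputs, and the filter-then-rule decision process described above, as an added example that is not part of this document and not Tripwire's code. It models a Normalized Message as a plain dict with a "tags" set; the field names, hosts, IP addresses, and the filter are constructed for illustration and do not come from TLC.

```python
# Added example (not Tripwire Log Center code): a miniature correlation engine
# that walks a Normalized Message through the filter check, the Correlation
# Rule's Decisions, and the rule's Outputs.
from dataclasses import dataclass, field
from typing import Callable

# A Normalized Message is modelled as a dict; field names are assumptions.
NormalizedMessage = dict


@dataclass
class CorrelationList:
    """A named set of Tags or values. refresh() models a Dynamic Correlation
    List being updated when related data changes on another system."""
    name: str
    items: set

    def refresh(self, source: Callable[[], set]) -> None:
        self.items = set(source())


@dataclass
class Condition:
    """One condition of a Decision: a field value or a Classification Tag,
    checked against a Correlation List so multiple values are accepted."""
    field_name: str
    values: CorrelationList

    def matches(self, msg: NormalizedMessage) -> bool:
        if self.field_name == "tags":  # any Classification Tag in the list
            return bool(msg.get("tags", set()) & self.values.items)
        return msg.get(self.field_name) in self.values.items


@dataclass
class Decision:
    conditions: list  # every condition must hold for the Decision to pass

    def evaluate(self, msg: NormalizedMessage) -> bool:
        return all(c.matches(msg) for c in self.conditions)


@dataclass
class CorrelatedEvent:
    rule_name: str
    message: NormalizedMessage


@dataclass
class CorrelationRule:
    name: str
    decisions: list  # all Decisions must pass
    outputs: list    # callables invoked with the CorrelatedEvent


@dataclass
class CorrelationEngine:
    enabled: bool = True
    filters: list = field(default_factory=list)  # Normalized-Message Filters
    rules: list = field(default_factory=list)

    def correlate(self, msg: NormalizedMessage) -> list:
        # Step 1: a message matching a Normalized-Message Filter is ignored.
        if any(is_filtered(msg) for is_filtered in self.filters):
            return []
        # Step 2: the engine must be enabled and a rule must be satisfied.
        if not self.enabled:
            return []
        events = []
        for rule in self.rules:
            if all(d.evaluate(msg) for d in rule.decisions):
                ev = CorrelatedEvent(rule.name, msg)
                for output in rule.outputs:
                    output(ev)
                events.append(ev)
        return events


def demo() -> dict:
    """Run three constructed messages through one rule, then refresh the
    Correlation List as a Dynamic Correlation List would and run them again."""
    watched_ips = CorrelationList("watched-ips", {"10.0.0.5", "10.0.0.6", "10.0.0.7"})
    auth_tag = CorrelationList("auth-tag", {"Authentication"})
    event_db, tickets, actions = [], [], []  # the three kinds of Output
    rule = CorrelationRule(
        name="auth-from-watched-ip",
        decisions=[Decision([Condition("src_ip", watched_ips), Condition("tags", auth_tag)])],
        outputs=[event_db.append,                                    # save to Event-Management Database
                 lambda ev: tickets.append(ev.rule_name),            # create an Event Ticket
                 lambda ev: actions.append(("notify", ev.message["src_ip"]))],  # run an Action
    )
    engine = CorrelationEngine(
        filters=[lambda m: m.get("host") == "lab-host"],  # constructed filter: drop lab noise
        rules=[rule],
    )
    messages = [  # constructed Normalized Messages
        {"host": "web01", "src_ip": "10.0.0.6", "tags": {"Authentication"}},     # satisfies rule
        {"host": "lab-host", "src_ip": "10.0.0.6", "tags": {"Authentication"}},  # dropped by filter
        {"host": "web01", "src_ip": "192.0.2.9", "tags": {"Authentication"}},    # IP not in list
    ]
    first_pass = sum(len(engine.correlate(m)) for m in messages)
    # The other system changes: the Dynamic Correlation List now lists only 192.0.2.9.
    watched_ips.refresh(lambda: {"192.0.2.9"})
    second_pass = sum(len(engine.correlate(m)) for m in messages)
    return {"first_pass": first_pass, "second_pass": second_pass,
            "events_saved": len(event_db), "tickets": len(tickets), "actions": actions}


if __name__ == "__main__":
    print(demo())
```

Each Output is just a callable, which keeps the three response types from the Outputs section (database, ticket, Action) interchangeable; the filter check runs before any rule so a filtered message never reaches the Decisions, matching the order in Figure 36.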