Security Center provides automatic alert correlation analysis. The feature automatically aggregates multiple alerts generated for intrusions launched from the same IP address or service, or alerts that involve the same user, so that alerts likely caused by the same attacker are grouped together. After you enable the feature, you can handle alerts that share the same characteristics with a few clicks, which makes alert handling more efficient. This topic describes how to enable automatic alert correlation analysis.

Background information

The feature of automatic alert correlation analysis analyzes the paths of alerts and aggregates multiple alerts generated for intrusions launched from the same IP address or service, or alerts that involve the same user. By default, this feature is disabled in Security Center Enterprise and Ultimate, and you must enable it manually. After you enable this feature, Security Center aggregates alerts that have the same characteristics and displays the aggregated alerts on the Alerts page. Security Center recalculates the numbers under All Alerts and Urgent Alerts, and the numbers of alerts of each type. The alert correlation icon appears on the right side of an aggregated alert. You can click the name of the aggregated alert to view the results of automatic alert correlation analysis. For more information, see View exceptions related to an alert.

After you disable the feature of automatic alert correlation analysis, Security Center splits the aggregated alerts into individual alerts. Security Center recalculates the numbers under All Alerts and Urgent Alerts, and the numbers of alerts of different types.
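The following is an added example, not code from Security Center or its documentation, that models the behaviour described above: alerts that share a source IP address, a target service, or a user are transitively grouped into one aggregated alert, the All Alerts, Urgent Alerts and per-type counters are recomputed over the aggregated alerts, and disabling the feature splits the groups back into individual alerts. The alert records, field names, and the counting rule (an aggregated alert counts once, is urgent if any member is urgent, and is counted under each distinct type it contains) are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample alerts (not real IoCs); field names are assumptions.
SAMPLE_ALERTS = [
    {"id": "a1", "type": "brute_force", "urgent": False,
     "src_ip": "198.51.100.7", "service": "sshd", "user": None},
    {"id": "a2", "type": "suspicious_login", "urgent": True,
     "src_ip": "198.51.100.7", "service": None, "user": "deploy"},
    {"id": "a3", "type": "suspicious_process", "urgent": True,
     "src_ip": None, "service": None, "user": "deploy"},
    {"id": "a4", "type": "webshell", "urgent": True,
     "src_ip": "203.0.113.9", "service": "nginx", "user": None},
    {"id": "a5", "type": "brute_force", "urgent": False,
     "src_ip": "192.0.2.44", "service": "rdp", "user": None},
    {"id": "a6", "type": "brute_force", "urgent": False,
     "src_ip": "198.51.100.7", "service": "sshd", "user": None},
]


def correlate(alerts, keys=("src_ip", "service", "user")):
    """Group alerts that share a value for any of the keys, transitively
    (a1 shares an IP with a2, a2 shares a user with a3 -> one group).
    Uses union-find so that chains of shared attributes join one group."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    first_seen = {}  # (key, value) -> id of the first alert carrying it
    for a in alerts:
        for k in keys:
            v = a.get(k)
            if v is None:
                continue
            if (k, v) in first_seen:
                union(first_seen[(k, v)], a["id"])
            else:
                first_seen[(k, v)] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    order = {a["id"]: i for i, a in enumerate(alerts)}
    # Deterministic output: groups ordered by their earliest member.
    return [groups[r] for r in sorted(groups, key=lambda r: order[r])]


def recount(groups):
    """Recompute the counters shown on the Alerts page over aggregated alerts.
    Counting rule (assumed): one aggregated alert counts once under All Alerts,
    is urgent if any member is urgent, and is counted once per distinct type."""
    by_type = defaultdict(int)
    urgent = 0
    for g in groups:
        if any(a["urgent"] for a in g):
            urgent += 1
        for t in {a["type"] for a in g}:
            by_type[t] += 1
    return {"all": len(groups), "urgent": urgent, "by_type": dict(by_type)}


def split(groups):
    """Disabling the feature: every alert becomes an individual alert again."""
    return [[a] for g in groups for a in g]


if __name__ == "__main__":
    individual = [[a] for a in SAMPLE_ALERTS]
    print("feature off:", recount(individual))
    aggregated = correlate(SAMPLE_ALERTS)
    print("feature on :", recount(aggregated))
    for g in aggregated:
        print("  aggregated alert:", [a["id"] for a in g])
    print("after disable:", recount(split(aggregated)))
```

With the sample data, six individual alerts collapse into three aggregated alerts: a1, a2, a3 and a6 are chained through a shared IP address and a shared user, while a4 and a5 stand alone. All Alerts drops from 6 to 3, Urgent Alerts from 3 to 2, and the brute_force count from 3 to 2, which is the kind of recalculation the page describes; splitting restores the original numbers.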

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Feature.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Alarm aggregation switch section, turn on Alert Association.
    Notice If you have 10,000 alerts or fewer, you can turn on Alert Association. If you have more than 10,000 alerts, archive alerts on the Alerts page to reduce the number of alerts first. For more information, see Archive alerts.