Security Center provides automatic alert correlation analysis. The feature aggregates alerts that are likely to belong to the same intrusion, for example alerts triggered by attacks from the same IP address or service, or alerts on the same user. After you enable the feature, you can handle alerts that share these characteristics with a few clicks instead of one by one, which makes alert handling more efficient. This topic describes how to enable automatic alert correlation analysis.

Background information

Automatic alert correlation analysis analyzes the paths of alerts and aggregates alerts on intrusions that are launched from the same IP address or service, or that target the same user. The feature is disabled by default in Security Center Enterprise and Ultimate; you must enable it manually. After you enable it, Security Center aggregates alerts that share the same characteristics and displays the aggregated alerts on the Alerts page. Security Center then recalculates the numbers under All Alerts and Urgent Alerts, and the numbers of alerts of each type, so expect these totals to drop compared with the unaggregated view. The Alert correlation icon appears to the right of an aggregated alert. You can click the name of the aggregated alert to view the results of the correlation analysis. For more information, see View exceptions related to an alert.

After you disable automatic alert correlation analysis, Security Center splits the aggregated alerts back into individual alerts and again recalculates the numbers under All Alerts and Urgent Alerts, and the numbers of alerts of each type. If you track alert counts in reports or tickets, note that toggling the feature changes these totals.
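The following example is added here to illustrate what the correlation and the recount described above mean in practice. It is not Security Center code: the alert fields, the grouping rule (any two alerts that share a source IP, a user, or a service are chained into one aggregated alert, so an alert path can link alerts transitively), and the way a group's urgency is derived are all assumptions for illustration, and the sample alerts are constructed.

```python
"""Illustrative alert correlation: chain alerts that share an attacker
characteristic into one aggregated alert, recompute the All Alerts and
Urgent Alerts counters, and split the groups again when the feature is
turned off. Added example; not Security Center's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    name: str
    src_ip: Optional[str]    # attacker IP, if the alert has one
    user: Optional[str]      # affected or targeted account, if any
    service: Optional[str]   # affected service, if any
    urgent: bool
    handled: bool


# Constructed sample alerts (not real data). A1..A3 chain together:
# A1 and A2 share the source IP, A2 and A3 share the user.
SAMPLE_ALERTS = [
    Alert("A1", "SSH brute force", "203.0.113.10", None, "ssh", True, False),
    Alert("A2", "Suspicious login", "203.0.113.10", "root", None, False, False),
    Alert("A3", "Privilege change", None, "root", None, False, True),
    Alert("A4", "Webshell upload", "198.51.100.7", None, "web", True, False),
    Alert("A5", "Abnormal process", None, "www-data", "web", False, False),
    Alert("A6", "Config drift", None, None, None, False, True),
]

# Characteristics on which alerts are correlated (assumption).
CORRELATION_FIELDS = ("src_ip", "user", "service")


def correlate(alerts: List[Alert]) -> List[List[Alert]]:
    """Group alerts with union-find so that alerts sharing any correlation
    characteristic, directly or through other alerts, land in one group."""
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x: str, y: str) -> None:
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    first_seen: Dict[tuple, str] = {}  # (field, value) -> first alert_id
    for a in alerts:
        for field in CORRELATION_FIELDS:
            value = getattr(a, field)
            if value is None:
                continue
            key = (field, value)
            if key in first_seen:
                union(first_seen[key], a.alert_id)
            else:
                first_seen[key] = a.alert_id

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.alert_id)].append(a)
    return sorted(groups.values(), key=lambda g: g[0].alert_id)


def count_alerts(groups: List[List[Alert]]) -> Dict[str, int]:
    """Counters as they would appear on the Alerts page: each aggregated
    alert counts once, and it is urgent if any member is urgent (assumption)."""
    return {
        "all": len(groups),
        "urgent": sum(1 for g in groups if any(a.urgent for a in g)),
    }


def split(groups: List[List[Alert]]) -> List[List[Alert]]:
    """Disabling the feature: every alert becomes an individual alert again."""
    return [[a] for g in groups for a in g]


def can_enable(alerts: List[Alert], limit: int = 10000) -> bool:
    """The switch can be turned on only when handled + unhandled alerts
    do not exceed the limit; archive alerts first if it does."""
    return len(alerts) <= limit


if __name__ == "__main__":
    groups = correlate(SAMPLE_ALERTS)
    for g in groups:
        print([a.alert_id for a in g])
    print("aggregated:", count_alerts(groups))
    print("individual:", count_alerts(split(groups)))
    print("can enable:", can_enable(SAMPLE_ALERTS))
```

With the constructed input, the six alerts collapse into three aggregated alerts, two of them urgent; splitting them restores six individual alerts with the same urgent count, which is why the All Alerts and Urgent Alerts totals change when the switch is toggled.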

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. If you use another edition, you must upgrade to Enterprise or Ultimate before you can use it. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the Alarm aggregation switch section, turn on Alert Association.
    Notice You can turn on Alert Association only when the number of alerts is less than or equal to 10,000. This number is the total of handled and unhandled alerts. If the number of alerts is greater than 10,000, archive alerts on the Alerts page to reduce the number below the limit, then turn on the switch. For more information, see Archive alerts.