TWTQ: Correlation rules vs. alert profiles

Hey everyone,
Here's This Week's Top Question (TWTQ):

Q: Which should I choose - correlation rules or alert profiles?

A: In essence, the main difference between correlation rules and alert profiles is that correlation rules are useful when you wish to check for anomalies or security incidents across multiple device types. On the other hand, alert profiles are useful to detect specific security incidents on individual, critical resources.

Here is a comparison between alert profiles and correlation rules:
  • A correlation rule specifies one or more events, occurring on one or more devices. An alert profile can only specify a single event, from a single device type. 
  • A correlation rule provides more power than an alert profile in defining a scenario. As a correlation rule can include more than one event, it allows you to specify the ordering of the events, time windows between events, and make use of various conditions.
  • Threshold limits can be specified in both correlation rules and alert profiles. However, while a correlation rule can check that a specific field's value is the same throughout all repetitions of an action, an alert profile cannot.

Here are a few examples to better understand the distinction between the two:
Brute force attack
A brute force attack consists of two distinct event types: failed logons followed by a successful logon. Because the scenario involves more than one event, you would have to use a correlation rule to describe it.

Multiple databases dropped within a short timeframe
Let's say you want to know when five or more databases are dropped on your Oracle Database servers, within five minutes. As this is a single event type (database dropped), a single device type (Oracle Database), and you don't wish to check for a common value among the occurrences, you can configure an alert profile and set a threshold value for the minimum number of occurrences.

Multiple databases dropped within a short timeframe, by the same user
Consider the previous scenario again, but this time you also want to ensure all databases are dropped by the same user. Though it is a single event and device type, an alert profile cannot be used to check that the username field has the same value for all occurrences. The correlation feature allows you to do this using the 'Constant within action' constraint. So, you would have to use a correlation rule for this scenario.
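The three scenarios above, as an added worked example that is not from the original post and not the product's own engine: a small Python sketch of how an alert profile (a count threshold on one event type from one device type), a correlation rule with the 'Constant within action' constraint (the same threshold, but grouped by a field that must stay constant), and an ordered multi-event correlation rule (failed logons followed by a successful logon for the same user) evaluate the same constructed sample events. The event names, field names, thresholds and the five-minute windows are assumptions chosen for the example.

```python
"""Toy correlation engine contrasting an alert profile with two correlation rules.

Added illustration only; the event records, field names and thresholds below are
constructed for the example and are not the product's rule language.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, device_type, event, user):
    """Build one constructed event record with a parsed timestamp."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "device_type": device_type, "event": event, "user": user}


# Constructed sample events (not real logs): a Windows logon burst for 'alice',
# a single failure for 'bob', and two bursts of Oracle 'database_dropped' audits.
EVENTS = [
    ev("2024-01-01 10:00:00", "Windows", "logon_failed", "alice"),
    ev("2024-01-01 10:00:10", "Windows", "logon_failed", "alice"),
    ev("2024-01-01 10:00:20", "Windows", "logon_failed", "alice"),
    ev("2024-01-01 10:00:30", "Windows", "logon_failed", "alice"),
    ev("2024-01-01 10:00:45", "Windows", "logon_success", "alice"),
    ev("2024-01-01 10:05:00", "Windows", "logon_failed", "bob"),
    ev("2024-01-01 10:06:00", "Windows", "logon_success", "bob"),
    ev("2024-01-01 11:00:00", "Oracle", "database_dropped", "dba1"),
    ev("2024-01-01 11:00:30", "Oracle", "database_dropped", "dba1"),
    ev("2024-01-01 11:01:00", "Oracle", "database_dropped", "dba1"),
    ev("2024-01-01 11:01:30", "Oracle", "database_dropped", "dba2"),
    ev("2024-01-01 11:02:00", "Oracle", "database_dropped", "dba2"),
    ev("2024-01-01 12:00:00", "Oracle", "database_dropped", "dba3"),
    ev("2024-01-01 12:00:15", "Oracle", "database_dropped", "dba3"),
    ev("2024-01-01 12:00:30", "Oracle", "database_dropped", "dba3"),
    ev("2024-01-01 12:00:45", "Oracle", "database_dropped", "dba3"),
    ev("2024-01-01 12:01:00", "Oracle", "database_dropped", "dba3"),
]


def alert_profile(events, device_type, event_type, threshold, window):
    """Alert profile: one event type on one device type, fire when >= threshold
    occurrences land inside a sliding window. No constraint across occurrences."""
    times = sorted(e["ts"] for e in events
                   if e["device_type"] == device_type and e["event"] == event_type)
    hits, q = [], deque()
    for t in times:
        q.append(t)
        while q and t - q[0] > window:       # drop occurrences older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.append((q[0], t))           # (first, last) timestamp of the burst
            q.clear()                        # fire once per burst, then start over
    return hits


def correlation_constant(events, device_type, event_type, threshold, window, field):
    """Correlation rule with 'Constant within action': same threshold as the alert
    profile, but evaluated separately per value of `field` (e.g. the user name)."""
    groups = defaultdict(list)
    for e in events:
        if e["device_type"] == device_type and e["event"] == event_type:
            groups[e[field]].append(e)
    return {key: hits for key, evs in groups.items()
            if (hits := alert_profile(evs, device_type, event_type, threshold, window))}


def correlation_brute_force(events, device_type, min_failures, window):
    """Ordered multi-event correlation rule: >= min_failures 'logon_failed' events,
    then a 'logon_success', all for the same user and inside the window."""
    failures = defaultdict(deque)            # per-user timestamps of recent failures
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["device_type"] != device_type:
            continue
        q = failures[e["user"]]
        while q and e["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if e["event"] == "logon_failed":
            q.append(e["ts"])
        elif e["event"] == "logon_success":
            if len(q) >= min_failures:
                hits.append((e["user"], q[0], e["ts"]))
            q.clear()                        # a success ends the sequence either way
    return hits


def run_all(events=EVENTS):
    """Evaluate the three scenarios from the post against the sample events."""
    five_min = timedelta(minutes=5)
    return {
        "brute_force": correlation_brute_force(events, "Windows", 3, five_min),
        "drops_any_user": alert_profile(events, "Oracle", "database_dropped", 5, five_min),
        "drops_same_user": correlation_constant(events, "Oracle", "database_dropped",
                                                5, five_min, "user"),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Run on the sample events, the alert profile fires twice (the mixed dba1/dba2 burst and the dba3 burst), while the same-user correlation rule fires only for dba3, which is exactly the distinction the third scenario draws; the brute-force rule fires for alice but not for bob, whose single failure is below the threshold.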

As correlation is a memory-intensive process, before creating a correlation rule, check whether the scenario could be covered by an alert profile instead. If you have a specific scenario in mind and are unsure about which to configure it as, you could always reach out to us and we'd be happy to help.