TWTQ: Selecting correlation rules for your business

TWTQ: Selecting correlation rules for your business

Hey everyone!

We're back with This Week's Top Query (TWTQ):

Q: How do I know which correlation rules to enable?

A: EventLog Analyzer provides you with over 30 predefined correlation rules, and we are working on adding more everyday. 

Every organization has different security requirements. To understand which rules are most relevant to you, you can first look at the rule description on the Manage Rules page (accessible by going to the Correlation tab -> Manage Rules).
Click on the icon shown to enable/disable respective rules

Look into the various rule descriptions to know which are valid to your business environment. We even encourage you to go into the rule definition page (access this by clicking on the update icon next to the required rule), and checking how the rule is structured. You can even modify the rule, to ensure it is tailor-made for your specific needs.

We would like to mention here that correlation is a highly memory-intensive process. So please select the rules you need carefully to ensure optimal performance :-)