Concept

Event correlation

Summary
Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.

Event correlation has been used in various fields for many years: since the 1970s, in telecommunications and industrial process control; since the 1980s, in network management and systems management; since the 1990s, in IT service management, publish-subscribe (pub/sub) systems, Complex Event Processing (CEP) and Security Information and Event Management (SIEM); and since the early 2000s, in Distributed Event-Based Systems and Business Activity Monitoring (BAM).

Integrated management is traditionally subdivided into various fields, either layer by layer (network management, system management, service management, etc.) or by management function (performance management, security management, etc.). Event correlation takes place in different components depending on the field of study:

Within the field of network management, event correlation is performed in a management platform typically known as a Network Management Station or Network Management System (NMS). For example, events may notify that a device has just rebooted or that a network link is currently down.

Within the field of systems management, an event may for instance report that the CPU utilization of an e-business server has been at 100% for over 15 minutes.

Within the field of service management, an event may notify that a Service-Level Objective is not met for a given customer, for example.

Within the field of security management, the management platform is usually known as the Security Information and Event Management (SIEM) system, and event correlation is often performed in a separate correlation engine. That engine may receive events directly in real time, or it may read them from SIEM storage. In this case, examples of monitored events include activity such as authentication, access to services and data, and output from point security tools such as an Intrusion Detection System (IDS) or antivirus software.
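The following is an added illustration, not part of this summary or of any SIEM product: a small correlation engine that reads a constructed stream of authentication, IDS and antivirus events, relates them by host and time window, and reduces the stream to the few incidents worth an analyst's attention. The event line format, the three rules, the threshold and window values, and all sample events are assumptions made for this example.

```python
"""Minimal event correlation over a constructed stream of security events.

Assumed line format (constructed for this example, not a real SIEM schema):
    "<ISO timestamp> <source> <host> <kind> <detail...>"
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # tool that emitted the event: auth, ids, av (assumed names)
    host: str     # host the event is about; the key on which events are related
    kind: str     # normalised event type
    detail: str = ""


def parse_event(line: str) -> Event:
    """Parse one constructed event line into an Event."""
    ts, source, host, kind, *rest = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), source, host, kind, rest[0] if rest else "")


def correlate(events, window=timedelta(minutes=10), fail_threshold=5):
    """Relate events by host and time and return the incidents that matter.

    Rules (assumed for illustration, not from any product):
      brute_force      : >= fail_threshold auth failures on one host inside `window`
      suspicious_login : an auth success on a host during such a run of failures
      host_compromise  : an IDS alert and an antivirus detection on the same
                         host within `window` of each other
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    incidents = []
    for host, evs in by_host.items():
        # Rules 1 and 2: sliding window over this host's authentication events.
        failures = []     # failures still inside the window
        brute = None      # the open brute_force incident, if any
        for e in (x for x in evs if x.source == "auth"):
            failures = [f for f in failures if e.ts - f.ts <= window]
            if e.kind == "login_failure":
                failures.append(e)
                if len(failures) >= fail_threshold:
                    if brute is None:
                        brute = {"rule": "brute_force", "host": host,
                                 "count": 0, "first": failures[0].ts, "at": e.ts}
                        incidents.append(brute)
                    brute["count"] = len(failures)   # keep counting, do not re-alert
                    brute["at"] = e.ts
            elif e.kind == "login_success" and len(failures) >= fail_threshold:
                incidents.append({"rule": "suspicious_login", "host": host,
                                  "after_failures": len(failures),
                                  "at": e.ts, "detail": e.detail})
                failures, brute = [], None   # the run is consumed; a new burst starts fresh

        # Rule 3: relate IDS and antivirus output from different point tools.
        ids_alerts = [x for x in evs if x.source == "ids"]
        av_hits = [x for x in evs if x.source == "av"]
        for a in ids_alerts:
            for v in av_hits:
                if abs(v.ts - a.ts) <= window:
                    incidents.append({"rule": "host_compromise", "host": host,
                                      "ids": a.detail, "av": v.detail,
                                      "at": max(a.ts, v.ts)})
                    break

    return sorted(incidents, key=lambda i: i["at"])


def correlate_lines(lines, **kwargs):
    """Convenience wrapper: parse raw lines, then correlate them."""
    return correlate([parse_event(line) for line in lines], **kwargs)


# Constructed sample stream: mostly routine logins, one host with a failure
# burst followed by a success and matching IDS/antivirus output, and one
# isolated IDS alert that should not become an incident on its own.
SAMPLE_LOG = """\
2024-05-01T09:00:00 auth 10.0.0.3 login_success user=alice
2024-05-01T09:00:30 auth 10.0.0.4 login_success user=bob
2024-05-01T09:01:00 auth 10.0.0.7 login_failure user=admin
2024-05-01T09:01:05 auth 10.0.0.7 login_failure user=admin
2024-05-01T09:01:10 auth 10.0.0.7 login_failure user=admin
2024-05-01T09:01:15 auth 10.0.0.7 login_failure user=admin
2024-05-01T09:01:20 auth 10.0.0.7 login_failure user=admin
2024-05-01T09:01:25 auth 10.0.0.7 login_failure user=admin
2024-05-01T09:01:40 auth 10.0.0.7 login_success user=admin
2024-05-01T09:02:00 auth 10.0.0.5 login_success user=carol
2024-05-01T09:03:00 ids 10.0.0.9 alert sig=port_scan
2024-05-01T09:05:00 ids 10.0.0.7 alert sig=unexpected_outbound_connection
2024-05-01T09:07:00 av 10.0.0.7 detection name=Trojan.Generic
2024-05-01T09:30:00 auth 10.0.0.3 login_failure user=alice
2024-05-01T09:31:00 auth 10.0.0.3 login_success user=alice
""".splitlines()

if __name__ == "__main__":
    for incident in correlate_lines(SAMPLE_LOG):
        print(incident)
```

Fifteen raw events become three incidents, all on the same host, which is the reduction the summary describes. The single failed login on 10.0.0.3 and the lone IDS alert on 10.0.0.9 stay below the rules' thresholds and are not surfaced; raising fail_threshold or shrinking window changes what is reported, which is why such parameters are tuned per environment rather than fixed.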
About this result
This page is generated automatically and may contain information that is not correct, complete, up to date or relevant to your search. The same applies to all other pages on this site. Be sure to verify the information against official EPFL sources.