Distinguishing and prioritizing significant alerts

In Chapter 6, Network Security Data Analysis, we looked at how individual systems might flag an occurrence as suspicious. Sometimes, however, an individual occurrence is not suspicious on its own. A good example of this is in identifying scams online. The first time you are told that you have won $1 million and should click through to say which account the money should be paid into, this might not seem suspicious, particularly if you were already on a competition site! But when your friend also wins $1 million, and then her friend, and several other people you know, that would certainly seem suspicious!

When identifying a scam, and when identifying a security alert, having data from multiple sources is often advantageous. Having aggregated data from multiple sources such as NetFlow, antivirus, IPS/IDS, and other logs, and normalized it to minimize contradictions and redundancy, we can treat the result as effectively a new data set from which to draw further conclusions. There are many management consoles that help to draw conclusions from such data. For 210-255, topic 4.9 specifically references the use of the Firepower Management Center:

Implementing Cisco Cybersecurity Operations (210-255) topic list:

4.9 Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the Firepower Management Center

In this section, we will look at how to use a management console to find correlations between multiple data sources and distinguish the most significant alerts. We will reference the Firepower Management Center, but will focus on the generic techniques, as the console itself will likely evolve and be updated over time.

A correlation rule combines a number of user-defined conditions to help identify significant alerts. In an ideal world, where memory, processing power, and licensing were unlimited, every alert would be investigated. As it is, evaluating a large number of multi-condition rules against every incoming event is itself a resource-consuming activity, so rules need to be chosen and prioritized rather than written for every conceivable combination of events.

Correlation rules and policies can be assigned a priority value from 1 to 5, with 1 being the highest priority and 5 being the lowest. In the 210-255 specification, there is no requirement to know all the possible correlation rule options. You may instead be given a selection of correlation rules and a set of events, and be asked to match the events to the rules; the highest priority rule that matches is the most significant alert and would be the correct answer. An example of this is given in the questions at the end of the chapter.
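To make the matching concrete, here is an added example (not code from the book, and not how the Firepower Management Center implements its correlation engine) of the generic technique: events from three sources are normalized to a common schema, each rule lists the conditions that must all be met by events from the same host within a time window, and the rules carry a priority from 1 (highest) to 5 (lowest). The sample events, the field names, the rule names and the conditions are all constructed for illustration.

```python
"""Toy multi-source correlation: rules with several conditions and a
priority from 1 (highest) to 5 (lowest). Added example, not FMC's engine."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample events, already normalized to one schema (the field
# names are assumptions, not any product's format). Three sources: an IDS,
# NetFlow and antivirus. Host 10.1.1.5 shows a multi-source pattern; host
# 10.1.1.7 only shows a low-severity sweep.
EVENTS: List[dict] = [
    {"source": "ids", "ts": 100, "host": "10.1.1.5", "peer": "203.0.113.9",
     "signature": "SQL injection attempt", "severity": "high"},
    {"source": "netflow", "ts": 110, "host": "10.1.1.5", "peer": "203.0.113.9",
     "dst_port": 443, "bytes_out": 52_000_000},
    {"source": "av", "ts": 120, "host": "10.1.1.5",
     "detection": "Trojan.Generic", "action": "quarantined"},
    {"source": "ids", "ts": 130, "host": "10.1.1.7", "peer": "10.1.1.20",
     "signature": "ICMP sweep", "severity": "low"},
    {"source": "netflow", "ts": 140, "host": "10.1.1.7", "peer": "10.1.1.20",
     "dst_port": 22, "bytes_out": 1_200},
]

Condition = Callable[[dict], bool]


@dataclass
class Rule:
    name: str
    priority: int                 # 1 = highest, 5 = lowest
    conditions: List[Condition]   # each must be met by some event of the host
    window: int = 600             # seconds within which the events must fall


@dataclass
class Match:
    rule: Rule
    host: str
    events: List[dict]            # one supporting event per condition


# Single-event conditions; a rule combines several of them.
def ids_high(e: dict) -> bool:
    return e["source"] == "ids" and e["severity"] == "high"

def av_detection(e: dict) -> bool:
    return e["source"] == "av" and "detection" in e

def big_outbound(e: dict) -> bool:
    return e["source"] == "netflow" and e["bytes_out"] > 10_000_000

def sweep(e: dict) -> bool:
    return e["source"] == "ids" and "sweep" in e["signature"].lower()


# Hypothetical rule set: the multi-source rule outranks any single-source rule.
RULES = [
    Rule("compromise_with_exfil", 1, [ids_high, av_detection, big_outbound]),
    Rule("large_outbound_transfer", 2, [big_outbound]),
    Rule("ids_high_severity", 3, [ids_high]),
    Rule("recon_sweep", 4, [sweep]),
]


def evaluate(rules: List[Rule], events: List[dict]) -> List[Match]:
    """Return every rule match, most significant (lowest priority number) first."""
    by_host: Dict[str, List[dict]] = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    matches: List[Match] = []
    for rule in rules:
        for host, evs in by_host.items():
            evs = sorted(evs, key=lambda e: e["ts"])
            for i, first in enumerate(evs):          # slide the window start
                in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= rule.window]
                supporting: List[dict] = []
                for cond in rule.conditions:
                    hit = next((e for e in in_window if cond(e)), None)
                    if hit is None:
                        break                        # a condition is unmet here
                    supporting.append(hit)
                else:                                # every condition was met
                    matches.append(Match(rule, host, supporting))
                    break                            # one match per rule per host
    matches.sort(key=lambda m: (m.rule.priority, m.events[0]["ts"]))
    return matches


def most_significant(rules: List[Rule], events: List[dict]) -> Optional[Match]:
    """The alert an analyst should look at first, or None if nothing matched."""
    matches = evaluate(rules, events)
    return matches[0] if matches else None


if __name__ == "__main__":
    for m in evaluate(RULES, EVENTS):
        print(f"P{m.rule.priority} {m.rule.name:<24} host={m.host} "
              f"sources={[e['source'] for e in m.events]}")
    top = most_significant(RULES, EVENTS)
    print("Most significant:", top.rule.name, "on", top.host)
```

Run as written, the priority 1 rule wins for 10.1.1.5 because all three sources agree within the window, even though the single-source rules (large transfer, high-severity IDS hit) also match on the same events. Drop the antivirus event and the same host falls to the priority 2 rule, which is the point of the scam analogy: one occurrence on its own is a weaker signal than several corroborating ones.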
