Identity Correlation

Identity correlation provides the ability to model users and associate them with events. Identity correlation can be accomplished using session lists for some scenarios (session correlation) and active lists for others (user or device correlation).

You can capture and record session-related data in a user-defined session list where it can be used for a number of purposes in identifying and tracking users in relation to MAC addresses, IP addresses, machines, network logons, and so forth.

Also, you can use a pre-populated active list to find a value and then use the value (as a variable) in a rule. You can use this strategy to identify entities or objects in a variety of scenarios such as correlating various user IDs (logins, e-mail addresses, badge IDs) to unique IDs; mapping unique user IDs to user roles; and even finding the status of a machine by its host name.

The following topics describe scenarios for using both resources, and include step-by-step examples of using sessions lists and active lists with rules and variables for identity correlation.