2.8 Correlation

A single event might seem trivial, but in combination with other events, it might warn you of a potential problem. Sentinel helps you correlate such events by using the rules you create and deploy in the Correlation Engine, and take appropriate action to mitigate any problems.

Correlation adds intelligence to security event management by automating the analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. Additionally, correlation rules are now associated with MITRE ATT&CK ID. For more information about correlation, see Correlating Event Data in the Sentinel User Guide.

To monitor events according to the correlation rules, you must deploy the rules in the Correlation Engine. When an event occurs that matches the rule criteria, the Correlation Engine generates a correlation event describing the pattern. For more information, see Correlating Event Data in the Sentinel User Guide.