Is it possible to write a HIDS policy that can watch events coming from all agents? Like a correlation engine. If so how? Do I apply the policy to the CSP Manager only? What log would I monitor? The idea is that I can raise flags for certain criteria and if I find that event coming from multiple agents, I can alert on it. Currently, all rules appear to apply only to each agent.