The component that performs automated, real-time correlation, aggregation, and filtering of events, as well as incident creation. To perform these functions, the Correlation Manager uses a set of rule files and a knowledge base to compare events against patterns of common network security threats.
The Information Manager component that identifies security threats and policy infractions by inspecting and tracking event data, asset vulnerabilities, and global threat information.
An event processing and correlation component that identifies security incidents by performing real-time, rule-based correlation, aggregation, and filtering of events from heterogeneous products. Correlation Manager normalizes event signatures and messages from disparate security products by mapping them to known standard event signatures and categories.
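The three definitions above name the same pipeline: normalize product-specific signatures to standard categories, filter noise, aggregate repeats, then apply correlation rules that create incidents. The following Python sketch is an added illustration of that pipeline and is not code from any product these definitions describe. The signature map, the single rule (repeated authentication failures followed by a success from the same source), the product names and the sample events are all constructed for the example, and events are batched in timestamp order rather than streamed in real time.

```python
"""Toy correlation manager: normalize -> filter -> aggregate -> correlate -> incident."""
from datetime import datetime, timedelta

# Constructed knowledge base: (product, signature) -> standard category.
# Hypothetical product names and signatures; a real knowledge base is far larger.
SIGNATURE_MAP = {
    ("sshd", "Failed password"): "AUTH_FAILURE",
    ("sshd", "Accepted password"): "AUTH_SUCCESS",
    ("windows", "4625"): "AUTH_FAILURE",
    ("windows", "4624"): "AUTH_SUCCESS",
    ("firewall", "DENY"): "NET_DENY",
}


def normalize(raw):
    """Map a raw event from any product to a standard category (UNKNOWN if unmapped)."""
    category = SIGNATURE_MAP.get((raw["product"], raw["signature"]), "UNKNOWN")
    return {"ts": raw["ts"], "src": raw["src"], "product": raw["product"], "category": category}


def filter_events(events, drop=("UNKNOWN",)):
    """Discard events no rule can use (here: anything the knowledge base did not map)."""
    return [e for e in events if e["category"] not in drop]


def aggregate(events, window=timedelta(minutes=5)):
    """Collapse repeated (category, src) events that arrive within `window` into one
    event carrying a count, the time span, and the set of products that reported it."""
    open_buckets = {}  # (category, src) -> aggregated event still accepting members
    out = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["category"], e["src"])
        agg = open_buckets.get(key)
        if agg is not None and e["ts"] - agg["last_ts"] <= window:
            agg["count"] += 1
            agg["last_ts"] = e["ts"]
            agg["products"].add(e["product"])
        else:
            agg = {**e, "count": 1, "last_ts": e["ts"], "products": {e["product"]}}
            open_buckets[key] = agg
            out.append(agg)
    return out


def correlate(agg_events, threshold=3, window=timedelta(minutes=5)):
    """Rule 'brute_force_success': at least `threshold` AUTH_FAILUREs from one source,
    followed by an AUTH_SUCCESS from that source within `window`, creates an incident."""
    incidents = []
    last_failure = {}  # src -> most recent aggregated AUTH_FAILURE event
    for e in sorted(agg_events, key=lambda ev: ev["ts"]):
        if e["category"] == "AUTH_FAILURE":
            last_failure[e["src"]] = e
        elif e["category"] == "AUTH_SUCCESS":
            f = last_failure.get(e["src"])
            if f and f["count"] >= threshold and e["ts"] - f["last_ts"] <= window:
                incidents.append({
                    "rule": "brute_force_success",
                    "src": e["src"],
                    "failures": f["count"],
                    "products": sorted(f["products"] | e["products"]),
                    "first_seen": f["ts"],
                    "last_seen": e["ts"],
                })
                del last_failure[e["src"]]  # one incident per burst
    return incidents


def run_pipeline(raw_events, threshold=3, window=timedelta(minutes=5)):
    """Full correlation-manager pass over a batch of raw events from mixed products."""
    events = filter_events(normalize(r) for r in raw_events)
    return correlate(aggregate(events, window), threshold, window)


# Constructed sample events from three heterogeneous sources (not real log data).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "product": "sshd", "signature": "Failed password", "src": "10.0.0.5"},
    {"ts": T0 + timedelta(seconds=10), "product": "sshd", "signature": "Failed password", "src": "10.0.0.5"},
    {"ts": T0 + timedelta(seconds=20), "product": "firewall", "signature": "DENY", "src": "10.0.0.9"},
    {"ts": T0 + timedelta(seconds=30), "product": "windows", "signature": "4625", "src": "10.0.0.5"},
    {"ts": T0 + timedelta(seconds=40), "product": "sshd", "signature": "Accepted password", "src": "10.0.0.5"},
    {"ts": T0 + timedelta(seconds=50), "product": "sshd", "signature": "Failed password", "src": "10.0.0.7"},
    {"ts": T0 + timedelta(seconds=60), "product": "sshd", "signature": "Accepted password", "src": "10.0.0.7"},
    {"ts": T0 + timedelta(seconds=70), "product": "antivirus", "signature": "heartbeat", "src": "10.0.0.7"},
]

if __name__ == "__main__":
    for inc in run_pipeline(SAMPLE_EVENTS):
        print(inc)
```

Only 10.0.0.5 produces an incident: its three failures (two from sshd, one from Windows, counted together because normalization mapped both to AUTH_FAILURE) precede a success within the window, while 10.0.0.7 has a single failure and the antivirus heartbeat is filtered out as unmapped. Raising `threshold` to 4 yields no incident, which is the kind of tuning a rule file controls.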