Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Definition of correlation


The word correlation has various meanings and different interpretations. The most basic definition is that correlation is simply a relationship between two or more things. The relationship can be parallel, causal, reciprocal, linear, or nonlinear, and be associated with functions of time or other functions. Correlation can be thought of as an expressed function of an independent variable, yielding a dependent value.

BMC Defender Server performs semantic correlation: it derives meaning from the content of messages. This is distinct from purely statistical correlation methods, although statistical functions are also provided in various locations within the BMC Defender Server program.

In terms of an expressed function, the input to BMC Defender Server (that is, the independent variable) is an arbitrary textual message generated by a device, or generated internally by BMC Defender Server. The output of BMC Defender Server (that is, the dependent variable) is a specific meaning associated with those messages, or in many cases a very specific action that the program executes.

Operationally, BMC Defender Server finds meaning in messages by using simple or complex match patterns that divide messages into Threads. Additionally, BMC Defender Server employs triggers to establish context for messages, and Alerts to monitor specific message rates. Once the meaning of a message (or group of messages) is determined, BMC Defender Server takes a specific action, such as sending a syslog message, running a program, or opening a ticket and assigning that ticket to a user or group.
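The following is an added illustration of the three mechanisms just described (match patterns that sort messages into Threads, triggers that establish context, and Alerts that watch message rates) as a small correlator in Python. It is not BMC Defender Server code and does not use its configuration format or API; the rule classes, their field names, the action strings, and the log lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical rule objects modelled on the concepts in the text; the class
# names and fields are assumptions for this example, not the product's API.

@dataclass
class Thread:           # a match pattern that assigns a meaning (thread) to a message
    name: str
    pattern: re.Pattern

@dataclass
class Trigger:          # a matched message establishes context for later messages
    name: str
    on_thread: str
    key: str            # named group whose value scopes the context (for example, a source address)
    ttl: int            # seconds the context stays live

@dataclass
class Alert:            # a rate monitor over one thread
    name: str
    thread: str
    key: str
    threshold: int
    window: int         # seconds
    action: str

@dataclass
class ContextRule:      # meaning that depends on earlier context (a many-to-one relationship)
    name: str
    thread: str
    needs_trigger: str
    key: str
    action: str

THREADS = [
    Thread("auth_failure", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    Thread("auth_success", re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")),
    Thread("link_state", re.compile(r"kernel: link (?P<state>up|down) on (?P<iface>\S+)")),
]
TRIGGERS = [Trigger("recent_failures", "auth_failure", "src", ttl=60)]
ALERTS = [Alert("failure_burst", "auth_failure", "src", threshold=3, window=30,
                action="open_ticket:auth_failure_burst")]
CONTEXT_RULES = [ContextRule("success_after_failures", "auth_success", "recent_failures", "src",
                             action="syslog:success_after_failures")]

# Constructed sample messages as (timestamp in seconds, text); not real log data.
SAMPLE_MESSAGES = [
    (0, "host1 sshd: Failed password for admin from 10.0.0.5"),
    (5, "host1 sshd: Failed password for admin from 10.0.0.5"),
    (9, "host1 sshd: Failed password for admin from 10.0.0.5"),
    (12, "host1 sshd: Accepted password for admin from 10.0.0.5"),
    (40, "host2 sshd: Accepted password for bob from 10.0.0.9"),
    (100, "host1 kernel: link up on eth0"),
    (101, "host1 cron: job finished"),
]

class Correlator:
    def __init__(self, threads, triggers, alerts, context_rules):
        self.threads, self.triggers = threads, triggers
        self.alerts, self.context_rules = alerts, context_rules
        self.context = {}                  # (trigger name, key value) -> expiry timestamp
        self.windows = defaultdict(deque)  # (alert name, key value) -> recent timestamps
        self.actions = []                  # (timestamp, action, key value)

    def classify(self, text):
        """Return (thread name, extracted fields) for the first matching pattern."""
        for t in self.threads:
            m = t.pattern.search(text)
            if m:
                return t.name, m.groupdict()
        return None, {}

    def process(self, ts, text):
        thread, fields = self.classify(text)
        if thread is None:
            return None  # no pattern matched: the message carries no assigned meaning
        # 1. Context rules run first, so a message cannot satisfy a trigger it sets itself.
        for rule in self.context_rules:
            if rule.thread == thread and self.context.get((rule.needs_trigger, fields[rule.key]), -1) >= ts:
                self.actions.append((ts, rule.action, fields[rule.key]))
        # 2. Triggers set or refresh context scoped by the key value.
        for trig in self.triggers:
            if trig.on_thread == thread:
                self.context[(trig.name, fields[trig.key])] = ts + trig.ttl
        # 3. Alerts count matches per key value inside a sliding window; fire when the count reaches the threshold.
        for alert in self.alerts:
            if alert.thread == thread:
                q = self.windows[(alert.name, fields[alert.key])]
                q.append(ts)
                while q and q[0] < ts - alert.window:
                    q.popleft()
                if len(q) == alert.threshold:
                    self.actions.append((ts, alert.action, fields[alert.key]))
        return thread

def run(messages):
    """Correlate a message list; return the thread per message and the actions taken."""
    c = Correlator(THREADS, TRIGGERS, ALERTS, CONTEXT_RULES)
    return [c.process(ts, text) for ts, text in messages], c.actions

if __name__ == "__main__":
    for item in run(SAMPLE_MESSAGES)[1]:
        print(item)
```

With the sample input, the third failure from the same address within the 30-second window reaches the Alert threshold and opens a ticket, and the later success from that address matches the context the trigger established, so a syslog action is taken; the success from the other address and the link-state message produce no action, and the cron line matches no pattern and is assigned no thread.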

The various algorithms and rules implemented by BMC Defender Server provide a large degree of freedom in establishing one-to-many and many-to-one relationships. This correlation process is easy to get started with but has considerable depth. Because the terms correlation and semantic are quite abstract, any correlation whose purpose is to furnish meaning to an arbitrary input stream of data must necessarily have this depth and flexibility. Some of this flexibility might appear intimidating at first glance, especially without the explanation and application notes furnished herein.
