AlienVault® USM Appliance™

Cross-Correlation Rules

Applies to Product: USM Appliance™, AlienVault OSSIM®

The correlation engine uses cross-correlation rules to connect NIDS events with vulnerabilities discovered by the AlienVault Vulnerability Scanner.

AlienVault USM Appliance provides a web interface, Configuration > Threat Intelligence > Cross Correlation, for you to examine, modify, and create cross-correlation rules.

Cross Correlation window from Threat Intelligence.

Use the navigation controls at the bottom of the page to move to the following pages and see more rules. You can also click the search icon to display the search box, and then search by Data Source Name, Event Type, Ref Name, and Ref SID Name.

Quick Search box for cross-correlation rules.

To view a cross-correlation rule, do one of the following:

  • Double-click the rule.
  • Highlight the rule and click Modify.

For example, the following cross-correlation rule ties an AlienVault NIDS login failed event for the "sa" account on a Microsoft SQL Server to a vulnerability finding that the account has a blank password. The correlated event created in this case indicates that someone is trying to log in to the system using a password, while the system itself has been configured without a password.

Modify Cross Correlation options.
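
The matching that such a rule describes can be sketched as a join between NIDS events and scanner findings. This is an added illustration, not AlienVault code; the field names, SIDs, IP addresses, and the choice to match on the event's destination host are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CrossRule:
    data_source: str   # source of the triggering event (here the NIDS)
    event_sid: int     # event type id (constructed value)
    ref_name: str      # reference data source (here the vulnerability scanner)
    ref_sid: int       # vulnerability check id (constructed value)

# Constructed rule modelled on the page's example: NIDS "sa" login failed,
# cross-referenced with a scanner finding of a blank "sa" password.
RULES = [CrossRule("nids", 1001, "vuln-scanner", 2001)]

# Constructed scanner results: host -> set of vulnerability check ids found.
VULNS = {"10.0.0.5": {2001}, "10.0.0.6": {2999}}

# Constructed NIDS events.
EVENTS = [
    {"source": "nids", "sid": 1001, "src": "10.0.0.50", "dst": "10.0.0.5"},
    {"source": "nids", "sid": 1001, "src": "10.0.0.50", "dst": "10.0.0.6"},
    {"source": "nids", "sid": 1002, "src": "10.0.0.51", "dst": "10.0.0.5"},
    {"source": "nids", "sid": 1001, "src": "10.0.0.52", "dst": "10.0.0.9"},
]

def cross_correlate(events, vulns, rules):
    """Return one correlated record per event whose destination host has the
    vulnerability that a rule pairs with that event type (assumed semantics)."""
    index = {}
    for r in rules:
        index.setdefault((r.data_source, r.event_sid), []).append(r)
    hits = []
    for ev in events:
        for r in index.get((ev["source"], ev["sid"]), []):
            # Hosts that were never scanned have no findings and never match.
            if r.ref_sid in vulns.get(ev["dst"], set()):
                hits.append({"host": ev["dst"], "src": ev["src"],
                             "event_sid": ev["sid"], "ref_sid": r.ref_sid})
    return hits

if __name__ == "__main__":
    for hit in cross_correlate(EVENTS, VULNS, RULES):
        print(hit)
```

Only the first event correlates: the second host has a different finding, the third event is a different event type, and the fourth host has no scan results, which shows why stale or missing scan data silently suppresses cross-correlated events.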