Use historical correlation to run past events and flows through the custom rules engine (CRE) to identify threats or security incidents that already occurred.
You cannot use historical correlation in Log Manager. For more information about the differences between JSA and Log Manager, see Capabilities in Your JSA Product.
By default, a JSA deployment analyzes information that is collected from log sources and flow sources in near real-time. With historical correlation, you can correlate by either the start time or the device time. Start time is the time at which JSA received the event. Device time is the time at which the event occurred on the device, as reported in the event payload. Because device time comes from the log source rather than from JSA, it is only as trustworthy as that source's clock; if you correlate by device time, make sure that your log sources are time-synchronized, otherwise events from a source with a skewed clock are placed out of sequence.
Historical correlation can be useful in the following situations:
Analyzing bulk data--If you bulk load data into your JSA deployment, you can use historical correlation to correlate that data against data that was collected in real-time. For example, to avoid performance degradation during normal business hours, you load events from multiple log sources every night at midnight. Because all of the bulk-loaded events are received within the same short load window, correlating them by start time would compress an entire day into a few minutes and obscure the order in which things happened. Correlate by device time instead to see the sequence of network events as they actually occurred during the previous 24 hours.
Testing new rules--You can run historical correlation to test new rules before they affect production. For example, one of your servers was recently attacked by new malware for which you have no rules in place. You create a rule to detect that malware and then use historical correlation to run the rule against historical data to see whether it would have fired if it had been in place at the time of the attack. In the same run, you can determine when the attack first occurred and how often it recurred. You can continue to tune the rule against the historical data and then move it into a production environment.
Re-creating offenses that were lost or purged--If your system lost offenses because of an outage or other reason, you can re-create the offenses by running historical correlation on the events and flows that came in during that time.
Identifying previously hidden threats--As information becomes known about the latest security threats, you can use historical correlation to identify network events that already occurred but did not match any rule at the time and therefore never generated an offense. You can quickly test for threats that have already compromised your organization's systems or data.
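The following Python sketch is an added illustration of the start-time versus device-time distinction and of the rule-testing workflow described above; it is not JSA code and does not describe how the CRE is implemented. It replays a hypothetical brute-force rule ("a successful login from a source that produced at least three failed logins in the preceding 60 seconds") over a constructed batch of events that were bulk-loaded at midnight. The event fields, the rule thresholds, the sample events and the assumed load order (server success records loaded before firewall failure records) are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    device_time: datetime  # time the event occurred on the device
    start_time: datetime   # time the event was received by JSA
    source_ip: str
    category: str          # "auth_fail" or "auth_success" (assumed categories)


def t(h, m, s):
    """Device time on the day being analyzed (constructed sample data)."""
    return datetime(2024, 1, 1, h, m, s)


# Constructed sample: the whole day's events are bulk-loaded just after midnight.
# Assumed load order: the server's success records are loaded before the
# firewall's failure records, so start_time no longer reflects the real sequence.
MIDNIGHT = datetime(2024, 1, 2, 0, 0, 0)
SAMPLE = [
    Event(t(9, 0, 50),   MIDNIGHT + timedelta(seconds=1),  "10.0.0.5", "auth_success"),
    Event(t(14, 30, 20), MIDNIGHT + timedelta(seconds=2),  "10.0.0.9", "auth_success"),
    Event(t(16, 0, 0),   MIDNIGHT + timedelta(seconds=3),  "10.0.0.7", "auth_success"),
    Event(t(9, 0, 5),    MIDNIGHT + timedelta(seconds=10), "10.0.0.5", "auth_fail"),
    Event(t(9, 0, 20),   MIDNIGHT + timedelta(seconds=11), "10.0.0.5", "auth_fail"),
    Event(t(9, 0, 35),   MIDNIGHT + timedelta(seconds=12), "10.0.0.5", "auth_fail"),
    Event(t(14, 30, 0),  MIDNIGHT + timedelta(seconds=13), "10.0.0.9", "auth_fail"),
    Event(t(14, 30, 5),  MIDNIGHT + timedelta(seconds=14), "10.0.0.9", "auth_fail"),
    Event(t(14, 30, 10), MIDNIGHT + timedelta(seconds=15), "10.0.0.9", "auth_fail"),
    Event(t(15, 59, 30), MIDNIGHT + timedelta(seconds=16), "10.0.0.7", "auth_fail"),  # single failure, benign
]


def brute_force_success(events, time_key, failures=3, window=timedelta(seconds=60)):
    """Hypothetical rule: an auth_success from a source that produced at least
    `failures` auth_fail events within the preceding `window`.

    `time_key` selects the clock the replay is ordered by: "device_time" or
    "start_time". Returns a list of (match_time, source_ip) tuples."""
    ordered = sorted(events, key=lambda e: getattr(e, time_key))
    recent = defaultdict(deque)  # per-source timestamps of recent failures
    matches = []
    for e in ordered:
        now = getattr(e, time_key)
        q = recent[e.source_ip]
        while q and now - q[0] > window:  # drop failures outside the window
            q.popleft()
        if e.category == "auth_fail":
            q.append(now)
        elif e.category == "auth_success" and len(q) >= failures:
            matches.append((now, e.source_ip))
            q.clear()  # one offense per burst
    return matches


def summarize(matches):
    """First occurrence and frequency, the two figures used when tuning a rule."""
    if not matches:
        return None
    return {"first": min(m for m, _ in matches), "count": len(matches)}


if __name__ == "__main__":
    for key in ("start_time", "device_time"):
        hits = brute_force_success(SAMPLE, key)
        print(f"ordered by {key}: {len(hits)} match(es), summary={summarize(hits)}")
```

Ordered by start time, the successes are processed before any of the failures, so the rule never fires; ordered by device time, it fires twice and reports the first occurrence at 09:00:50, which is the sequence the page tells you to recover by correlating bulk-loaded data by device time.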