Correlation Contexts

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance uses Correlation Contexts to allow overlapping networks. A USM Appliance Server can handle overlapping networks when they are connected to different USM Appliance Sensors. A common use case is two branches of the same company that use the same private addresses but belong to different networks. In this case, you can deploy different USM Appliance Sensors to monitor the different networks, and use Contexts to differentiate events coming from overlapping IP addresses by assigning a unique Context to each USM Appliance Sensor. You can then create policies or run reports on individual Contexts.

Note: Directives do not support contextual filtering as they are processed at the server level. However, you can create correlation rules based on a specific sensor, achieving a similar effect.

When a USM Appliance Server or USM Appliance All-in-One detects a new USM Appliance Sensor trying to connect, it posts the following question on the Configuration > Deployment > Sensors page:

"Does this sensor monitor a network already monitored by another sensor?"

If you select “yes”, you need to select a sensor that monitors the same network; the two sensors then share the same Context.

If you select “no”, USM Appliance creates a new Context for the new sensor, which allows the networks to overlap.
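
The effect of the yes/no choice on event attribution can be seen in a small model. This is an added illustration, not USM Appliance code or its API: the `ContextRegistry` class, the `ctx-N` identifiers, the sensor names and the sample events are all constructed for the example.

```python
from collections import defaultdict

class ContextRegistry:
    """Toy model of sensor-to-Context assignment (hypothetical, not product code)."""

    def __init__(self):
        self.sensor_context = {}  # sensor name -> Context id

    def register(self, sensor, shares_network_with=None):
        # "yes": reuse the Context of the sensor that monitors the same network.
        # "no": create a new Context, which permits overlapping address space.
        if shares_network_with is not None:
            ctx = self.sensor_context[shares_network_with]
        else:
            ctx = f"ctx-{len(set(self.sensor_context.values())) + 1}"
        self.sensor_context[sensor] = ctx
        return ctx

def group_events(events, registry, use_context=True):
    """Group event signatures per asset, keyed by (Context, IP) or by IP alone."""
    assets = defaultdict(list)
    for sensor, src_ip, signature in events:
        ctx = registry.sensor_context[sensor]
        key = (ctx, src_ip) if use_context else src_ip
        assets[key].append(signature)
    return dict(assets)

def demo():
    reg = ContextRegistry()
    reg.register("sensor-branch-a")                      # answered "no"
    reg.register("sensor-branch-b")                      # answered "no"
    reg.register("sensor-branch-a2", "sensor-branch-a")  # answered "yes"
    # Constructed events: (sensor, source IP, signature).
    events = [
        ("sensor-branch-a", "192.168.1.10", "ssh auth failure"),
        ("sensor-branch-b", "192.168.1.10", "ssh auth failure"),
        ("sensor-branch-a2", "192.168.1.10", "ssh auth success"),
    ]
    return reg, group_events(events, reg, True), group_events(events, reg, False)

if __name__ == "__main__":
    reg, with_ctx, ip_only = demo()
    print("Keyed by (Context, IP):", with_ctx)
    print("Keyed by IP only:      ", ip_only)
```

Keyed by IP alone, the failure seen in branch B is merged with the failure and success seen in branch A, so two different hosts look like one; keyed by Context and IP, the branch B host stays separate.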

AlienVault OSSIM Limitations: USM Appliance includes a faster and more robust correlation section with more complex correlation directives. LevelBlue OSSIM has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.