One or more out-of-the-box directives, or rules, performed by the correlation engine of the Sheriff CSM Server. These look at and connect multiple events to assess their relative priority and reliability. The events then get re-injected into the Sheriff CSM Server process as though they were coming from the Sheriff CSM Sensor (Deputy). For more information about correlation rules, see Correlation Rules.
Elevated parameters that Sheriff CSM evaluates, based on existing policy configurations and event risk. An alarm is generated when the risk of an event is >= 1. Because risk is calculated as Risk = asset value * (reliability * priority / 25), the likelihood of an alarm will be influenced by the asset or network value. It is important to consider correlation settings in regard to risk values, as you may want multiple directive rules depending on reliability and asset values. For more information about directives, see Event Correlation.
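As an added worked example (not part of the Sheriff CSM documentation), the following Python applies the risk formula above to a few constructed events and derives, for each asset value, the lowest reliability at which a directive of a given priority crosses the alarm threshold. The 0-5 asset value and priority scales and the 0-10 reliability scale are assumptions, not stated on this page.

```python
# Worked example of the page's risk formula: Risk = asset value * (reliability * priority / 25),
# with an alarm raised when Risk >= 1. Scale bounds below are assumptions, not from the page.
MAX_ASSET_VALUE = 5
MAX_RELIABILITY = 10


def risk(asset_value, reliability, priority):
    """Risk exactly as the documentation states it (kept as a float, no rounding)."""
    return asset_value * (reliability * priority / 25)


def raises_alarm(asset_value, reliability, priority):
    """The alarm condition from the documentation: risk of the event >= 1."""
    return risk(asset_value, reliability, priority) >= 1


def min_reliability(asset_value, priority):
    """Lowest integer reliability at which this asset/priority pair alarms, or None if it never can.

    Rearranging asset * rel * prio / 25 >= 1 gives rel >= 25 / (asset * prio); integer
    ceiling division avoids floating-point edge cases right at the threshold.
    """
    product = asset_value * priority
    if product == 0:
        return None  # asset value 0 or priority 0 can never reach risk 1
    needed = -(-25 // product)
    return needed if needed <= MAX_RELIABILITY else None


def alarm_threshold_table(priority):
    """Map each asset value to the reliability a directive of this priority needs to alarm."""
    return {asset: min_reliability(asset, priority) for asset in range(MAX_ASSET_VALUE + 1)}


# Constructed sample events (not real Sheriff CSM output) used to exercise the formula.
SAMPLE_EVENTS = [
    {"name": "directive match on a low-value host", "asset_value": 1, "reliability": 5, "priority": 5},
    {"name": "weak match on a critical host", "asset_value": 5, "reliability": 2, "priority": 2},
    {"name": "strong match on a mid-value host", "asset_value": 3, "reliability": 10, "priority": 5},
    {"name": "anything on an asset valued 0", "asset_value": 0, "reliability": 10, "priority": 5},
]


def evaluate(events):
    """Return (name, risk, alarm?) for each event so the effect of asset value is visible."""
    return [(e["name"], risk(e["asset_value"], e["reliability"], e["priority"]),
             raises_alarm(e["asset_value"], e["reliability"], e["priority"])) for e in events]


if __name__ == "__main__":
    for name, r, alarm in evaluate(SAMPLE_EVENTS):
        print(f"{name:40s} risk={r:.2f} alarm={alarm}")
    print("priority 5 thresholds:", alarm_threshold_table(5))
```

The threshold table shows why a single directive rarely fits every asset: at priority 5 an asset valued 1 needs reliability 5 to alarm, while an asset valued 5 alarms at reliability 1.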
Depending on how your policies are configured, this can account for alarms coming from various sources. For example, policies set up in the Default policy group can process alarms from events, while Policies for events generated in the server will only target server events. For more information about policy groups, see The Policy View.
Alarms are generated and processed differently for events related to OTX pulses. For more information, see Viewing OTX Alarms.
Alarms are sorted into five different categories, which are represented by the graphic icons in the display. These are: