Sheriff CSM™
Correlation Contexts
Sheriff CSM uses Correlation Contexts to allow overlapping networks. A Sheriff CSM Server can handle overlapping networks when they are connected to different Sheriff CSM Sensors (Deputies). A common use case would be two branches of the same company using the same private addresses, but obviously belonging to different networks. In this case, you can deploy different Sheriff CSM Sensors to monitor different networks, and use Contexts to differentiate events coming from overlapping IP addresses by assigning a unique Context to each Sheriff CSM Sensor. You can then create policies or run reports on individual contexts.
Note: Directives do not support contextual filtering as they are processed at the server level. However, you can create correlation rules based on a specific Sensor, achieving a similar effect.
When a Sheriff CSM Server or Sheriff CSM All-in-One detects that a new Sheriff CSM Sensor tries to connect, on the Configuration > Deployment > Sensors page, it posts the following question: "Does this Sensor monitor a network already monitored by another Sensor?"
If you select “yes”, you need to select a Sensor that monitors the same network; the two Sensors then share the same Context.
If you select “no”, Sheriff CSM creates a new Context for this new Sensor, allowing for network overlapping.
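The following conceptual illustration is added here and is not Sheriff CSM code. It shows why events from overlapping address space need to be keyed by Context as well as by IP address: counting on IP alone merges two unrelated hosts and trips a threshold that neither host reached. The Sensor names, Context names, events and threshold are all constructed for the example.

```python
from collections import Counter

# Constructed Sensor-to-Context assignment (hypothetical names).
# branch-a-2 answered "yes" and shares branch-a-1's Context;
# branch-b-1 answered "no" and received its own Context.
SENSOR_CONTEXT = {
    "branch-a-1": "ctx-branch-a",
    "branch-a-2": "ctx-branch-a",
    "branch-b-1": "ctx-branch-b",
}

# Constructed events: (reporting Sensor, source IP, event type).
EVENTS = [
    ("branch-a-1", "192.168.1.10", "auth_failure"),
    ("branch-a-2", "192.168.1.10", "auth_failure"),
    ("branch-b-1", "192.168.1.10", "auth_failure"),
    ("branch-b-1", "192.168.1.10", "auth_failure"),
    ("branch-a-1", "192.168.1.10", "auth_failure"),
]


def count_by_ip(events):
    """Key on IP alone: hosts in different branches collapse into one."""
    return Counter(ip for _sensor, ip, _type in events)


def count_by_context(events, sensor_context):
    """Key on (Context, IP): overlapping addresses stay separate."""
    counts = Counter()
    for sensor, ip, _type in events:
        if sensor not in sensor_context:
            # An unmapped Sensor must not silently fall into a shared bucket.
            raise ValueError(f"sensor {sensor!r} has no Context assigned")
        counts[(sensor_context[sensor], ip)] += 1
    return counts


def over_threshold(counts, threshold):
    """Return the keys whose event count reaches the threshold."""
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(over_threshold(count_by_ip(EVENTS), 4))
    print(over_threshold(count_by_context(EVENTS, SENSOR_CONTEXT), 4))
```
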
Sheriff Vigilante Limitations: Sheriff CSM includes a faster and more robust correlation section with more complex correlation directives. Sheriff Vigilante has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.