Task: Correlate Events
In this task, the second level of event correlation is performed. Once a significant event is received (after filtering), its level of significance is determined. Based on this, the further action to be taken on the event is decided.
    Main Description

    All significant events (from configuration items of different technologies) are collated and a second level of correlation is carried out. Event correlation may be performed by a human or a correlation engine. This involves comparing the event with a set of criteria and rules in a prescribed order. The event may represent some impact on the business or IT infrastructure, and the rules can be used to determine the level and type of impact.

    Examples of what correlation engines may consider:

    • Number of similar events (e.g. this is the third time that the same user has logged in with the incorrect password; a business application reports that there has been an unusual pattern of usage of a mobile telephone that could indicate that the device has been lost or stolen)
    • Number of technology configuration items generating similar events
    • Whether a specific action is associated with the code or data in the event
    • Whether the event represents an exception
    • A comparison of utilization information in the event with a maximum or minimum standard (e.g. has the device exceeded a threshold?)
    • Whether additional data is required to investigate the event further, and possibly even a collection of that data by polling another system or database
    • Categorization of the event
    • Assigning a priority level to the event.

    Based on the nature and type of events, the type of response to be initiated is selected.
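
The following sketch is an added example, not part of the original process description. It shows rules evaluated in a prescribed order, with a category and priority assigned to each event. The event fields, thresholds, time window, category names and sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW = 300          # seconds of history considered (assumed value)
REPEAT_LIMIT = 3      # similar events for one subject, e.g. third failed login
CI_SPREAD_LIMIT = 3   # distinct configuration items raising the same kind
UTIL_MAX = 90.0       # utilization threshold in percent (assumed value)

@dataclass
class Event:
    ts: int             # epoch seconds
    ci: str             # configuration item that raised the event
    kind: str           # e.g. "auth_failure", "utilization", "link_down"
    subject: str = ""   # user or resource the event is about
    value: float = 0.0  # utilization reading, if any

class Correlator:
    def __init__(self):
        self.history = defaultdict(deque)  # kind -> events inside the window

    def correlate(self, ev):  # returns (category, priority)
        recent = self.history[ev.kind]
        recent.append(ev)
        while recent[0].ts < ev.ts - WINDOW:  # drop events outside the window
            recent.popleft()
        cis = {e.ci for e in recent}
        repeats = sum(1 for e in recent if e.subject == ev.subject)
        rules = [  # (condition, category, priority); first match wins
            (len(cis) >= CI_SPREAD_LIMIT, "widespread", 1),
            (ev.subject != "" and repeats >= REPEAT_LIMIT, "repeated", 2),
            (ev.kind == "utilization" and ev.value > UTIL_MAX, "threshold", 3),
        ]
        for matched, category, priority in rules:
            if matched:
                return category, priority
        return "informational", 4

SAMPLE = [  # constructed sample events
    Event(0, "vpn-gw", "auth_failure", "alice"),
    Event(20, "vpn-gw", "auth_failure", "alice"),
    Event(45, "vpn-gw", "auth_failure", "alice"),
    Event(50, "db-01", "utilization", "disk", 95.0),
    Event(60, "sw-01", "link_down"),
    Event(61, "sw-02", "link_down"),
    Event(62, "sw-03", "link_down"),
    Event(900, "vpn-gw", "auth_failure", "alice"),
]
def run(events):
    engine = Correlator()
    return [engine.correlate(e) for e in events]
```

The last sample event falls outside the window, so the earlier failed logins no longer count toward the repeat rule.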