An event could be any number of things; essentially, an event is something that happens. Lots of things happen: you boil a kettle, add coffee granules to a cup, add milk to the cup, add boiling water (I’ll let you comment on the order in the comments below!), pick up the cup, and drink the contents. These events are all part of a process to make a cup of coffee to drink, and if you were told about one of these events on its own, you might be able to guess what it relates to, but it would be just a guess.
A recent example of event correlation in my house is when, a few days before my daughter’s birthday (event #1), a delivery driver arrived with a parcel (event #2). The correlation between these two events led my daughter to believe her present was in the parcel. Whether she was right or wrong (in this instance she was right, but didn’t guess what was in the box correctly, based on event number 3: shaking the box) isn’t the point—cause isn’t always aligned to correlation.
In IT, when something happens, it is often written as a log entry: a textual record of the event. Being able to collect these individual log events and make them available in a single solution means you can look at each event and use that data to correlate it with other events.
A commonly referenced example of event correlation goes like this: 500 login failures are recorded as events against one of your systems; a login success is followed by a configuration change; the same source IP then connects to a database; and three days later the big event hits the news: your company has leaked the records of all of your customers. Out of the millions of events recorded during that time window, these few event records, when correlated together, answer the questions of how the attacker gained access to your systems, what changes were made, and what records were accessed.
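The chain above, written as a correlation rule: an added example, not code from the original post. It assumes a constructed log format of `<ISO timestamp> <source_ip> <event_type>` and the event names LOGIN_FAIL, LOGIN_SUCCESS, CONFIG_CHANGE and DB_CONNECT; the sample data is constructed to match the scenario, plus one normal user who should not trigger the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Chain the rule looks for, all from one source IP and inside one time window:
# >= fail_threshold LOGIN_FAIL, then LOGIN_SUCCESS, then the steps below in order.
STEPS_AFTER_SUCCESS = ("CONFIG_CHANGE", "DB_CONNECT")

def parse(line):
    """Parse a constructed '<ISO timestamp> <source_ip> <event_type>' log line."""
    ts, ip, event = line.split()
    return datetime.fromisoformat(ts), ip, event

def in_order(events, steps):
    """True if every step appears in events in the given order (subsequence test)."""
    it = iter(events)
    return all(step in it for step in steps)

def correlate(lines, fail_threshold=500, window=timedelta(hours=1)):
    """Group events by source IP and return one finding per IP that matches the chain."""
    by_ip = defaultdict(list)
    for ts, ip, event in sorted(parse(line) for line in lines):
        by_ip[ip].append((ts, event))
    findings = []
    for ip, events in by_ip.items():
        fails = []
        for i, (ts, event) in enumerate(events):
            if event == "LOGIN_FAIL":
                fails.append(ts)
            elif event == "LOGIN_SUCCESS":
                recent = [t for t in fails if ts - t <= window]  # failures just before success
                later = [e for t, e in events[i + 1:] if t - ts <= window]
                if len(recent) >= fail_threshold and in_order(later, STEPS_AFTER_SUCCESS):
                    findings.append({"source_ip": ip, "failures": len(recent),
                                     "success_at": ts.isoformat()})
                    break  # one finding per source IP is enough
    return findings

def sample_log():
    """Constructed sample: the attacker chain from 203.0.113.7, a normal user at 198.51.100.5."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    at = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = [f"{at(seconds=i)} 203.0.113.7 LOGIN_FAIL" for i in range(500)]
    lines += [f"{at(minutes=9)} 203.0.113.7 LOGIN_SUCCESS",
              f"{at(minutes=12)} 203.0.113.7 CONFIG_CHANGE",
              f"{at(minutes=15)} 203.0.113.7 DB_CONNECT",
              f"{at(minutes=1)} 198.51.100.5 LOGIN_FAIL",   # two typos, then a normal login
              f"{at(minutes=2)} 198.51.100.5 LOGIN_FAIL",
              f"{at(minutes=3)} 198.51.100.5 LOGIN_SUCCESS",
              f"{at(minutes=20)} 198.51.100.5 DB_CONNECT"]
    return lines
```

Running `correlate(sample_log())` yields a single finding for 203.0.113.7; the user with two failed attempts and no configuration change is ignored, which is the point of correlating the whole chain rather than alerting on any one event.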
Taking two or more events and comparing them against known patterns of other events allows you to at least identify whether there is a correlation between those events. The outcome is that you may be able to identify whether they are the cause of a bigger event.