To view the correlation objects that are currently
Automated Correlation Engine
. All the objects in the list are
enabled by default.
View the details on each correlation object. Each object
provides the following information:
The name and title indicate the type of activity that the correlation
object detects. The name column is hidden from view by default.
To view the definition of the object, unhide the column and click
the name link.
— A unique number that identifies the
correlation object; this column is also hidden by default. The IDs
are in the 6000 series.
—A classification of the kind
of threat or harm posed to the network, user, or host. For now,
all the objects identify compromised hosts on the network.
—Indicates whether the correlation
object is enabled (active) or disabled (inactive). All the objects
in the list are enabled by default, and are hence active. Because
these objects are based on threat intelligence data and are defined
by the Palo Alto Networks Threat Research team, keep the objects
active in order to track and detect malicious activity on your network.
—Specifies the match conditions
for which the firewall or Panorama will analyze logs. It describes
the sequence of conditions that are matched on to identify acceleration
or escalation of malicious activity or suspicious host behavior.
For example, the
detects a host involved in a complete attack lifecycle in a three-step
escalation that starts with scanning or probing activity, progressing
to exploitation, and concluding with network contact to a known
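
The ordered, per-host match sequence described above can be illustrated with a small log correlator. This is an added example, not Palo Alto Networks code or the firewall's actual matching logic. The event fields, the stage names, the 24-hour window and the `known_bad_contact` label for the third step (the page text is cut off at that point) are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

# Ordered escalation steps (names are assumptions made for this example).
STAGES = ("scan", "exploit", "known_bad_contact")
WINDOW = timedelta(hours=24)  # assumed correlation window, not a PAN-OS value

# Constructed sample events: (timestamp, host the activity relates to, activity)
SAMPLE_LOGS = [
    ("2024-05-01T08:00:00", "10.0.0.5", "scan"),
    ("2024-05-01T08:10:00", "10.0.0.9", "exploit"),            # no prior scan
    ("2024-05-01T09:30:00", "10.0.0.5", "exploit"),
    ("2024-05-01T09:45:00", "10.0.0.9", "known_bad_contact"),
    ("2024-05-01T11:00:00", "10.0.0.5", "known_bad_contact"),  # completes chain
    ("2024-05-01T12:00:00", "10.0.0.7", "scan"),
    ("2024-05-03T12:00:00", "10.0.0.7", "exploit"),            # outside window
    ("2024-05-03T12:05:00", "10.0.0.7", "known_bad_contact"),
]


def correlate(logs, window=WINDOW):
    """Return {host: [timestamps]} for hosts that hit every stage in order
    within `window` of the first matched stage."""
    progress = {}  # host -> timestamps of the stages matched so far
    matched = {}
    # ISO-8601 strings in one format sort chronologically.
    for ts_text, host, activity in sorted(logs):
        ts = datetime.fromisoformat(ts_text)
        chain = progress.setdefault(host, [])
        # Drop a stale partial chain so an old scan cannot anchor a new match.
        if chain and ts - chain[0] > window:
            chain.clear()
        # Only the next expected stage advances the chain; anything out of
        # order (for example an exploit with no preceding scan) is ignored.
        if activity == STAGES[len(chain)]:
            chain.append(ts)
            if len(chain) == len(STAGES):
                matched.setdefault(host, list(chain))  # keep the first match
                chain.clear()
    return matched


if __name__ == "__main__":
    for host, times in correlate(SAMPLE_LOGS).items():
        print(host, [t.isoformat() for t in times])
```

Only the host that shows all three stages in order and inside the window is reported; isolated or out-of-order events on the other hosts stay below the threshold, which is the difference between a correlated event and the individual log entries behind it.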