To counter the advances in exploits and malware distribution methods, correlation objects extend the signature-based malware detection capabilities on the firewall. They provide the intelligence for identifying suspicious behavior patterns across different sets of logs and they gather the evidence required to investigate and promptly respond to an event.
A correlation object is a definition file that specifies patterns for matching, the data sources to use for performing the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that query the data sources, and each pattern is assigned a severity and a threshold, which is number of time the pattern match occurs within a defined time limit. When a pattern match occurs, a correlation event is logged.
The data sources used for performing lookups can include the following logs: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. For example, the definition for a correlation object can include a set of patterns that query the logs for evidence of infected hosts, evidence of malware patterns, or for lateral movement of malware in the traffic, url filtering, and threat logs.
