The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict from WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.
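The severity ladder above, as an added illustration rather than the firewall's own correlation engine: a small Python classifier that assigns one of the five severities to a host's evidence. The evidence fields, the REPEAT_MIN and MAX_JITTER thresholds, and the sample hosts are constructed assumptions.

```python
"""Illustrative severity ladder for correlated events, following the table
above. Added example, not PAN-OS code: the evidence fields, the repeat
threshold and the jitter bound are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

REPEAT_MIN = 3     # assumed: visits to one malicious URL needed to count as "repeated"
MAX_JITTER = 0.2   # assumed: stdev/mean of visit intervals below this looks scripted


@dataclass
class HostEvidence:
    host: str
    malicious_url_visits: list = field(default_factory=list)  # (url, epoch_seconds)
    dynamic_dns_domains: list = field(default_factory=list)
    wildfire_malicious_file: bool = False      # host received a file WildFire judged malicious
    c2_matches_sandbox: bool = False           # host's C2 traffic matches what the sandbox observed
    c2_matches_network_malware: bool = False   # host's C2 matches malware seen elsewhere on the network


def looks_scripted(timestamps):
    """True when at least REPEAT_MIN visits recur at near-constant intervals."""
    if len(timestamps) < REPEAT_MIN:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) <= MAX_JITTER * mean(gaps)


def correlate(ev):
    """Return the highest severity from the table whose criteria the evidence meets."""
    if ev.wildfire_malicious_file and ev.c2_matches_sandbox:
        return "critical"
    if ev.c2_matches_network_malware:
        return "high"
    by_url = defaultdict(list)
    for url, ts in ev.malicious_url_visits:
        by_url[url].append(ts)
    if any(looks_scripted(t) for t in by_url.values()):
        return "medium"
    if ev.malicious_url_visits or ev.dynamic_dns_domains:
        return "low"
    return "informational"


# Constructed samples: one host beaconing to a malicious URL every 60 s, one single visit.
BEACONING = HostEvidence("10.0.0.5", [("malicious.example/c2", t) for t in range(0, 300, 60)])
ONE_OFF = HostEvidence("10.0.0.6", [("malicious.example/c2", 10)])
```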