Monitor > Automated Correlation Engine > Correlated Events
Correlated events expand the threat detection capabilities on the firewall and Panorama; the correlated events gather evidence of suspicious or unusual behavior of users or hosts on the network.
The correlation object makes it possible to pivot on certain conditions or behaviors and trace commonalities across multiple log sources. When the set of conditions specified in a correlation object are observed on the network, each match is logged as a correlated event.
The correlated event includes the details listed in the following table.
The time the correlation object triggered a match.
The timestamp when the match was last updated.
The name of the correlation object that triggered the match.
The IP address of the user from whom the traffic originated
The user and user group information from the directory server, if User-ID™ is enabled.
A rating that classifies the risk based on the extent of damage caused.
A description that summarizes the evidence gathered on the correlated event.
To view the detailed log view, click Details ( ) for an entry. The detailed log view includes all the evidence for a match:
Object Details—Presents information on the correlation object that triggered the match. For information on correlation objects, see Monitor > Automated Correlation Engine > Correlation Objects.
Match Details—A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
This tab includes all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
See a graphical display of the information in the Correlated Events tab, see the Compromised Hosts widget on the ACCThreat Activity tab. In the Compromised Hosts widget, the display is aggregated by source user and IP address and sorted by severity.
To configure notifications when a correlated event is logged, go to the DeviceLog Settings or PanoramaLog Settings tab.
Interpret Correlated Events
Interpret Correlated Events You can view and analyze the logs generated for each correlated event in the Monitor Automated Correlation Engine Correlated Events tab. Correlated ...
Monitor > Automated Correlation Engine
Monitor > Automated Correlation Engine The automated correlation engine tracks patterns on your network and correlates events that indicate an escalation in suspicious behavior or ...
Automated Correlation Engine Concepts
Automated Correlation Engine Concepts The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs, it generates a ...
Use the Compromised Hosts Widget in the ACC
Use the Compromised Hosts Widget in the ACC The compromised hosts widget on ACC Threat Activity , aggregates the Correlated Events and sorts them by ...
Use the Automated Correlation Engine
Use the Automated Correlation Engine The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on ...
Correlated Events A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To ...
Monitor > Automated Correlation Engine > Correlation Object...
Monitor > Automated Correlation Engine > Correlation Objects To counter the advances in exploits and malware distribution methods, correlation objects extend the signature-based malware detection ...
Ingest Traps ESM Logs on Panorama
Ingest Traps ESM Logs on Panorama Visibility is a critical first step in preventing and reducing the impact of an attack. To help you meet ...
API Log Retrieval Parameters
API Log Retrieval Parameters Specify the log type with additional optional parameters to retrieve logs from a firewall. Parameter Description log-type The type of logs ...