Interpret Correlated Events
You can view and analyze the logs generated for each correlated event in the MonitorAutomated Correlation EngineCorrelated Events tab.
Correlated Events includes the following details:
The time the correlation object triggered a match.
The time when the event was last updated with evidence on the match. As the firewall collects evidence on pattern or sequence of events defined in a correlation object, the time stamp on the correlated event log is updated.
The name of the correlation object that triggered the match.
The IP address of the user/device on your network from which the traffic originated.
The user and user group information from the directory server, if User-ID is enabled.
A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
A description that summarizes the evidence gathered on the correlated event.
Click the icon to see the detailed log view, which includes all the evidence on a match:
Object Details: Presents information on the Correlation Object that triggered the match.
Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
Monitor > Automated Correlation Engine > Correlated Events
Monitor > Automated Correlation Engine > Correlated Events Correlated events expand the threat detection capabilities on the firewall and Panorama; the correlated events gather evidence ...
Correlation Logs The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. ...
Monitor > Automated Correlation Engine
Monitor > Automated Correlation Engine The automated correlation engine tracks patterns on your network and correlates events that indicate an escalation in suspicious behavior or ...
Correlated Events A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To ...
Use the Compromised Hosts Widget in the ACC
Use the Compromised Hosts Widget in the ACC The compromised hosts widget on ACC Threat Activity , aggregates the Correlated Events and sorts them by ...
Monitor > Automated Correlation Engine > Correlation Object...
Monitor > Automated Correlation Engine > Correlation Objects To counter the advances in exploits and malware distribution methods, correlation objects extend the signature-based malware detection ...
Correlation Object A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and time ...
Use the Automated Correlation Engine
Use the Automated Correlation Engine The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on ...
Automated Correlation Engine Concepts
Automated Correlation Engine Concepts The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs, it generates a ...