Monitor > Automated Correlation Engine > Correlation Objects
To counter the advances in exploits and malware distribution methods, correlation objects extend the signature-based malware detection capabilities on the firewall. They provide the intelligence for identifying suspicious behavior patterns across different sets of logs and they gather the evidence required to investigate and promptly respond to an event.
A correlation object is a definition file that specifies the patterns to match, the data sources (logs) to query when performing the lookups, and the time period within which to look for those patterns. A pattern is a boolean structure of conditions that query the data sources, and each pattern is assigned a severity and a threshold, which is the number of times the pattern must match within a defined time limit. When the threshold is reached within that time limit, the firewall logs a correlation event.
The data sources used for performing lookups can include the following logs: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. For example, the definition for a correlation object can include a set of patterns that query the traffic, URL filtering, and threat logs for evidence of infected hosts, for known malware patterns, or for lateral movement of malware inside the network.
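The following is an added example, not Palo Alto Networks code and not the real correlation object file format: a toy correlation engine that shows how the pieces described above fit together. A pattern is a set of conditions over named data sources (AND across fields, OR over the accepted values of one field), with a severity, a threshold and a time window; the engine groups matching records by source host and logs a correlation event once the threshold is reached inside the window. The `Pattern` and `CorrelationObject` structures, the field names, the object IDs and the log records are all hypothetical and constructed for the illustration.

```python
"""Toy correlation engine illustrating how a correlation object works.

Added example: not Palo Alto Networks code. The definition format (Pattern,
CorrelationObject), the field names and the log records are all hypothetical
simplifications constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Pattern:
    """One match pattern: conditions on a set of data sources, a severity and a
    threshold of N matches inside a time window."""
    name: str
    sources: frozenset   # log types this pattern queries (threat, url, traffic, ...)
    conditions: dict     # field -> accepted values; AND across fields, OR within one
    threshold: int       # matches required ...
    window: timedelta    # ... within this time span
    severity: str


@dataclass(frozen=True)
class CorrelationObject:
    id: int              # hypothetical; the page says real IDs are in the 6000 series
    title: str
    patterns: tuple
    enabled: bool = True


def record_matches(record, pattern):
    """A record matches if it comes from one of the pattern's data sources and
    every condition holds (a condition is satisfied by any of its accepted values)."""
    if record["log"] not in pattern.sources:
        return False
    return all(record.get(f) in ok for f, ok in pattern.conditions.items())


def correlate(obj, logs):
    """Run every pattern over the logs, grouped by source host, and emit one
    correlation event per host whose matches hit the threshold within the window."""
    if not obj.enabled:          # disabled objects produce no events
        return []
    events = []
    for pat in obj.patterns:
        by_host = defaultdict(list)
        for rec in logs:
            if record_matches(rec, pat):
                by_host[rec["src"]].append(datetime.fromisoformat(rec["ts"]))
        for host, times in by_host.items():
            times.sort()
            n = pat.threshold
            # Sliding window over consecutive matches: the n-th match must fall
            # within `window` of the first for the threshold to be met.
            for i in range(len(times) - n + 1):
                if times[i + n - 1] - times[i] <= pat.window:
                    events.append({"object_id": obj.id, "pattern": pat.name,
                                   "severity": pat.severity, "src": host,
                                   "first": times[i], "last": times[i + n - 1]})
                    break            # one event per host per pattern
    return events


# Constructed sample records (not real firewall logs): one host shows repeated
# command-and-control hits plus a malware URL; another has a single C2 hit.
SAMPLE_LOGS = [
    {"log": "threat", "ts": "2024-05-01T10:00:00", "src": "10.1.1.5", "category": "command-and-control"},
    {"log": "url", "ts": "2024-05-01T10:01:30", "src": "10.1.1.5", "url_category": "malware"},
    {"log": "traffic", "ts": "2024-05-01T10:02:00", "src": "10.1.1.7", "app": "web-browsing"},
    {"log": "threat", "ts": "2024-05-01T10:03:00", "src": "10.1.1.5", "category": "command-and-control"},
    {"log": "threat", "ts": "2024-05-01T10:04:10", "src": "10.1.1.5", "category": "command-and-control"},
    {"log": "threat", "ts": "2024-05-01T12:30:00", "src": "10.1.1.9", "category": "command-and-control"},
]

C2_REPEATED = Pattern("c2-repeated", frozenset({"threat"}),
                      {"category": {"command-and-control", "spyware"}},
                      threshold=3, window=timedelta(hours=1), severity="high")
MALWARE_URL = Pattern("malware-url", frozenset({"url"}),
                      {"url_category": {"malware"}},
                      threshold=1, window=timedelta(hours=1), severity="medium")

# Hypothetical object: three C2 hits in an hour, or one malware-URL visit.
EXAMPLE_OBJECT = CorrelationObject(6999, "Compromised host (example)", (C2_REPEATED, MALWARE_URL))

# Same C2 pattern with a 2-minute window: the three hits above span 4m10s, so
# the threshold is never met inside the window and no event is logged.
TIGHT_WINDOW_OBJECT = CorrelationObject(
    6998, "Tight window (example)",
    (Pattern("c2-burst", frozenset({"threat"}), {"category": {"command-and-control"}},
             threshold=3, window=timedelta(minutes=2), severity="high"),))

if __name__ == "__main__":
    for ev in correlate(EXAMPLE_OBJECT, SAMPLE_LOGS):
        print(ev)
```

Running the block logs two events, both for 10.1.1.5 (three command-and-control hits inside one hour, and one malware-URL visit); 10.1.1.9 has a single C2 hit and never reaches the threshold, and the tight-window variant shows why the time limit matters as much as the count. A real correlation object also carries the escalation progression described in the field table below; this toy only models independent patterns.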
Correlation objects are defined by Palo Alto Networks® and are packaged with content updates. You must have a valid threat prevention license to get content updates.
By default, all correlation objects are enabled. To disable an object, select the object and Disable it.
Correlation Object Fields
Name and Title: The label indicates the type of activity that the correlation object detects.
ID: A unique number identifies the correlation object. This number is in the 6000 series.
Category: A summary of the kind of threat or harm posed to the network, user, or host.
State: The state indicates whether the correlation object is enabled (active) or disabled (inactive).
Description: The description specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the escalation pattern or progression path that will be used to identify malicious activity or suspicious host behavior.