Automated Correlation Engine
The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely attack on your network. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns, and when a match occurs, it generates a correlated event.
The automated correlation engine is supported on the following platforms only:
Panorama: M-Series appliance and the virtual appliance
PA-7000 Series
PA-5000 Series
PA-3000 Series
Correlation Objects
A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match may occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlation event is logged.
To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine > Correlation Objects. All the objects in the list are enabled by default.
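The following is an added, self-contained Python model of the concepts described above: a correlation object built from patterns (each pattern a boolean structure of conditions over one data source), a time window, a match threshold and a severity, evaluated against constructed log records to produce correlated events with their evidence. It is not PAN-OS code and does not use the real PAN-OS log schema or correlation-object format; the record fields, the object name and the sample records are all constructed for illustration, and the sliding-window logic is an assumption about how such a threshold could be evaluated.

```python
"""Toy correlation engine (added example; not PAN-OS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class LogRecord:
    """One record from a firewall data source (constructed schema, not PAN-OS's)."""
    source: str             # data source the record came from: "threat", "url", "traffic", ...
    ts: datetime
    host: str               # source IP the record is attributed to
    fields: Dict[str, str]


@dataclass
class Pattern:
    """A condition queried against one data source; its description is kept as evidence."""
    source: str
    condition: Callable[[Dict[str, str]], bool]
    description: str


@dataclass
class CorrelationObject:
    name: str
    severity: str
    window: timedelta       # time period within which the pattern hits must fall
    threshold: int          # number of hits required inside the window
    patterns: List[Pattern]


@dataclass
class CorrelatedEvent:
    object_name: str
    severity: str
    host: str
    match_time: datetime    # first hit of the window that reached the threshold
    last_update: datetime   # most recent hit inside that window
    evidence: List[Tuple[datetime, str, str]] = field(default_factory=list)


def field_equals(name: str, value: str) -> Callable[[Dict[str, str]], bool]:
    return lambda f: f.get(name) == value


def all_of(*conds: Callable[[Dict[str, str]], bool]) -> Callable[[Dict[str, str]], bool]:
    """AND-combine conditions, so a pattern can be a boolean structure of conditions."""
    return lambda f: all(c(f) for c in conds)


def correlate(obj: CorrelationObject, records: List[LogRecord]) -> List[CorrelatedEvent]:
    """Return one CorrelatedEvent per host whose pattern hits reach the threshold in the window."""
    hits: Dict[str, List[Tuple[LogRecord, str]]] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        for pat in obj.patterns:
            if rec.source == pat.source and pat.condition(rec.fields):
                hits.setdefault(rec.host, []).append((rec, pat.description))
    events: List[CorrelatedEvent] = []
    for host, host_hits in hits.items():
        # Slide a window anchored at each hit; the first window holding >= threshold hits fires.
        for i, (first, _) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0].ts - first.ts <= obj.window]
            if len(in_window) >= obj.threshold:
                events.append(CorrelatedEvent(
                    object_name=obj.name, severity=obj.severity, host=host,
                    match_time=first.ts, last_update=in_window[-1][0].ts,
                    evidence=[(r.ts, r.source, d) for r, d in in_window]))
                break  # one event per host per object; further hits would only add evidence
    return events


def event_summary(ev: CorrelatedEvent) -> str:
    """The kind of one-line summary a Match Details view would show."""
    return (f"{ev.severity}: host {ev.host} matched '{ev.object_name}' {len(ev.evidence)} times "
            f"between {ev.match_time:%H:%M} and {ev.last_update:%H:%M}")


# Constructed correlation object: three non-blocked spyware or malware-URL hits within one hour.
SAMPLE_OBJECT = CorrelationObject(
    name="constructed-compromised-host", severity="high",
    window=timedelta(hours=1), threshold=3,
    patterns=[
        Pattern("threat", all_of(field_equals("subtype", "spyware"), field_equals("action", "alert")),
                "spyware signature matched and not blocked"),
        Pattern("url", field_equals("category", "malware"), "request to URL in malware category"),
    ],
)

# Constructed sample records: 10.0.0.5 reaches the threshold, 10.0.0.9 has two hits too far apart,
# and 10.0.0.7 only has a vulnerability-subtype record that no pattern queries.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_RECORDS = [
    LogRecord("threat", T0, "10.0.0.5", {"subtype": "spyware", "action": "alert"}),
    LogRecord("threat", T0 + timedelta(minutes=3), "10.0.0.9", {"subtype": "spyware", "action": "alert"}),
    LogRecord("url", T0 + timedelta(minutes=5), "10.0.0.5", {"category": "malware"}),
    LogRecord("threat", T0 + timedelta(minutes=10), "10.0.0.7", {"subtype": "vulnerability", "action": "alert"}),
    LogRecord("threat", T0 + timedelta(minutes=20), "10.0.0.5", {"subtype": "spyware", "action": "alert"}),
    LogRecord("threat", T0 + timedelta(hours=2, minutes=30), "10.0.0.9", {"subtype": "spyware", "action": "alert"}),
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_OBJECT, SAMPLE_RECORDS):
        print(event_summary(ev))
        for ts, source, desc in ev.evidence:
            print(f"  {ts:%H:%M} [{source}] {desc}")
```

Running the block reports a single high-severity event for 10.0.0.5 with three pieces of evidence; 10.0.0.9 produces nothing because its two hits fall outside the one-hour window, which is the role the time period plays in keeping isolated alerts from being promoted to a correlated event.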
Correlated Events
A correlation event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.
Click the icon to see the detailed log view, which includes all the evidence on a match:
Tab: Match Information
Object Details: Presents information on the correlation object that triggered the match.
Match Details: A summary of the match details that includes the match time, the last update time on the match evidence, the severity of the event, and an event summary.
Tab: Match Evidence
Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
For a graphical display of the correlated events, see the compromised hosts widget on ACC > Threat Activity. The compromised hosts widget aggregates the correlated events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched, and the number of times the object was matched. The match count link allows you to jump to the match evidence details.