Automated Correlation Engine

The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely attack on your network. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlation event.
A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match may occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlation event is logged.
To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine > Correlation Objects. All the objects in the list are enabled by default.
A correlation event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. You can view and analyze the correlation event logs on Monitor > Automated Correlation Engine > Correlated Events.
For a graphical display of the correlated events, see the compromised hosts widget on ACC > Threat Activity. The compromised hosts widget aggregates the correlated events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched, and the number of times the object was matched. The match count link allows you to jump to the match evidence details.
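To make the concepts above concrete, the following is an added example (not Palo Alto Networks code, and not the firewall's actual object format) of a toy correlation engine in Python. It models a correlation object as a boolean structure of conditions over several log sources (threat and URL filtering here), with a severity, a threshold on the number of matching records, and a time window, and it emits a correlation event per source host when the pattern is satisfied. It then aggregates the events the way the compromised hosts widget does: by source address and matched object, sorted by severity, with a match count and the evidence records behind it. All log records, object definitions, field names and the `src`/`ts`/`category` keys are constructed sample data and assumptions of this example.

```python
"""Toy correlation engine: correlation objects with a boolean pattern over
several log sources, a threshold inside a time window, and an ACC-style
compromised-hosts aggregation. All data here is constructed sample input."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed sample logs keyed by log source. 10.1.1.5 shows spyware DNS hits
# followed by a malware URL; 10.1.1.7 has the same hits spread too far apart;
# 10.1.1.9 has too few hits to cross the threshold.
SAMPLE_LOGS = {
    "threat": [
        {"ts": "2024-01-01T10:00:00", "src": "10.1.1.5", "category": "spyware"},
        {"ts": "2024-01-01T10:01:00", "src": "10.1.1.5", "category": "spyware"},
        {"ts": "2024-01-01T10:02:00", "src": "10.1.1.5", "category": "spyware"},
        {"ts": "2024-01-01T10:00:00", "src": "10.1.1.7", "category": "spyware"},
        {"ts": "2024-01-01T10:15:00", "src": "10.1.1.7", "category": "spyware"},
        {"ts": "2024-01-01T10:30:00", "src": "10.1.1.7", "category": "spyware"},
        {"ts": "2024-01-01T10:30:00", "src": "10.1.1.9", "category": "spyware"},
    ],
    "url": [
        {"ts": "2024-01-01T10:02:30", "src": "10.1.1.5", "category": "malware"},
        {"ts": "2024-01-01T10:31:00", "src": "10.1.1.9", "category": "malware"},
    ],
}

@dataclass(frozen=True)
class Condition:
    source: str  # which log source to query (threat, url, traffic, ...)
    field: str
    value: str

    def matches(self, record):
        return record.get(self.field) == self.value

@dataclass
class CorrelationObject:
    name: str
    severity: str
    conditions: list       # the boolean structure: AND or OR of conditions
    require_all: bool      # True = every condition must appear in the window
    threshold: int         # matching records required inside the window
    window: timedelta

@dataclass
class CorrelationEvent:
    obj: str
    severity: str
    src: str
    first_seen: datetime
    evidence: list = field(default_factory=list)  # (source, record) pairs

# Hypothetical objects; thresholds and windows are assumptions of this example.
OBJECTS = [
    CorrelationObject("Spyware DNS followed by malware URL", "high",
                      [Condition("threat", "category", "spyware"),
                       Condition("url", "category", "malware")],
                      require_all=True, threshold=3, window=timedelta(minutes=5)),
    CorrelationObject("Repeated spyware DNS activity", "medium",
                      [Condition("threat", "category", "spyware")],
                      require_all=True, threshold=3, window=timedelta(minutes=10)),
]

def _hits_by_host(obj, logs):
    """Collect every record satisfying some condition, per source host, time-ordered."""
    hosts = defaultdict(list)
    for i, cond in enumerate(obj.conditions):
        for rec in logs.get(cond.source, []):
            if cond.matches(rec):
                hosts[rec["src"]].append((datetime.fromisoformat(rec["ts"]), i, cond.source, rec))
    for hits in hosts.values():
        hits.sort(key=lambda h: h[0])
    return hosts

def correlate(obj, logs):
    """Slide a window over each host's hits; emit an event when the boolean
    structure is satisfied and the threshold is reached inside the window."""
    events = []
    for src, hits in _hits_by_host(obj, logs).items():
        i = 0
        while i < len(hits):
            t0 = hits[i][0]
            window = [h for h in hits[i:] if h[0] - t0 <= obj.window]
            seen = {h[1] for h in window}
            structure_ok = seen == set(range(len(obj.conditions))) if obj.require_all else bool(seen)
            if structure_ok and len(window) >= obj.threshold:
                events.append(CorrelationEvent(obj.name, obj.severity, src, t0,
                                               [(s, r) for _, _, s, r in window]))
                i += len(window)  # consume the window; later hits may form a new event
            else:
                i += 1
    return events

def run(objects, logs):
    return [e for obj in objects for e in correlate(obj, logs)]

def compromised_hosts(events):
    """Widget-style view: one row per (src, object) with match count, sorted by severity."""
    rows = {}
    for e in events:
        row = rows.setdefault((e.src, e.obj), {"src": e.src, "object": e.obj,
                                               "severity": e.severity, "matches": 0, "evidence": 0})
        row["matches"] += 1
        row["evidence"] += len(e.evidence)
    return sorted(rows.values(), key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["matches"]))

if __name__ == "__main__":
    for row in compromised_hosts(run(OBJECTS, SAMPLE_LOGS)):
        print(row)
```

Only 10.1.1.5 produces events: its hits satisfy both conditions of the first object within five minutes and three spyware hits of the second within ten. Host 10.1.1.7 has the same number of spyware hits but spread over thirty minutes, so no window reaches the threshold, and 10.1.1.9 satisfies the boolean structure but not the count. That is the practical value of the threshold and time window: a single alert is noise, a sequence inside a window is evidence.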