Interpret Correlated Events

You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.
Correlated Events includes the following details, listed as the field name followed by its description:

Match Time
    The time the correlation object triggered a match.

Update Time
    The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the time stamp on the correlated event log is updated.

Object Name
    The name of the correlation object that triggered the match.

Source Address
    The IP address of the user/device on your network from which the traffic originated.

Source User
    The user and user group information from the directory server, if User-ID is enabled.

Severity
    A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
      • Critical—Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
      • High—Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
      • Medium—Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests scripted command-and-control activity.
      • Low—Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
      • Informational—Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
    Note: To configure the firewall or Panorama to send alerts using email, SNMP, or syslog messages for a desired severity level, see Use External Services for Monitoring.

Summary
    A description that summarizes the evidence gathered on the correlated event.
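As an added example (not from the original documentation), the following Python script shows how an analyst might rank hosts from an exported set of correlated events using the severity scale described above, grouping by Source Address and carrying the most recent Update Time. The CSV column names, timestamp format, and sample rows are constructed assumptions, not a documented export format.

```python
import csv
from datetime import datetime
from io import StringIO

# Severity scale as documented for correlated events, most urgent first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Assumed timestamp layout for the constructed sample below.
TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample export. Column names mirror the Correlated Events fields;
# the CSV layout itself is an assumption, not a documented export format.
SAMPLE_EXPORT = """\
match_time,update_time,object_name,source_address,source_user,severity,summary
2024/05/01 10:02:11,2024/05/01 10:40:52,wildfire-c2-match,10.1.20.15,corp\\alice,critical,Host showed the C2 activity seen in the WildFire sandbox
2024/05/01 09:15:00,2024/05/01 09:15:00,malicious-url-visit,10.1.20.15,corp\\alice,low,Visit to a malicious URL
2024/05/01 11:30:05,2024/05/01 11:55:40,repeated-malicious-url,10.1.20.33,corp\\bob,medium,Repeated visits to known malicious URLs
2024/05/01 08:00:00,2024/05/01 08:00:00,dynamic-dns-lookup,10.1.20.40,,informational,Lookup of a dynamic DNS domain
"""


def parse_events(text):
    """Parse an export into rows with datetime timestamps and a numeric severity rank."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r}")
        row["match_time"] = datetime.strptime(row["match_time"], TIME_FMT)
        row["update_time"] = datetime.strptime(row["update_time"], TIME_FMT)
        row["rank"] = SEVERITY_RANK[sev]
        events.append(row)
    return events


def triage_hosts(events):
    """Group events by Source Address and order hosts for analyst attention:
    highest severity first, then the most recently updated evidence."""
    hosts = {}
    for ev in events:
        h = hosts.setdefault(ev["source_address"],
                             {"max_rank": -1, "objects": set(), "last_update": None, "user": ""})
        h["max_rank"] = max(h["max_rank"], ev["rank"])
        h["objects"].add(ev["object_name"])          # distinct correlation objects that fired
        if h["last_update"] is None or ev["update_time"] > h["last_update"]:
            h["last_update"] = ev["update_time"]     # newest Update Time across the host's events
        h["user"] = h["user"] or ev["source_user"]   # first non-empty Source User seen
    return sorted(hosts.items(),
                  key=lambda kv: (-kv[1]["max_rank"], -kv[1]["last_update"].timestamp()))
```

Run `triage_hosts(parse_events(SAMPLE_EXPORT))` to get the host list; a host with a Critical match sorts first regardless of how many lower-severity objects also fired for it.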
Click the spyglass icon next to an event to see the detailed log view, which includes all the evidence on a match:
The detailed log view has the following tabs, listed as the tab name followed by its description:

Match Information
    Object Details: Presents information on the correlation object that triggered the match.
    Match Details: A summary of the match details that includes the match time, the last update time on the match evidence, the severity of the event, and an event summary.

Match Evidence
    Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
