View the Correlated Objects

You can view the correlation objects that are currently available on the firewall.
  1. Select MonitorAutomated Correlation EngineCorrelation Objects. All the objects in the list are enabled by default.
  2. View the details on each correlation object. Each object provides the following information:
    • Name and Title—The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view, by default. To view the definition of the object, unhide the column and click the name link.
    • ID— A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
    • Category—A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
    • State—Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
    • Description—Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.

Related Documentation