Defining Context Options for Correlation Situation elements

Correlation Contexts define the patterns for matching groups of related events in traffic.

Correlation Situations are used by NGFW Engines and Log Servers to conduct further analysis of detected events. Correlation Situations do not handle traffic directly. Instead, they analyze the events generated by matches to Situations found in traffic. Correlation Situations use Event Binding elements to define the log events that bind together different types of events in traffic.

Table 1. Correlation Context types

Correlation Context Type: Description

Compress: Combines repeated similar events into the same log entry, reducing clutter in the Logs view.

Example: There is a custom Situation for detecting suspicious access to a file server. An attacker is likely to browse through many files, triggering an alert entry for each file. An Event Compress Situation can be used to combine Situations together when the suspect's IP address is the same.

Count: Finds recurring patterns in traffic by counting how many times certain Situations occur within the defined period, so that action can be taken if the threshold values you set are exceeded.

Example: A Situation that detects access to a system could normally trigger just a log entry. The Event Count Situation could be used to blacklist connections when access by any single host is too frequent.

Group: Finds event patterns in traffic by keeping track of whether all events in the defined set of Situations match at least once, in any order, within the defined time period.

Example: Individual attempts to exploit different vulnerabilities in a software product in use on your server might not be too alarming if you know that your system is patched against those vulnerabilities. However, when several such events are found in a short period, it becomes more likely that someone is trying to systematically attack the server. They might also already know that the server is running that particular piece of software. A Situation that belongs to the Group Context can detect this kind of attack.

Match: Allows you to use Filters to filter event data produced by specific Situations.

Sequence: Finds event patterns in traffic by keeping track of whether all events in the defined set of Situations match in a specific order within the defined time period.

Example: Clients might use a certain type of request (for example, "give file X") to fetch a file from a file server. When administrators log on to the same server, a successful administrator logon can be seen in the traffic as a certain type of response (for example, "full access granted"). However, a vulnerability in the server software can allow an attacker to send a specially crafted file fetch request. This kind of request might look like a valid "give file X" command, but actually causes the server to give the attacker administrator rights. This action is seen as a normal-looking "full access granted" response from the server. The Event Sequence Situation can detect when a "give file X" Situation match is followed by a "full access granted" Situation match, a sequence that cannot occur in legitimate traffic.
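To make the Count, Group and Sequence matching rules concrete, the following Python sketch runs each rule over a constructed event stream. It is an illustration added for this page, not the NGFW Engine's or Log Server's own correlation code; the Situation names, IP addresses, the choice of source IP as the binding key, and the sliding-window details are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events (made-up Situation names): (seconds, Situation, source IP)
EVENTS = [
    (0, "File_Access", "10.0.0.5"),
    (1, "File_Access", "10.0.0.5"),
    (2, "File_Access", "10.0.0.5"),
    (3, "Give_File_Request", "10.0.0.9"),
    (4, "Full_Access_Granted", "10.0.0.9"),
    (40, "Exploit_A", "10.0.0.7"),
    (45, "Exploit_B", "10.0.0.7"),
    (50, "Exploit_C", "10.0.0.7"),
]

def _recent(events, period):
    """After each event, yield the source and its window of (ts, Situation)
    pairs seen within the last `period` seconds (the correlation period)."""
    windows = defaultdict(deque)
    for ts, sit, src in events:
        w = windows[src]
        w.append((ts, sit))
        while ts - w[0][0] > period:  # drop events that fell out of the period
            w.popleft()
        yield src, w

def count_context(events, situation, threshold, period):
    """Count: hosts from which `situation` fired at least `threshold` times in the period."""
    hits = set()
    for src, w in _recent(events, period):
        if sum(1 for _, s in w if s == situation) >= threshold:
            hits.add(src)
    return hits

def group_context(events, situations, period):
    """Group: hosts from which every Situation in the set fired at least once,
    in any order, within the period."""
    hits = set()
    for src, w in _recent(events, period):
        if set(situations) <= {s for _, s in w}:
            hits.add(src)
    return hits

def sequence_context(events, situations, period):
    """Sequence: like Group, but the Situations must appear in the given
    order (other events may be interleaved) within the period."""
    hits = set()
    for src, w in _recent(events, period):
        it = iter(s for _, s in w)
        if all(any(s == want for s in it) for want in situations):
            hits.add(src)
    return hits
```

Running the Sequence rule with the two Situations reversed yields no match while the Group rule still matches, which is the difference between the two Contexts.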

Depending on the Usage Context properties of the Correlation Situation, correlation can be done only on the NGFW Engine, only on the Log Server, or on both the NGFW Engine and the Log Server. By default, correlation is done on both the NGFW Engine and the Log Server for custom Correlation Situations. For more information about selecting the Usage Context, see the following Context-specific sections.
CAUTION:
In custom Correlation Situations, logging might be automatically enabled for the correlated Situations even if the correlated Situations do not normally have logging enabled. If the Situations produce a large amount of log data and correlation is done on the Log Server, the increased amount of log data might overload the network or the Log Server even if no correlation matches occur.