Defining Context Options for Correlation Situation elements
Correlation Contexts define the patterns for matching groups of related events in traffic.
Correlation Situations are used by NGFW Engines and Log Servers to conduct further analysis of detected events. Correlation Situations do not handle traffic directly. Instead they analyze the events generated by matches to Situations found in traffic. Correlation Situations use Event Binding elements to define the log events that bind together different types of events in traffic.
Correlation Context Type | Description |
---|---|
Compress | Combines repeated similar events into the same log entry, reducing clutter in the Logs view.
Example: There is a custom Situation for detecting suspicious access to a file server. An attacker is likely to browse through many files, triggering an alert entry for each file. An Event Compress Situation can be used to combine Situations together when the suspect’s IP address is the same. |
Count | Finds recurring patterns in traffic by counting how many times certain Situations occur within the
defined period, so that action can be taken if the threshold values you set are exceeded. Example: A Situation that detects access to a system could normally trigger just a log entry. The Event Count Situation could be used to blacklist connections when access by any single host is too frequent. |
Group | Finds event patterns in traffic by keeping track of whether all events in the defined set of
Situations match at least once in any order within the defined time period. Example: Individual attempts to exploit different vulnerabilities in a software product in use on your server might not be too alarming if you know that your system is patched against those vulnerabilities. However, when several such events are found in a short period, it becomes more likely that someone is trying to systematically attack the server. They might also already knows that the server is running that particular piece of software. A Situation that belongs to the Group Context can detect this kind of attack. |
Match | Allows you to use Filters to filter event data produced by specific Situations. |
Sequence | Finds event patterns in traffic by keeping track of whether all events in the defined set of
Situations match in a specific order within the defined time period. Example: Clients might use a certain type of request (for example, “give file X”) to fetch a file from a file server. When administrators log on to the same server, a successful administrator logon can be seen in the traffic as a certain type of response (for example, “full access granted”). However, a vulnerability in the server software can allow an attacker to send a specially crafted file fetch request. This kind of request might look like a valid “give file x” command, but actually causes the server to give the attacker administrator rights. This action is seen as a normal-looking “full access granted” response from the server. The Event Sequence Situation can detect when a “give file X” Situation match is followed by a “full access granted” Situation match, which cannot be any legitimate traffic. |