Question 1: Can I benefit from the correlation feature with a 3020? You mention it’s only available with certain hardware platforms. Answer: Correlation objects are implemented on 3xxx, 5xxx and 7xxx devices. If you forward the logs to Panorama, it will support correlation objects for all devices.
Question 2: Can alerts be set up for correlation events? Answer: Yes. Correlated events are just another log type that can be forwarded or emailed as with any other log type.
Question 3: If a host is listed in the correlation findings, is it guaranteed that it is infected? Answer: It is very likely that it is infected.
Question 4: Can I see an example of the result of the automated correlation engine and how it works? Answer: Please contact your SE for a demo.
Question 5: Do you need a WildFire subscription to take advantage of the automated correlation engine in PAN-OS 7.0? Answer: For correlation objects that are triggered by WildFire (there are two in 7.0), you need a WildFire subscription. For the other four, you do not need a license.
Question 6: How many correlations come with PAN-OS 7.0? Can I create my own correlations? Answer: In the latest 7.0, there are six. We are working on three or more new ones that will be pushed via content as soon as they are ready.
Question 7: How often will auto-correlation definitions be updated/created, and will there be the ability for end users to create or define their own? Answer: [They will be updated] as often as Unit 42 defines them, and they are then pushed on a daily basis. You cannot define your own in 7.0, though we have plans to allow custom correlation objects in future releases.
Question 8: We can't demo the correlation engine on our PA-200 lab firewalls, and we aren't ready to upgrade production. When will a lab SKU for Panorama be released? We've needed a low-cost Panorama lab license for a long time. Answer: A lab Panorama SKU is available: PAN-PRA-LAB.
Question 9: Is there any possibility of false positives in correlation confirmation? Answer: There is always that possibility, but to address this, we have been using confirmed IOCs. If we find too many FPs, we can change the correlation object definition and push it via normal content updates.
Question 10: In the correlation engine, can I add to the C2 IPs? Answer: In 7.0, correlation objects are not editable.
Question 11: We get a lot of false positives on the correlation engine because of sites with ads. Is there a good workaround for this? Answer: I would love to get data about FPs. Please raise a ticket for that. In 7.0.2, we have reduced some of the FPs.
Question 12: Can we create custom correlation, or are only pre-made correlations available? Answer: Not in 7.0. We have plans to allow this in future releases.
Question 13: How CPU intensive is the automated correlation engine? Answer: The extra CPU and memory on 3k/5k/7k is negligible. If you use Panorama, you can disable the correlation objects on the device, as Panorama will run it on behalf of the device.
Question 14: Can you take action dynamically, based upon a correlation object? Answer: You can forward the log via syslog, SNMP trap or email (like any other log type: system, traffic, threat, etc.).
Question 15: Can correlated events be parsed to syslog? Answer: Yes. CO logs are “just” another log type.
Question 16: Can correlation be run against existing firewall data, or do they need to be connected to Panorama full time for it to work? Answer: The device (if it is a 3k/5k/7k) can run the CO by itself. For Panorama, the logs need to be sent to Panorama.