Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Support_Team_Bi
Contributor
Jump to solution

Question about Log type Correlated

Hello

Can you explain me about type correlated in log info and the log view(As Image) ? 

Capture2.PNG

 

Capture.PNG

 

In black highlight, why are there many ip in one cell (Source or User column) ?

 

Thank you.

0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
Employee
Employee

To filter in/out correlated from use "(NOT) type:Correlated". In views/reports I suggest using the filter "Pre-defined Filter" which allows you to choose from "Log Type Filter"/"Default Report Filter" which filters non-traffic log types out such as control, audit, correlated and more.

Watching the logs of correlated events is unique per event. Check the correlated event itself for related fields (blade, attack name for examples) and try to filter them in a query.

Kind regards, Amir Senn

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
Correlated means it's been taken from many individual events that could have occurred as individual logs, but instead are represented as a single log.
0 Kudos
Amir_Senn
Employee
Employee

Correlated events are not traffic logs but logs that are generated from the SmartEvent.

In SmartEvent you have a policy called "Event Policy", in which you define filters and thresholds for event and you can attach them with automatic reaction.

A correlated event could be a matching of a single log or X logs over Y time to your choosing.

Kind regards, Amir Senn
Support_Team_Bi
Contributor

Thank you for the answer.

How can I find a single log before generate from SmartEvent ? 

How to separate correlate log in report ? 

 

Thank you

0 Kudos
Amir_Senn
Employee
Employee

To filter in/out correlated from use "(NOT) type:Correlated". In views/reports I suggest using the filter "Pre-defined Filter" which allows you to choose from "Log Type Filter"/"Default Report Filter" which filters non-traffic log types out such as control, audit, correlated and more.

Watching the logs of correlated events is unique per event. Check the correlated event itself for related fields (blade, attack name for examples) and try to filter them in a query.

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events