Security Connector event correlation

When traffic and events are recorded by Enterprise Security Connector, this data is available in Enterprise Threat Protector (ETP) for further analysis. ETP lets you compare and correlate Security Connector events with the threat event data that is reported and tracked in the application, and trace threat events back to the Security Connector events that produced them. Correlating this information makes it easier to identify compromised machines and to act on threats or malicious activity in your network.

From the Security Connector activity report, you can examine and filter this data based on criteria and specific event information. To learn more about the Security Connector event data that is shown in ETP, see Event dimensions and Security Connector event details.

The following applies when threat event data and Security Connector event data are correlated:
  • In the Security Connector activity report, a View link is associated with a specific Security Connector event in an events table. For example, when you expand a grouped event and view specific events, this link appears in the Correlated Threat Event column of the table. Clicking this link opens the Correlated Threat Event for Security Connector Event dialog where event details are provided. You can also open the event in the Threat Events report by clicking the Show in Threat Events link in the dialog. For more information on the data that is shown, see Threat event details.
  • In the Threat Events report, a View link is associated with a specific threat event in an events table. Clicking this link opens the Correlated Security Connector Event(s) for Threat Event dialog where event details are provided. You can also show the Security Connector events on the Security Connector activity report by clicking the Show in Security Connectors Activity link in the dialog. For more information on the data that is shown for a Security Connector event, see Security Connector event details.
  • In the Security Connector activity report, when you view data based on a dimension or event criteria (for example, a Connector IP, destination port, hostname, and more), you can click event data and select Threat Events from the menu that appears. If there is a correlated event, this option opens the correlated threat event in a dialog where detailed information is provided based on the dimension you selected. For example, if you select to view Threat Events based on a specific affected internal IP address, the Correlated Threat Events by Filtered Dimension(s) dialog shows all the threat events that apply to the specific affected internal IP address you selected. In this dialog, you can search for events, view detailed event data, and download event data to a CSV file. You can also show this data on the Threat Events report where you can do more data analysis.
  • Likewise, in the Threat Events report, you can view data based on specific criteria such as a domain, hostname, or resolved IP address, click event data, and select the Security Connector Events option. This option opens a dialog where the correlated Security Connector events are shown for the dimension you selected. In this dialog, you can search for events, view detailed event data, and download event data to a CSV file. You can also show this data on the Security Connector activity report.
  • To help you analyze correlated data, the Threat Events and Security Connector activity reports include filter criteria for each event type. For example, in the Threat Events report, in addition to filtering data by criteria or dimensions specific to threat events, you can filter data based on Security Connector criteria such as the affected internal IP address, source port, and more. Similarly, in addition to filtering data based on Security Connector events, on the Security Connector activity report, you can filter data based on threat event criteria, such as domain, list, action, policy, and more.

    You can also configure and apply a filter to show correlated events. For example, on the Security Connector activity report, you can create and apply a filter to show events that correlate to threat events. Similarly, on the Threat Events report, you can create and apply a filter to show events that correlate to security connector events.
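The correlation, dimension lookup, correlated-only filter, and CSV download described above, reduced to working code as an added example. This is not ETP code and does not reproduce ETP's actual correlation logic, which this page does not describe: the join rule (a Security Connector event correlates with a threat event when the connector event's hostname matches the threat event's domain and the two timestamps fall within a five-minute window), the field names, and every event record are assumptions constructed for the example.

```python
"""Illustrative correlation of Security Connector events with threat events.

Added example, not ETP code. ASSUMPTION: a Security Connector event correlates
with a threat event when the connector event's hostname equals the threat
event's domain and the two timestamps lie within CORRELATION_WINDOW. Every
record below is constructed sample data.
"""
import csv
import io
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ThreatEvent:          # threat event dimensions: domain, list, action, policy
    event_id: str
    time: datetime
    domain: str
    resolved_ip: str
    action: str
    list_name: str
    policy: str


@dataclass(frozen=True)
class ConnectorEvent:       # connector dimensions: connector IP, hostname, ports, internal IP
    event_id: str
    time: datetime
    connector_ip: str
    hostname: str
    destination_port: int
    affected_internal_ip: str
    source_port: int


CORRELATION_WINDOW = timedelta(minutes=5)  # assumed, not an ETP setting

T0 = datetime(2024, 1, 15, 9, 0, 0)
# Constructed threat events: TE-2 is blocked rather than sinkholed, so no machine
# reaches the connector for it; TE-3 repeats TE-1's domain hours later, outside
# the window of every connector event, so it must not correlate.
THREAT_EVENTS = [
    ThreatEvent("TE-1", T0, "bad.example", "10.0.0.5", "Sinkhole", "Malware", "Corp-Policy"),
    ThreatEvent("TE-2", T0 + timedelta(minutes=1), "other.example", "0.0.0.0", "Block", "Phishing", "Corp-Policy"),
    ThreatEvent("TE-3", T0 + timedelta(hours=3), "bad.example", "10.0.0.5", "Sinkhole", "Malware", "Corp-Policy"),
]
# Constructed connector events: CE-2 differs only in hostname case; CE-3 hits a
# hostname with no threat event, so it has no correlation.
CONNECTOR_EVENTS = [
    ConnectorEvent("CE-1", T0 + timedelta(seconds=20), "10.0.0.5", "bad.example", 443, "192.168.1.20", 51234),
    ConnectorEvent("CE-2", T0 + timedelta(seconds=45), "10.0.0.5", "BAD.example", 80, "192.168.1.31", 40512),
    ConnectorEvent("CE-3", T0 + timedelta(minutes=2), "10.0.0.5", "unrelated.example", 443, "192.168.1.40", 39001),
]


def correlate(threat_events, connector_events, window=CORRELATION_WINDOW):
    """Map threat event id -> connector events with a matching domain inside the window."""
    by_domain = {}
    for t in threat_events:
        by_domain.setdefault(t.domain.lower(), []).append(t)
    matches = {}
    for c in connector_events:
        for t in by_domain.get(c.hostname.lower(), []):
            if abs(c.time - t.time) <= window:
                matches.setdefault(t.event_id, []).append(c)
    return matches


def correlated_threat_event_ids(matches, connector_event_id):
    """Reverse lookup behind the View link on a connector event: its threat event(s)."""
    return sorted(tid for tid, ces in matches.items()
                  if any(c.event_id == connector_event_id for c in ces))


def threat_events_for_internal_ip(matches, threat_events, affected_internal_ip):
    """Threat Events by filtered dimension: every threat event tied to one internal IP."""
    by_id = {t.event_id: t for t in threat_events}
    ids = {tid for tid, ces in matches.items()
           if any(c.affected_internal_ip == affected_internal_ip for c in ces)}
    return [by_id[i] for i in sorted(ids)]


def only_correlated(connector_events, matches):
    """The 'correlates to a threat event' filter on the connector activity report."""
    linked = {c.event_id for ces in matches.values() for c in ces}
    return [c for c in connector_events if c.event_id in linked]


def events_to_csv(events):
    """CSV download of an event list; the header comes from the dataclass fields."""
    out = io.StringIO()
    if events:
        writer = csv.DictWriter(out, fieldnames=[f.name for f in fields(events[0])])
        writer.writeheader()
        for e in events:
            writer.writerow(asdict(e))
    return out.getvalue()


if __name__ == "__main__":
    m = correlate(THREAT_EVENTS, CONNECTOR_EVENTS)
    for tid, ces in m.items():
        print(tid, "->", [(c.event_id, c.affected_internal_ip) for c in ces])
    print(events_to_csv(only_correlated(CONNECTOR_EVENTS, m)))
```

Run as a script, it prints TE-1 mapped to the two internal machines (192.168.1.20 and 192.168.1.31) that actually connected after the sinkholed lookup, and a CSV of just the correlated connector events. The deliberately uncorrelated records (a blocked threat event, a stale repeat of the same domain, and a connector hit with no threat event) drop out, which is the point of starting an investigation from correlated events rather than from either report alone.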