Advanced Correlation

Threat Defender uses Behavior-based Correlation, also called advanced correlation, to analyze the network traffic and detect threats.

Threat Defender correlates current and historical traffic flows in real time. It uses event tracking tables to store combinations of attributes and track the properties of communication events across the traffic flows and over time. Threat Defender uses rules to add entries to the tables and to query them. No traffic passes Threat Defender without being handled by the correlation engine.

Navigate to Policy > Advanced Correlation to see an overview of all advanced correlation scenarios defined in the system. Threat Defender provides several predefined scenarios for the most common tasks.

The table displays the correlation scenarios with their Name and a Note. The slider switch in the first column indicates whether a scenario is active (on) or inactive (off). The buttons in last column allow you to view the details of a scenario, edit its general settings or delete it from the system.


Using the edit_icon icon you can only edit the Name and Note of a scenario. To edit its security settings, double-click on the respective row in the overview table.


The scenarios are processed from top to bottom. It is therefore recommended to place more specific scenarios at the top of the table and scenarios that apply to a broader range of traffic at the bottom. To reorder scenarios, click the ACTIVATE REORDER button above the table. Move the scenarios to the desired positions using drag and drop.

To add a new scenario to the system, click the Add button above the overview table.

Advanced Correlation Scenario Settings

After clicking Add or the edit_icon icon, you can change the general settings of the correlation scenario:




The slider switch indicates whether the scenario is enabled or disabled.


Enter the name of the scenario.


Optional: Add a short description of the scenario.

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).

After saving the general settings of a correlation scenario or double-clicking on its row in the overview table, you can configure its security settings.

To reset the state of a correlation scenario, click RESET STATE. This will delete the content of all dynamic network objects and event tracking tables used in the scenario. The system prompts you to confirm the reset action.

For the security settings of the scenario, the following tabs are available:

  • The Rules tab displays the rules included in the scenario. Click Add to add a new rule to the scenario. For further information, see Rules.

  • The Dynamic Network Objects tab displays the dynamic network objects included in the scenario. Click Add to add a new dynamic network object to the scenario. For further information, see Dynamic Network Objects.

  • The Event Tracking Tables tab displays the event tracking tables associated with this scenario. Click Add to add a new event tracking table to the scenario. For further information, see Event Tracking Tables.

Any changes you configure in these tabs are stored for the correlation scenario when you click SAVE in the respective tab.

Additional References: