
Quick Start Security for Palo Alto


Out-of-the-Box Security For Palo Alto Includes:

Dashboards - 8

Gain instantaneous visualization of all your Palo Alto data.

Palo Alto - Config Events
Palo Alto - GlobalProtect Users and Machines
Palo Alto - GlobalProtect VPN
Palo Alto - Network Traffic
Palo Alto - SaaS Activity
Palo Alto - System Events
Palo Alto - Threat Monitoring
Palo Alto - Threat Signature Details

Alerts - 20

Stay on top of Palo Alto key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Palo Alto Firewall - GlobalProtect - Consecutive Successful VPN Logins Observed

This alert detects when more than one successful VPN login is observed from the same source using different user names within a specific interval of time. It is a unique-count alert: if the number of distinct users seen from the same source exceeds 1 within a 10-minute interval, the alert is triggered.

Impact
Consecutive successful logins within a short interval of time from the same unknown source for different user names could be an indication of malicious activity.

Mitigation
Check whether the user is aware of the login activity and whether it is legitimate. If not, investigate further. Also, make sure that authentication via MFA is in place.

MITRE Tactic: TA0001
MITRE Technique: T1078
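As an added illustration (not Coralogix's or Palo Alto's code), the unique-count logic of this alert re-implemented over constructed GlobalProtect-style login records; the record layout and the "success" status value are assumptions, while the 10-minute window and the limit of one user per source come from the alert definition above.

```python
# Added example, not Coralogix's or Palo Alto's code: re-implements the
# unique-count check of the Consecutive Successful VPN Logins alert.
# Record layout (timestamp, source IP, user, status) is an assumption.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # interval from the alert definition
MAX_USERS = 1                    # alert once distinct users per source exceed this

# Constructed sample records: two users from one address within 4 minutes
# (should fire), then one user twice and a different user 16 minutes later
# from another address (should not fire, the window has expired).
SAMPLE_LOGINS = [
    ("2024-05-01T08:00:10", "203.0.113.7", "alice", "success"),
    ("2024-05-01T08:03:40", "203.0.113.7", "bob", "success"),
    ("2024-05-01T08:04:05", "203.0.113.7", "carol", "failure"),
    ("2024-05-01T08:20:00", "198.51.100.9", "dave", "success"),
    ("2024-05-01T08:25:00", "198.51.100.9", "dave", "success"),
    ("2024-05-01T08:36:00", "198.51.100.9", "erin", "success"),
]

def find_multi_user_sources(records, window=WINDOW, max_users=MAX_USERS):
    """Return (source, distinct_users, time) for each event at which a source
    has more than max_users distinct successful user names inside the window."""
    recent = defaultdict(deque)   # source -> (time, user) events, newest last
    hits = []
    for ts, src, user, status in sorted(records):
        if status != "success":
            continue              # only successful logins count for this alert
        t = datetime.fromisoformat(ts)
        events = recent[src]
        events.append((t, user))
        while t - events[0][0] > window:   # drop events older than the window
            events.popleft()
        users = {u for _, u in events}
        if len(users) > max_users:
            hits.append((src, users, t))
    return hits

if __name__ == "__main__":
    for src, users, t in find_multi_user_sources(SAMPLE_LOGINS):
        print(f"{t.isoformat()} {src}: {len(users)} users within {WINDOW}: {sorted(users)}")
```

Failed logins are skipped on purpose; the separate Multiple Failed Login Attempts alert below covers those.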

Palo Alto Firewall - More than usual drop actions (By Destination)

This alert detects when 'deny' actions for any event are generated more often than the usual number for a single destination IP. If the deny count exceeds the usual number by more than the threshold value of 50 within a 5-minute time window, the alert is triggered. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data; the algorithm takes one week to learn the traffic pattern.

Impact
Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'type', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Palo Alto Firewall - More than usual deny actions (By Source)

This alert detects when 'deny' actions for any event are generated more often than the usual number for a single source IP. If the deny count exceeds the usual number by more than the threshold value of 50 within a 5-minute time window, the alert is triggered. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data; the algorithm takes one week to learn the traffic pattern.

Impact
Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'type', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.
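An added example (not Coralogix's code) of the "more than usual" check behind this alert and the By Destination one above. The page does not say how the product learns the usual number, so this assumes the median deny count for the same 5-minute time-of-day bucket over the previous 7 days; the 5-minute window, the margin of 50 and the 7-day learning period come from the alert definition, and the record layout is constructed.

```python
# Added example, not Coralogix's code; the page does not publish how the
# "usual number" is learned, so this assumes it is the median deny count for
# the same 5-minute time-of-day bucket over the previous 7 days.
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
BUCKET_MINUTES = 5   # time window from the alert definition
MARGIN = 50          # threshold above the usual number, from the alert definition
LEARN_DAYS = 7       # learning period, from the alert definition

def bucket_of(ts):
    """Floor a datetime to the start of its 5-minute bucket."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)

def count_denies(records):
    """records are (timestamp, ip, action); returns Counter[(ip, bucket_start)]."""
    counts = Counter()
    for ts, ip, action in records:
        if action == "deny":
            counts[(ip, bucket_of(datetime.fromisoformat(ts)))] += 1
    return counts

def usual_number(counts, key, bucket_start, days=LEARN_DAYS):
    """Median count for key in the same time-of-day bucket on each of the previous days."""
    return median(counts.get((key, bucket_start - timedelta(days=d)), 0) for d in range(1, days + 1))

def excessive_denies(records, margin=MARGIN):
    """Evaluate the most recent bucket; return [(ip, bucket_start, count, usual)] where count > usual + margin."""
    counts = count_denies(records)
    latest = max(b for _, b in counts)
    hits = []
    for (ip, b), n in counts.items():
        usual = usual_number(counts, ip, b)
        if b == latest and n > usual + margin:
            hits.append((ip, b, n, usual))
    return hits

# Constructed sample: 7 days of 10-12 denies per bucket to 192.0.2.10 at 09:00,
# then 70 in today's bucket (spike); 192.0.2.20 goes from 15 to 20 (normal).
def build_sample():
    today = datetime(2024, 5, 8, 9, 0)
    recs = []
    for d in range(1, LEARN_DAYS + 1):
        day = (today - timedelta(days=d)).isoformat()
        recs += [(day, "192.0.2.10", "deny")] * (10 + d % 3)
        recs += [(day, "192.0.2.20", "deny")] * 15
    recs += [((today + timedelta(seconds=30)).isoformat(), "192.0.2.10", "deny")] * 70
    recs += [(today.isoformat(), "192.0.2.20", "deny")] * 20 + [(today.isoformat(), "192.0.2.20", "allow")] * 5
    return recs
```

Feed destination IPs as the `ip` field for the By Destination variant and source IPs for the By Source variant; the windowing and baseline logic is the same.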

Palo Alto Firewall - Medium Severity Event

This alert detects all Palo Alto logs that have medium severity.

Impact
Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation
To further investigate the alert, determine the log type (the 'type' log field: Traffic, GlobalProtect, Threat, etc.). Once the log type is determined, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Palo Alto Firewall - High Severity Event

This alert detects all Palo Alto logs that have high severity.

Impact
Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation
To further investigate the alert, determine the log type (the 'type' log field: Traffic, GlobalProtect, Threat, etc.). Once the log type is determined, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Palo Alto Firewall - Low Severity Event

This alert detects all Palo Alto logs that have low severity.

Impact
Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation
To further investigate the alert, determine the log type (the 'type' log field: Traffic, GlobalProtect, Threat, etc.). Once the log type is determined, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Palo Alto Firewall - Traffic - DNS over TCP

This alert detects DNS communication (identified by destination port) carried over TCP rather than UDP.

Impact
DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can be an indication of malicious activity.

Mitigation
Investigate the source hosts involved in those queries using audit logs from these machines, as this activity could be an indication of data exfiltration. See the following link for more detail: https://www.akamai.com/blog/news/introduction-to-dns-data-exfiltration

MITRE Tactic: TA0010
MITRE Technique: T1048

Palo Alto Firewall - Traffic - Ingress RDP From Outside Zone

This alert detects when an RDP connection (TCP 3389) originates from the Outside zone and is not denied or dropped by the Palo Alto.

Impact
Enabling ingress RDP can result in unauthorized access to systems, data breaches, malware infections, service disruption, and damage to an organization's reputation.

Mitigation
Investigate whether this activity is legitimate, as some systems may allow RDP from the internet for the purpose of remote management. If that is the case, create an exclusion for the alert according to the source/destination IPs/hosts.

MITRE Tactic: TA0001
MITRE Technique: T1133

Palo Alto Firewall - Traffic - Ingress SSH From Outside Zone

This alert detects when an SSH connection (TCP 22) originates from the Outside zone and is not denied or dropped by the Palo Alto.

Impact
Enabling ingress SSH can result in unauthorized access to systems.

Mitigation
Investigate whether this activity is legitimate, as some systems may allow SSH from the internet for the purpose of remote management. If that is the case, create an exclusion for the alert according to the source/destination IPs/hosts.

MITRE Tactic: TA0001
MITRE Technique: T1133

Palo Alto Firewall - Threat - Exploit Kit Detected

This alert detects when the Palo Alto matched a threat signature of the type Exploit-Kit. This type of signature detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger on the exploit kit landing page rather than on the CVEs.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Threat - Protocol Anomaly Detected

This alert detects when the Palo Alto matched a threat signature of the type Protocol Anomaly. This type of signature detects protocol anomalies, where protocol behavior deviates from standard and compliant usage. For example, a malformed packet, a poorly written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Threat - Insecure Credentials Usage Detected

This alert detects when the Palo Alto matched a threat signature of the type Insecure-Credentials. This type of signature detects the use of weak, compromised, and manufacturer default passwords for software, network appliances, and IoT devices.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Threat - DoS Attack Detected

This alert detects when the Palo Alto matched a threat signature of the type DoS (Denial of Service). This signature detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (such as employees, members, and account holders) of the service or resource to which they expect access.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - GlobalProtect - Multiple Failed Login Attempts

This alert detects multiple failed VPN login attempts or failed admin login attempts within a specific interval for the same user.

Impact
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.

Mitigation
Investigate the failed login attempts and verify with the user that it was them trying to log in. If it was not, investigate the source of the login attempts further to determine a possible compromise. Also, make sure that MFA is enabled.

MITRE Tactic: TA0006
MITRE Technique: T1110

Palo Alto Firewall - Threat - Phishing Detected

This alert detects when the Palo Alto matched a threat signature of the type Phishing. This signature detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Threat - Code Execution Detected

This alert detects when the Palo Alto matched a threat signature of the type Code-Execution. This signature detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Threat - Info Leak Detected

This alert detects when the Palo Alto matched a threat signature of the type Info-Leak. This signature detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak exists because comprehensive checks guarding the data are missing, and attackers can exploit info-leaks by sending crafted requests.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Threat - Brute Force Detected

This alert detects when the Palo Alto matched a threat signature of the type Brute-Force. A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server.

Impact
Context based. Read more about the types of Palo Alto threat signatures here: https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories

Mitigation
Investigate the logs, paying attention to the following log fields: 'action', 'threat_id', source/destination IPs, source/destination zones, 'direction', app fields, 'sequence_no' and 'session_id'. Based on the findings, and if the action was not drop/deny, you can choose to block the traffic based on its source IP, country or user.

Palo Alto Firewall - Critical Severity Event

This alert detects all Palo Alto logs that have critical severity.

Impact
Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation
To further investigate the alert, determine the log type (the 'type' log field: Traffic, GlobalProtect, Threat, etc.). Once the log type is determined, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Palo Alto Firewall - No logs for past 30 minutes

This alert detects when no logs from Palo Alto have been received in the user's account in the past 30 minutes.

Impact
An adversary may disable logging capabilities and integrations to limit what data is collected on their activities and avoid detection.

Mitigation
Investigate the root cause of this behavior and re-enable logging if it has been disabled. Additionally, administrators can manage policies to ensure that only the necessary users have permission to change logging policies.

MITRE Tactic: TA0005
MITRE Technique: T1562

Documentation

Learn more about Coralogix's out-of-the-box integration with Palo Alto in our documentation.
