
Quick Start Security for Prisma SASE

Prisma SASE

Coralogix Extension For Prisma SASE Includes:

Alerts - 13

Stay on top of Prisma SASE key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Threat - critical severity threat detected

This alert detects all Prisma Access - Threat logs that have critical severity.
Impact: Depends on the type and parameters of the log. Please check the logs for more details.
Mitigation: To further investigate the alert, check fields like 'event_id', 'Action', 'Application', 'SubType', 'dst', 'src', 'usrName' in the log if these fields are present (they can change per log). Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Threat - high severity threat detected

This alert detects all Prisma Access - Threat logs that have high severity.
Impact: Depends on the type and parameters of the log. Please check the logs for more details.
Mitigation: To further investigate the alert, check fields like 'event_id', 'Action', 'Application', 'SubType', 'dst', 'src', 'usrName' in the log if these fields are present (they can change per log). Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

System - critical severity threat detected

This alert detects all Prisma Access - System logs that have critical severity.
Impact: Depends on the type and parameters of the log. Please check the logs for more details.
Mitigation: To further investigate the alert, check fields like 'event_id', 'EventDescription', 'SubType', 'SequenceNo' in the log if these fields are present (they can change per log).

System - high severity threat detected

This alert detects all Prisma Access - System logs that have high severity.
Impact: Depends on the type and parameters of the log. Please check the logs for more details.
Mitigation: To further investigate the alert, check fields like 'event_id', 'EventDescription', 'SubType', 'SequenceNo' in the log if these fields are present (they can change per log).

System - medium severity threat detected

This alert detects all Prisma Access - System logs that have medium severity.
Impact: Depends on the type and parameters of the log. Please check the logs for more details.
Mitigation: To further investigate the alert, check fields like 'event_id', 'EventDescription', 'SubType', 'SequenceNo' in the log if these fields are present (they can change per log).

Building Block - Successful Login Observed from an IP address

This alert detects whenever a successful connection is seen from an IP address. It is the building block for the flow alert listed below: Prisma - Flow Alert - Suspicious Login Activity Observed.

UserID - VPN login from a new user observed

This alert is triggered whenever a VPN login from a new user is observed.
Impact: Threat actors can create new user accounts and use them to log in to critical services/applications using a VPN.
Mitigation: Check if the administrator is aware of this new user and if this login activity is legitimate. If not, investigate further.
MITRE Tactic: TA0001. MITRE Technique: T1133.

Global Protect - new host was seen

This alert detects whenever Global Protect assigns a new unique ID to identify a host.
Impact: Adversaries may introduce new machines/devices into a network that can be used as a vector to gain access.
Mitigation: Check if the network administrator is aware of this new host. If not, investigate further.
MITRE Tactic: TA0001. MITRE Technique: T1200.

Global Protect - More than usual failed connection attempts for a user

This alert detects when the number of failed connection/login attempts for a user is higher than normal, but no less than 3 attempts in a time interval of 5 minutes. This might be an indication of a brute-force attempt.
Impact: Many failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed connection/login attempts and verify the root cause of the higher-than-usual number of login failures. It might be an indicator of compromise.
MITRE Tactic: TA0006. MITRE Technique: T1110.

Threat - medium severity threat detected

This alert detects all Prisma Access - Threat logs that have medium severity.
Impact: Depends on the type and parameters of the log. Please check the logs for more details.
Mitigation: To further investigate the alert, check fields like 'event_id', 'Action', 'Application', 'SubType', 'dst', 'src', 'usrName' in the log if these fields are present (they can change per log). Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Global Protect - Multiple Failed Connection Attempts from an IP address

This alert triggers whenever more than 10 failed connection attempts in a 5-minute interval are observed from an IP address. This might be an indication of a brute-force attempt.
Impact: Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account(s).
Mitigation: Investigate the failed connection/login attempts and verify the root cause of the login failures. It might be an indicator of compromise.
MITRE Tactic: TA0006. MITRE Technique: T1110.

Flow Alert - Suspicious Login Activity Observed

This alert detects whenever there are multiple failed connection attempts from a remote IP followed by a successful connection. This could be an indication of a brute-force attack.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed login attempts and verify the root cause of the high number of login failures. It might be an indicator of compromise.
MITRE Tactic: TA0006. MITRE Technique: T1110.
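The three Global Protect brute-force alerts above (more than usual failures for a user with a floor of 3 in 5 minutes, more than 10 failures from one IP in 5 minutes, and failures from an IP followed by a success) share one mechanism: a sliding 5-minute window of failed connections keyed by user and by source IP. The following Python replays a constructed event stream through that mechanism so the thresholds can be seen firing. It is an added example, not Coralogix's alert definitions or Prisma Access code; the field names 'ts', 'src', 'usrName' and 'status', the sample addresses, and the per-user baseline dictionary (standing in for whatever "normal" the real alert learns) are assumptions made for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Window used by all three alerts on the page: 5 minutes.
WINDOW = timedelta(minutes=5)

# Constructed sample events. The field names ('ts', 'src', 'usrName', 'status')
# and the addresses are assumptions for this example, not the extension's
# parsed-field names.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # 12 failures 10 s apart from one IP against 'alice', then a success
    [{"ts": _T0 + timedelta(seconds=10 * i), "src": "203.0.113.7",
      "usrName": "alice", "status": "failed"} for i in range(12)]
    + [{"ts": _T0 + timedelta(seconds=130), "src": "203.0.113.7",
        "usrName": "alice", "status": "success"}]
    # a benign user who mistypes a password twice and then logs in
    + [{"ts": _T0 + timedelta(seconds=5), "src": "198.51.100.5",
        "usrName": "bob", "status": "failed"},
       {"ts": _T0 + timedelta(seconds=40), "src": "198.51.100.5",
        "usrName": "bob", "status": "failed"},
       {"ts": _T0 + timedelta(seconds=70), "src": "198.51.100.5",
        "usrName": "bob", "status": "success"}]
)


def _prune(window, now):
    """Drop failure timestamps that fell out of the 5-minute window."""
    while window and now - window[0] > WINDOW:
        window.popleft()


def evaluate(events, ip_threshold=10, user_min_failures=3,
             user_baseline=None, flow_min_failures=3):
    """Replay events in time order and return the alerts that fire.

    ip_threshold:      IP alert fires on MORE than this many failures (page: >10).
    user_min_failures: floor for the per-user alert (page: no less than 3).
    user_baseline:     assumed 'normal' failure count per user; the per-user
                       alert fires only above it.  Stand-in for learned behaviour.
    flow_min_failures: how many prior failures from the IP make a following
                       success 'suspicious' for the flow alert (assumption).
    """
    user_baseline = dict(user_baseline or {})
    fails_by_ip = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    fired_ip, fired_user = set(), set()   # alert once per entity per streak
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, user, now = ev["src"], ev["usrName"], ev["ts"]
        _prune(fails_by_ip[ip], now)
        _prune(fails_by_user[user], now)

        if ev["status"] == "failed":
            fails_by_ip[ip].append(now)
            fails_by_user[user].append(now)

            # Global Protect - Multiple Failed Connection Attempts from an IP
            if len(fails_by_ip[ip]) > ip_threshold and ip not in fired_ip:
                fired_ip.add(ip)
                alerts.append(("multiple_failed_from_ip", ip))

            # Global Protect - More than usual failed attempts for a user
            n = len(fails_by_user[user])
            if (n >= user_min_failures and n > user_baseline.get(user, 0)
                    and user not in fired_user):
                fired_user.add(user)
                alerts.append(("more_than_usual_failed_for_user", user))

        elif ev["status"] == "success":
            # Flow Alert - failures from the IP followed by a success
            if len(fails_by_ip[ip]) >= flow_min_failures:
                alerts.append(("suspicious_login_flow", ip, user))
            # a successful login ends the user's failure streak
            fails_by_user[user].clear()
            fired_user.discard(user)

    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the attacker-like stream from 203.0.113.7 raises all three alerts while bob's two mistypes raise none; passing a higher baseline for alice (for example `user_baseline={"alice": 20}`) suppresses only the per-user alert, which is the "higher than normal" part of that rule. In a real pipeline the baseline would come from the user's historical failure rate rather than a dictionary.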

No logs from Prisma SASE

This rule detects if there are no logs in the last 12 hours for Prisma SASE in the customer account. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005. MITRE Technique: T1562.

Integration

Learn more about Coralogix's out-of-the-box integration with Prisma SASE in our documentation.
