https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/543113#M4410 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/239366">@PaulThomas00</a>,</P> <P>&nbsp;</P> <P>Thank you for reaching out on LIVEcommunity!</P> <P>&nbsp;</P> <P>I'm not sure there's a best practices for NGFW logs available.&nbsp; Can you tell me a little more about your issue?&nbsp; I'm assuming the incidents have been investigated and determined to be false positive.</P> Wed, 24 May 2023 01:32:06 GMT anlynch 2023-05-24T01:32:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/542964#M4400 <P>Hi there,&nbsp;</P> <P>&nbsp;</P> <P>We have have recently started ingesting PAN NGFW logs into XDR, however they're generating a lot of incidents, for now I have excluded - prevented/terminated events, does anyone have any information on best practices, useful ways to use these?</P> Mon, 22 May 2023 21:15:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/542964#M4400 PaulThomas00 2023-05-22T21:15:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/543113#M4410 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/239366">@PaulThomas00</a>,</P> <P>&nbsp;</P> <P>Thank you for reaching out on LIVEcommunity!</P> <P>&nbsp;</P> <P>I'm not sure there's a best practices for NGFW logs available.&nbsp; Can you tell me a little more about your issue?&nbsp; I'm assuming the incidents have been investigated and determined to be false positive.</P> Wed, 24 May 2023 01:32:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/543113#M4410 anlynch 2023-05-24T01:32:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/543118#M4413 <P>Thanks for the reply,&nbsp;</P> <P>It may be the way the FW is configured, but currently all events are being sent to XDR including URL filtering, http traversal, suspicous DNS query, which are all prevented/blocked/terminate/detected, I can see how these events maybe useful in context of an incident, but wondering if there is any benefit from ingesting PAN NGFW events directly into XDR?<BR />The result is an overwhelming number of incidents created. Just wondering the best way to manage these. Any suggestions would be appreciated.&nbsp;</P> Wed, 24 May 2023 01:39:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pan-ngfw-into-xdr-best-practices/m-p/543118#M4413 PaulThomas00 2023-05-24T01:39:36Z