topic Re: Palo Alto Networks next-generation firewalls Threat prevention signatures in Next-Generation Firewall Discussions

Palo Alto Networks next-generation firewalls Threat prevention signatures

lonis23i — Fri, 17 Mar 2023 16:24:56 GMT

Hello.

Please currently i'm studying the Palo Alto Networks next-generation firewalls Threat prevention module, and 'm interested in the list of the available signatures (description, severity ranking, Threat type, ). I found that threat vault can give this informations : https://threatvault.paloaltonetworks.com/ but for that we need to provide the specific UTID (Unique Threat ID).

Is there a way to get the list of all the available signatures for the Palo Alto Networks next-generation firewalls Threat prevention module ?

Waiting for the response, any help will be appreciated.

Have nice day,

Cordially.

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

OtakarKlier — Fri, 17 Mar 2023 16:48:47 GMT

Hello,

I dont think one exists, however if it did, there would be tens of thousands, most likely. Learn the best practices around threat prevention, like updating the dynamic updates and applying the profiles to policies, etc.

Regards,

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

lonis23i — Fri, 17 Mar 2023 17:19:50 GMT

Hello,

First of all thanks for the quick reply.

The reason behind my request is that i want to implement some alerts on SIEM level for the most critical signatures of the Threat prevention module of the PALO ALTO PAN-OS firewall. to be able to that i want to see the vailable signatures for this module.

Now based of the Threat Vault resource, is the information presented there is only for the "Palo Alto Networks next-generation firewalls Threat prevention signatures" or there is another solution (XDR, ...ect). and if it is the case maybe we can found the class ID for the signatures related to the Firewall threat prevention module!

Thanks in advance for the help,

Best regards,

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

OtakarKlier — Fri, 17 Mar 2023 17:25:37 GMT

Hello,

I gotcha. I kinda do a similar thing. However first with the threat signatures, I block anything that is medium or higher. Then on my SIEM, I have it only alert on Critical severity events.

Regards,

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

lonis23i — Fri, 17 Mar 2023 17:57:45 GMT

Hello,

That's great thanks for sharing, so your approach based only on the criticality understood, and did you encounter lot of events on the SIEM level ? just to have an idea about the number of alerts triggered!

For me i want at first took a look into the signatures, types, coverage, criticality... etc and after that take a decision if you have any source that can help that will be appreciated man ^^,

King regards,

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

OtakarKlier — Fri, 17 Mar 2023 18:28:18 GMT

Hello,

Well I think I have a special case, because most of all my services that are externally accessible are whitelisted. But for those that are not, I dont get many. You kinda just have to filter through the noise. Since every environment is different, I would say start with your internal zones first when it comes to alerting. It should be reasonable quiet. Then add the external stuff and just start to recognize the 'noise' rather than anything else.

Here are a few things I use to try to limit my external exposure footprint.

Whitelist countries that can connect to my external IP's
- We only allow the US
Use the External Dynamic Lists to help block others
- Palo Alto has 4 that are great as well as the SpamHaus ones
  - http://www.spamhaus.org/drop/drop.txt
  - http://www.spamhaus.org/drop/edrop.txt
Make sure to use Applications instead of ports (sometimes not possible)
- SSL instead of 443, etc
Enable Telemetry
- This allows usage stats to be sent to Palo Alto so they can use their Machine learning to create new threat profies etc. This helps everyone out (kind of a way to giving back to the community)

The idea is to make is as difficult as possible for an adversary so they go after someone else. Also realize that most ways companies get compromised is from the inside, someone clicks a link or attachment, etc. so dont forget to secure that as well!

Hope this helps.

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

lonis23i — Sat, 18 Mar 2023 13:10:44 GMT

Hello,

Thank you very much for taking the time to answer and also for the valuable informations that you shared with us 😉,

Yes, this really helpful man,

Best regards,

Re: Palo Alto Networks next-generation firewalls Threat prevention signatures

OtakarKlier — Mon, 20 Mar 2023 13:00:58 GMT

Anytime! Please dont hesitate to ask additional questions, etc.