<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IDS Alerts in Panorama Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/panorama-discussions/ids-alerts/m-p/1258837#M3113</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;I have been by auditors to submit IDS log alerts from Panorama, i know the best practice is to use Microsoft Sentinel. Has anyone done directly using Panorama and which severity is selected to minimize impact on the smtp server.&lt;/P&gt;</description>
    <pubDate>Mon, 13 Jul 2026 17:18:44 GMT</pubDate>
    <dc:creator>MP-Firewall</dc:creator>
    <dc:date>2026-07-13T17:18:44Z</dc:date>
    <item>
      <title>IDS Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/ids-alerts/m-p/1258837#M3113</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;I have been by auditors to submit IDS log alerts from Panorama, i know the best practice is to use Microsoft Sentinel. Has anyone done directly using Panorama and which severity is selected to minimize impact on the smtp server.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jul 2026 17:18:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/ids-alerts/m-p/1258837#M3113</guid>
      <dc:creator>MP-Firewall</dc:creator>
      <dc:date>2026-07-13T17:18:44Z</dc:date>
    </item>
    <item>
      <title>Re: IDS Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/ids-alerts/m-p/1258858#M3114</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/235045"&gt;@MP-Firewall&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thanks for posting!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You asked a broad question. I will try to break it down.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;- I went through audits myself and what I took out of it in general auditors do not care from where data/reports come from as long as it provides enough proof. Under assumption that all your Firewalls are sending logs to Panorama, you can leverage Panorama's out of the box reports to start with. You can generate them from Panorama by navigating to: MONITOR &amp;gt; Reports &amp;gt; Threat Reports. There you will find many out of box reports. Auditors are likely going to ask something more specific or customed to your environment. This is where you can use custom reports under&amp;nbsp;MONITOR &amp;gt; Manage Custom Reports. I have seen cases where auditors ask for detailed log samples. You will find them under:&amp;nbsp;MONITOR &amp;gt; Logs &amp;gt; Threat. In all of these cases you reply on Panorama internal storage to give you enough retention to provide logs or generate reports. Here is a KB for reference with instructions to run predefined reports:&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTvCAK" target="_self"&gt;Tips &amp;amp; Tricks: Scheduled predefined reports.&lt;/A&gt;&amp;nbsp;In the case auditors asked you to provide reports / logs beyond Panorama retention period, you will have to rely on external logging / SIEM.&lt;/P&gt;
&lt;P&gt;- You already mentioned Microsoft Sentinel in your post. Unless you are already using Sentinel in your environment, I would not necessarily focused only on this SIEM. Based on my experience auditors are not after what SIEM you are using, but what data you can provide them. If you plan to send logs from Panorama to Sentinel, make sure your table is set to retention that is long enough to fulfill audit requirements. Sentinel offers cost effective solution with Data Lake tier that allows long retention with relatively low cost at the expense of losing some of the capabilities offered in Analytics tier.&lt;/P&gt;
&lt;P&gt;- You mentioned in your post SMTP server. If you plan to send either logs or reports by email you can refer to this KB for more details:&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTrCAK&amp;amp;lang=en_US" target="_self"&gt;What more can my firewall do? Forward log files and reports&lt;/A&gt;. When it comes to Threat logs, I would at least exclude informational severity and preferably low severity as well. This will help to reduce noise in logs / reports and loading on SMTP server to process sheer volume of traffic. From medium severity it is where interesting detections come in. Medium and higher severity includes events related to SCAN, RCE, Brute Forcing, etc.&lt;/P&gt;
&lt;P&gt;- Lastly, you did not mentioned what specific audit you are going through or what the scope or compliance is. When it comes to Threat logs Firewall can detect/block only what it can see. If you do not have decryption configured, then your Threat logs will not show much. To auditors it might look like your environment does not have any attacks while in reality Firewall is not able to detect it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jul 2026 23:15:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/ids-alerts/m-p/1258858#M3114</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2026-07-13T23:15:14Z</dc:date>
    </item>
  </channel>
</rss>

