<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Where is Prisma Access User Behavior Analytics (UBA) configured? in Prisma Access Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/where-is-prima-access-ser-behavior-analytics-uba-configured/m-p/630870#M1016</link>
    <description>&lt;P&gt;As mentioned in&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/community-blogs/new-features-introduced-in-prisma-access-3-2/ba-p/512990" target="_blank" rel="noopener"&gt;New Features in Prisma Access 3.2 | Palo Alto Networks&lt;/A&gt;,&amp;nbsp;now Prisma Access should be able to even automatically block or lock bad users with UBA that do too many violations, but there is no more info about this feature anywhere&amp;nbsp;&lt;span class="lia-unicode-emoji" title=":thinking_face:"&gt;🤔&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I know that with XSOAR you can make a playbook based on the number of threat logs generated for a given time to block a bad source IP or user, but what about without it?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Also, auto-tagging is not an option, as you can't say if 10 threat logs are seen for 1 minute from a user, add a tag, and making a custom brute force signature that is triggered based on the number of requests ( &lt;A href="https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/customize-the-action-and-trigger-conditions-for-a-brute-force-signature" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/customize-the-action-and-trigger-conditions-for-a-brute-force-signature&lt;/A&gt; ) is not for this, as this will work only if the attacker does the same attack over and over again.&lt;/P&gt;</description>
    <pubDate>Wed, 20 Nov 2024 08:21:59 GMT</pubDate>
    <dc:creator>nikoolayy1</dc:creator>
    <dc:date>2024-11-20T08:21:59Z</dc:date>
    <item>
      <title>Where is Prisma Access User Behavior Analytics (UBA) configured?</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/where-is-prima-access-ser-behavior-analytics-uba-configured/m-p/630870#M1016</link>
      <description>&lt;P&gt;As mentioned in&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/community-blogs/new-features-introduced-in-prisma-access-3-2/ba-p/512990" target="_blank" rel="noopener"&gt;New Features in Prisma Access 3.2 | Palo Alto Networks&lt;/A&gt;,&amp;nbsp;now Prisma Access should be able to even automatically block or lock bad users with UBA that do too many violations, but there is no more info about this feature anywhere&amp;nbsp;&lt;span class="lia-unicode-emoji" title=":thinking_face:"&gt;🤔&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I know that with XSOAR you can make a playbook based on the number of threat logs generated for a given time to block a bad source IP or user, but what about without it?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Also, auto-tagging is not an option, as you can't say if 10 threat logs are seen for 1 minute from a user, add a tag, and making a custom brute force signature that is triggered based on the number of requests ( &lt;A href="https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/customize-the-action-and-trigger-conditions-for-a-brute-force-signature" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/customize-the-action-and-trigger-conditions-for-a-brute-force-signature&lt;/A&gt; ) is not for this, as this will work only if the attacker does the same attack over and over again.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Nov 2024 08:21:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/where-is-prima-access-ser-behavior-analytics-uba-configured/m-p/630870#M1016</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2024-11-20T08:21:59Z</dc:date>
    </item>
    <item>
      <title>Re: Where is Prisma Access User Behavior Analytics (UBA) configured?</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/where-is-prima-access-ser-behavior-analytics-uba-configured/m-p/639411#M1020</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1358622799"&gt;@Robert344Humphries&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the reply. So with "You can configure auto-tagging to tag users or IP addresses based on specific criteria, such as the number of threat logs generated within a certain timeframe." you mean that this functionality is in the latest version of Prisma Access, as before, on the NGFW, you could have matched on a single log entry but not on the number of log entries for a period of time?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As shown in the link below, what should the filter criteria look like to match the threat log a couple of times (for example, if there are 10 logs in 5 minutes) by source IP or user ID?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/auto-tag-action/use-auto-tagging-to-automate-security-actions-cloud-management" target="_blank"&gt;https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/auto-tag-action/use-auto-tagging-to-automate-security-actions-cloud-management&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 20 Nov 2024 10:42:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/where-is-prima-access-ser-behavior-analytics-uba-configured/m-p/639411#M1020</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2024-11-20T10:42:49Z</dc:date>
    </item>
  </channel>
</rss>

