https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13995#M10272 <HTML><HEAD></HEAD><BODY><P>Thnaks, That'll do panos.... That'll do</P></BODY></HTML> Tue, 18 Nov 2014 22:21:27 GMT Zewwy 2014-11-18T22:21:27Z https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13993#M10270 <HTML><HEAD></HEAD><BODY><P>Hey there,</P><P></P><P>I've really been enjoying the Palo Alto ability to update itself with threats prevention signatures almost instantly (depending on ones setup)</P><P></P><P>I've been checking the ACC more latly and have notice the following:</P><P></P><P><IMG class="image-0 jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/16929_pastedImage_0.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>I'll make some notes here:</P><P></P><P>1) This is only appearing to user who are using the Global Protect to VPN into the corporate network.</P><P></P><P>2) the Victim host is our SharePoint FE</P><P></P><P>3) We currently have an issue where constant Event ID 1 are populated on the SharePoint FE due to a miss configured Performance Point Service which (AFAIK) as been removed from every aspect of our SharePoint (we currently don't use scorecard, etc)</P><P></P><P>4) I don't know if these two issue are related in some way.</P><P></P><P>So my question is as follows is there any way I can get more details on each hit of this threat event? It'd be nice to click on the session and it displayed each session and time the event occurred/got triggered. Since these events are being done by legit users while remoteing in I'm not majorly concerned since I'm sure it has something to with the complex inner SharePoint permission structure (Even posting on TechNet, no one was able to tell me how to query any web parts that might be using performance point to track that event..)</P><P></P><P>But even for future threat sessions it be nice to see when they occurred to help track who was doing what when.. etc... please and thanks!</P></BODY></HTML> Tue, 18 Nov 2014 19:57:26 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13993#M10270 Zewwy 2014-11-18T19:57:26Z https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13994#M10271 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>you have to filter and find these threats on Monitor/threat logs</P><P>so each session detail is there.if it is not enough , you may open packet capture for the related security profile.</P></BODY></HTML> Tue, 18 Nov 2014 20:04:38 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13994#M10271 Retired Member 2014-11-18T20:04:38Z https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13995#M10272 <HTML><HEAD></HEAD><BODY><P>Thnaks, That'll do panos.... That'll do</P></BODY></HTML> Tue, 18 Nov 2014 22:21:27 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-prevention-inspection/m-p/13995#M10272 Zewwy 2014-11-18T22:21:27Z