topic Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions" in General Topics

Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

IMgrtrU — Wed, 02 May 2012 18:43:05 GMT

Hello. Via the Monitor page, I'm trying to build a log query, to report upon all threats regarded as critical within the last 24 hours that held / conducted a minimum of 12 (twelve) sessions. I've got the first 2 (two) filtering parameters - my "critical" vulnerability sensitivity; and my time frame eq. last 24 hours. However I'm "stuck", with respect to setting the Minimum Number of Sessions criteria: I just cannot seem to figure out the appropriate filter. So I sure hope you all can provide me some help?

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

rmonvon — Thu, 03 May 2012 15:34:27 GMT

Hi...It is possible that a user may retrieve the same threat multiple times via the same tcp/udp session. We offer the 'count' field to reflect the number of times we saw the threat. You can sort by 'count' to see the threat events in decreasing order but we don't have a filter criteria for the count value. You could export the report and keep those events where the count is 12 or greater.

Thanks.

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

ppatel — Sun, 06 May 2012 21:28:36 GMT

Hi,

Like it was said before we donot have the filter criteria for gettting the threats encountered in last 24 hours that conducted a minimum of 12 sessions for a critical severity.

As far a I understand, the closest we can acheive in your case is filter through the session ID and/or the threat id and monitor that threat ID consistently.

To do that, please ,look at the attachement, capture-session-id.PNG

Regards,

Parth

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

IMgrtrU — Wed, 16 May 2012 19:06:43 GMT

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

IMgrtrU — Wed, 16 May 2012 19:13:20 GMT

Basically what I'm requesting here, are simply 'fundamental components' for a daily threat report log. Surely, this isn't the first time one of Palo Alto's customers has requested a means by which to filter out the hundreds, even thousands, of "one hit wonders" that regularly attempt to infiltrate their firewalls on a daily basis, in order to fous on the ones that are engaging in many-multiple, repeated sessions (e.g., indic. possible DoS, etcetera)? That is, I can't be the 1st to request a filter criteria for the count value? Can I? Really?...

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

rmonvon — Wed, 16 May 2012 19:34:35 GMT

The ability to search through events and notify the admin when the events exceed a certain threshold is typically performed by a SIM/SIEM tool. We offer integration with SIM/SIEM vendors listed here:

https://live.paloaltonetworks.com/docs/DOC-1418

If you like to see this feature within the Palo Alto firewall, please submit a feature request to your local Palo Alto SE. Thanks.