https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47998#M35292 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/28351">craigmueller</A>,</P><P></P><P>Here is the link you are looking for :</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1367">Trigger Conditions for Brute Force Signatures</A></P><P></P><P></P><P>Hope that helps!</P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Mon, 30 Jun 2014 21:07:14 GMT kadak 2014-06-30T21:07:14Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47994#M35288 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>I was searching for a while and could not find the answer to this question.</P><P></P><P>By default, does a Palo Alto block every instance a threat ID (that is enabled) is seen or does it wait until 1 threat ID hits 5 times in 1 minute (for example).</P><P></P><P>I would think it would be the former, but was searching for confirmation.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 30 Jun 2014 19:34:59 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47994#M35288 craigmueller 2014-06-30T19:34:59Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47995#M35289 <HTML><HEAD></HEAD><BODY><P>Hello Craig,</P><P></P><P>If threat ID has default action RESET than it will stop in first instance. So, it depends on default action of threat.</P><P></P><P>There is a different case in Vulnerability. Lets say there is a vuln. for bruteforce. And Palo Alto conclude it bruteforce if there are more than 60 attempts in 1 minutes. So in these type of scenarios we check the hits. </P><P></P><P>Best thing is to understand threat details, firewall will behave case to case bases.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 30 Jun 2014 20:58:35 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47995#M35289 hshah 2014-06-30T20:58:35Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47996#M35290 <HTML><HEAD></HEAD><BODY><P>Hardik,</P><P></P><P>Let's take HTTP Unauthorized Brute-force Attack (40031) for example and it's set to the default action of allow. You are saying, there would have to be 60 attempts within 1 minute before an alert would be created?</P><P></P><P>Do you have a link to these figures?</P></BODY></HTML> Mon, 30 Jun 2014 21:03:14 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47996#M35290 craigmueller 2014-06-30T21:03:14Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47997#M35291 <HTML><HEAD></HEAD><BODY><P>Hi Craig,</P><P></P><P>You are right about the behavior, certain number of attempts within 1 minute can trigger vulnerability 40031. And it will only generate a Threat log, because default action is Alert, not Reset.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 30 Jun 2014 21:07:03 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47997#M35291 hshah 2014-06-30T21:07:03Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47998#M35292 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/28351">craigmueller</A>,</P><P></P><P>Here is the link you are looking for :</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1367">Trigger Conditions for Brute Force Signatures</A></P><P></P><P></P><P>Hope that helps!</P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Mon, 30 Jun 2014 21:07:14 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47998#M35292 kadak 2014-06-30T21:07:14Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47999#M35293 <HTML><HEAD></HEAD><BODY><P>Thank you for the link.</P><P></P><P>Are there separate lists for each group of signatures? Like 40022 or 40008.</P></BODY></HTML> Mon, 30 Jun 2014 21:15:10 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/47999#M35293 craigmueller 2014-06-30T21:15:10Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48000#M35294 <HTML><HEAD></HEAD><BODY><P>Hi Craig,</P><P></P><P>There may not be, but why do you need it?</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 30 Jun 2014 22:22:24 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48000#M35294 hshah 2014-06-30T22:22:24Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48001#M35295 <HTML><HEAD></HEAD><BODY><P>I was looking for more information on the threat IDs and what triggers the alerts.</P></BODY></HTML> Mon, 30 Jun 2014 22:24:45 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48001#M35295 craigmueller 2014-06-30T22:24:45Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48002#M35296 <HTML><HEAD></HEAD><BODY><P>Hi Craig,</P><P></P><P>Normally PAN doesnt disclose that information unless asked by specific customer for specific ID. </P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 30 Jun 2014 22:43:44 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48002#M35296 hshah 2014-06-30T22:43:44Z https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48003#M35297 <HTML><HEAD></HEAD><BODY><P>ok, thanks everyone for the information</P></BODY></HTML> Mon, 30 Jun 2014 22:45:24 GMT https://live.paloaltonetworks.com/t5/general-topics/default-threat-id-correlation-for-action/m-p/48003#M35297 craigmueller 2014-06-30T22:45:24Z