<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Automatic email alerts: Sinkhole and security policies in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/automatic-email-alerts-sinkhole-and-security-policies/m-p/261320#M74091</link>
    <description>&lt;P&gt;Hi Community,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This query is for PAN-OS v8.1.X.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to generate an email alert when the firewall sees an (action&amp;nbsp;eq sinkhole) event or when the security policy created to sinkhole an infected host is used. Email Profile(s) have already been configured and so has Sinkhole.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What is the best way to configure both: the email alert for the (action&amp;nbsp;eq sinkhole) or any other Log-Threat entry, and also an alert when a specific security policy is used?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lastly, is it possible to generate a dynamic object including source IPs that have already been blocked by the firewall after detecting a vulnerability? The idea is to block access to IPs that already attempted an attack and were blocked by the firewall in the past.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;panw-highrisk-ip-list and panw-known-ip-list do not seem to be very effective, as only one IP (80.211.52.246) has been detected in almost 5 days.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;Ho&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 16 May 2019 10:02:01 GMT</pubDate>
    <dc:creator>ash83</dc:creator>
    <dc:date>2019-05-16T10:02:01Z</dc:date>
    <item>
      <title>Automatic email alerts: Sinkhole and security policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/automatic-email-alerts-sinkhole-and-security-policies/m-p/261320#M74091</link>
      <description>&lt;P&gt;Hi Community,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This query is for PAN-OS v8.1.X.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to generate an email alert when the firewall sees an (action&amp;nbsp;eq sinkhole) event or when the security policy created to sinkhole an infected host is used. Email Profile(s) have already been configured and so has Sinkhole.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What is the best way to configure both: the email alert for the (action&amp;nbsp;eq sinkhole) or any other Log-Threat entry, and also an alert when a specific security policy is used?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lastly, is it possible to generate a dynamic object including source IPs that have already been blocked by the firewall after detecting a vulnerability? The idea is to block access to IPs that already attempted an attack and were blocked by the firewall in the past.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;panw-highrisk-ip-list and panw-known-ip-list do not seem to be very effective, as only one IP (80.211.52.246) has been detected in almost 5 days.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;Ho&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 16 May 2019 10:02:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/automatic-email-alerts-sinkhole-and-security-policies/m-p/261320#M74091</guid>
      <dc:creator>ash83</dc:creator>
      <dc:date>2019-05-16T10:02:01Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic email alerts: Sinkhole and security policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/automatic-email-alerts-sinkhole-and-security-policies/m-p/261398#M74109</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57857"&gt;@ash83&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;For alerting you would really want to build out a Log Setting profile. This will allow you to set up the filter that you want and then specify the actions you wish to take when the firewall sees anything matching your filter. Documentation can be found &lt;A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-log-settings.html" target="_self"&gt;HERE&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;You could also set up an additional Log Forwarding profile if you want to alert on security policy activity. You can get pretty detailed here about when and how you want to be alerted, and what should actually trigger an alert. That documentation can be found &lt;A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/configure-log-forwarding.html" target="_self"&gt;HERE&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are a few ways you can address that last question. You could utilize a Vulnerability Protection Profile specific to external connections and set the Action to "Block IP" and specify your desired duration (up to 3600 seconds) to prevent continual requests from the same address in quick succession. You could also utilize something like MineMeld to build an EDL based off of the alerts the firewall generates. More powerful SIEMs such as Splunk can also incorporate these logs and the MineMeld API to automatically feed indicators into MineMeld based off of the firewall logs for you without manual entry.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 16 May 2019 20:53:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/automatic-email-alerts-sinkhole-and-security-policies/m-p/261398#M74109</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-05-16T20:53:02Z</dc:date>
    </item>
  </channel>
</rss>