topic Re: Alert mail for threat detection in General Topics

Alert mail for threat detection

feelgood — Fri, 21 Feb 2020 13:49:28 GMT

Hello all,

I try to set up alert mail to prevent when my PA220 detects an threat (inboud attack for example).

I configured scheduled PDF reports (daily and weekly) but I want also be informed instantly when a threat is detecting ?

It is possible ?

Thank you in advance for your help.

Re: Alert mail for threat detection

RobinClayton — Fri, 21 Feb 2020 16:45:08 GMT

Yes, Do you have a logging option set on ALL your rules [ including the two default inter/intra zone ones ]

If so on

Objects > Log Forward > [your YourLogFowardName ]

Create a log forward type "Threat" with a destination of e-mail...

You will probably want tor change the severity in the log filter section.

Rob

Re: Alert mail for threat detection

BPry — Fri, 21 Feb 2020 21:40:58 GMT

@feelgood,

As @RobinClayton mentioned, you probably want to set the severity filter to avoid getting an alert on every single threat; generally I would advise that people run with at least the filter (severity geq medium) which would send you an alert for all medium and higher alerts. Some people like to set the filter to ((action neq alert) or (action neq allow)) but I personally find that to be too much when configuring an email profile.

Re: Alert mail for threat detection

feelgood — Tue, 25 Feb 2020 11:49:25 GMT

Hi,

Thank you @BPry @RobinClayton for your help.

No, I don't have Log Settings set up on my rules. I will do that.

Just question : on my default intra-zone, I can't activate Log Settings :

It can works yet ?

Thanks.

Re: Alert mail for threat detection

RobinClayton — Tue, 25 Feb 2020 15:44:39 GMT

Select the rule , then find (OVERRIDE) Cog at the bottom o the page. This will allow you to change the log settings.

Rob

Re: Alert mail for threat detection

feelgood — Wed, 26 Feb 2020 12:19:54 GMT

Hi,

Thanks a lot for your help.