https://live.paloaltonetworks.com/t5/general-topics/cis-control-13-5-unauthorized-use-of-encryption/m-p/344560#M86201 <P>Looking for input on this one. From a Palo Alto perspective, what would be the best way to monitor for encrypted traffic in general? Need a way to make sure we're specifically able to point to traffic that was encrypted and provide a report or show that in a dashboard perhaps in our SIEM. Taking a first look from the ground up and looking for open discussion. Thanks in advance!&nbsp;</P> Wed, 19 Aug 2020 13:49:59 GMT Mr_Kaplan 2020-08-19T13:49:59Z https://live.paloaltonetworks.com/t5/general-topics/cis-control-13-5-unauthorized-use-of-encryption/m-p/344560#M86201 <P>Looking for input on this one. From a Palo Alto perspective, what would be the best way to monitor for encrypted traffic in general? Need a way to make sure we're specifically able to point to traffic that was encrypted and provide a report or show that in a dashboard perhaps in our SIEM. Taking a first look from the ground up and looking for open discussion. Thanks in advance!&nbsp;</P> Wed, 19 Aug 2020 13:49:59 GMT https://live.paloaltonetworks.com/t5/general-topics/cis-control-13-5-unauthorized-use-of-encryption/m-p/344560#M86201 Mr_Kaplan 2020-08-19T13:49:59Z https://live.paloaltonetworks.com/t5/general-topics/cis-control-13-5-unauthorized-use-of-encryption/m-p/424805#M94291 <P>Super slick way to get this done, let's utilize some built-in functionality to make this easy.&nbsp;</P><P>&nbsp;</P><P>Create a custom vulnerability profile, in my example I used the hexadecimal payload in an SSL-response-version packet to indicate TLS 1.0 is being used.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2021-08-05 at 9.12.51 AM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35479i541DA4200C44F24A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2021-08-05 at 9.12.51 AM.png" alt="Screen Shot 2021-08-05 at 9.12.51 AM.png" /></span></P><P>&nbsp;</P><P>Now that I have a custom vuln sig, we are able to see all the traffic touching it on the ACC tab.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2021-08-05 at 9.13.16 AM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35480i0AD49BEB387E9A20/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2021-08-05 at 9.13.16 AM.png" alt="Screen Shot 2021-08-05 at 9.13.16 AM.png" /></span></P><P>&nbsp;</P><P>Which means that I am now able to build custom reports based off that vuln.&nbsp;</P><P>&nbsp;</P><P>You could fully automate getting emailed reports of the traffic touching your signature, or configure a custom log forwarding rule to generate email alerts, for example. Lots of options. For a SIEM, you could export the log/alert to an HTTP server profile. See example screenshot below. But instead of those real threats, you would see your custom encrypted traffic one.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="LINE-Notify.png" style="width: 558px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35481i175781F5003A4EBB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="LINE-Notify.png" alt="LINE-Notify.png" /></span></P><P>&nbsp;</P> Thu, 05 Aug 2021 14:17:38 GMT https://live.paloaltonetworks.com/t5/general-topics/cis-control-13-5-unauthorized-use-of-encryption/m-p/424805#M94291 LAYER_8 2021-08-05T14:17:38Z