Automatic email alerts: Sinkhole and security policies


Hi Community,

 

This query is for PAN-OS v8.1.X

 

I am trying to generate an email alert when the firewall sees an (action eq sinkhole) event or when the security policy created to sinkhole an infected host is used. Email Profile(s) have already been configured, and so has Sinkhole.

 

What is the best way to configure both the email alert for the (action eq sinkhole) or any other Log-Threat entry, and also an alert when a specific security policy is used?

 

Lastly, is it possible to generate a dynamic object including source IPs that have already been blocked by the firewall after detecting a vulnerability? The idea is to block access to IPs that already attempted an attack and were blocked by the firewall in the past.

 

panw-highrisk-ip-list and panw-known-ip-list do not seem to be very effective as only one IP: 80.211.52.246 has been detected in almost 5 days.

 

Thanks.

Ho

 


Re: Automatic email alerts: Sinkhole and security policies

@ash83,

For alerting you would really want to build out a Log Settings profile. This will allow you to set up the filter that you want and then specify the actions you wish to take when the firewall sees anything matching your filter. Documentation can be found HERE.

You could also set up an additional Log Forwarding profile if you want to alert on security policy activity. You can get pretty detailed here about when and how you want to be alerted, and what should actually trigger an alert. That documentation can be found HERE.

 

There are a few ways you can do that last question. You could utilize a Vulnerability Protection Profile specific to external connections and set the Action to "Block IP" and specify your desired duration (up to 3600 seconds) to prevent continual requests from the same address in quick succession. You could also utilize something like MineMeld to build an EDL based off of the alerts the firewall generates. More powerful SIEMs such as Splunk can also incorporate these logs and the MineMeld API to automatically feed indicators into MineMeld based off of the firewall logs for you without manual entry.
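As an added illustration (not code from this thread or from Palo Alto Networks), the following Python snippet evaluates log filters of the form used in a Log Forwarding match list, such as `(action eq sinkhole)` or `(rule eq <policy-name>)`, over constructed threat-log records, and then collects the source IPs of vulnerability events the firewall blocked into the one-IP-per-line text an EDL consumes. The record layout, field names, rule names and the simplified filter grammar are assumptions for the example, not the real PAN-OS log format or filter engine.

```python
"""Added example: a simplified PAN-OS-style log filter evaluator run over
constructed threat-log records, plus an EDL-style list of blocked sources."""
import re
from typing import Dict, List

# Constructed sample records. Field names mirror PAN-OS threat log columns,
# but the values are made up and the layout is simplified (not the real CSV).
THREAT_LOGS: List[Dict[str, str]] = [
    {"type": "THREAT", "subtype": "spyware", "src": "10.1.1.25",
     "dst": "198.51.100.7", "rule": "Allow-Outbound", "action": "sinkhole"},
    {"type": "THREAT", "subtype": "vulnerability", "src": "203.0.113.9",
     "dst": "10.1.1.80", "rule": "Inbound-Web", "action": "block-ip"},
    {"type": "THREAT", "subtype": "spyware", "src": "10.1.1.25",
     "dst": "203.0.113.50", "rule": "Sinkhole-Infected-Hosts", "action": "drop"},
    {"type": "TRAFFIC", "subtype": "end", "src": "10.1.1.30",
     "dst": "192.0.2.4", "rule": "Allow-Outbound", "action": "allow"},
]

# One clause: "(field eq value)" or "(field neq value)".
CLAUSE = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+([^\s)]+)\s*\)")

def matches(record: Dict[str, str], flt: str) -> bool:
    """Evaluate clauses joined by 'and'/'or', left to right (hypothetical
    simplified grammar: no nesting or precedence, enough for these filters)."""
    tokens = re.split(r"\s+(and|or)\s+", flt.strip())
    result, op = None, "or"
    for tok in tokens:
        if tok in ("and", "or"):
            op = tok
            continue
        m = CLAUSE.fullmatch(tok.strip())
        if not m:
            raise ValueError(f"unsupported clause: {tok!r}")
        field, cmp_, value = m.groups()
        hit = (record.get(field) == value) == (cmp_ == "eq")
        result = hit if result is None else (
            (result and hit) if op == "and" else (result or hit))
    return bool(result)

def select(logs: List[Dict[str, str]], flt: str) -> List[Dict[str, str]]:
    """Return the records a match list with this filter would forward."""
    return [r for r in logs if matches(r, flt)]

def blocked_sources(logs: List[Dict[str, str]]) -> List[str]:
    """Distinct source IPs of vulnerability events the firewall blocked,
    sorted one per line as an IP-type EDL expects."""
    hits = select(logs, "(subtype eq vulnerability) and (action eq block-ip)")
    return sorted({r["src"] for r in hits})
```

Running `select(THREAT_LOGS, "(action eq sinkhole) or (rule eq Sinkhole-Infected-Hosts)")` returns both the sinkholed DNS event and the hit on the sinkhole policy, which is the pair of conditions the question asks to alert on.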

 

 
