Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

Not applicable


Hello. Via the Monitor page, I'm trying to build a log query to report on all threats regarded as critical within the last 24 hours that held / conducted a minimum of 12 (twelve) sessions. I've got the first 2 (two) filtering parameters: my "critical" vulnerability sensitivity, and my time frame of the last 24 hours. However, I'm "stuck" with respect to setting the minimum number of sessions criterion: I just cannot seem to figure out the appropriate filter. So I sure hope you all can provide me some help?

L6 Presenter

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

Hi... It is possible that a user may retrieve the same threat multiple times via the same TCP/UDP session. We offer the 'count' field to reflect the number of times we saw the threat. You can sort by 'count' to see the threat events in decreasing order, but we don't have a filter criterion for the count value. You could export the report and keep those events where the count is 12 or greater.

Thanks.

L4 Transporter

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

Hi,

Like it was said before, we do not have the filter criteria for getting the threats encountered in the last 24 hours that conducted a minimum of 12 sessions for a critical severity.

As far as I understand, the closest we can achieve in your case is to filter through the session ID and/or the threat ID and monitor that threat ID consistently.

To do that, please look at the attachment, capture-session-id.PNG.

Regards,

Parth


Not applicable

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

Basically what I'm requesting here are simply 'fundamental components' for a daily threat report log. Surely, this isn't the first time one of Palo Alto's customers has requested a means by which to filter out the hundreds, even thousands, of "one hit wonders" that regularly attempt to infiltrate their firewalls on a daily basis, in order to focus on the ones that are engaging in many-multiple, repeated sessions (e.g., indicating possible DoS, etcetera)? That is, I can't be the 1st to request a filter criterion for the count value? Can I? Really?...

L6 Presenter

Re: Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"

The ability to search through events and notify the admin when the events exceed a certain threshold is typically performed by a SIM/SIEM tool. We offer integration with the SIM/SIEM vendors listed here:

https://live.paloaltonetworks.com/docs/DOC-1418

If you would like to see this feature within the Palo Alto firewall, please submit a feature request to your local Palo Alto SE. Thanks.
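The threshold logic the reply above attributes to a SIM/SIEM, written out as an added example so the mechanism is concrete. This is not code from Palo Alto or from any SIEM product, and the event shape (receive time, threat ID, source, session ID) and all sample events are constructed for the example. It counts distinct sessions per threat ID and source inside a sliding 24-hour window and raises one alert when that count reaches 12, which is the question's criterion; it deliberately does not count repeats inside a single session, since the earlier reply notes one session can trigger the same threat several times.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events():
    """Constructed threat events as (receive_time, threat_id, source, session_id).
    The shape is an assumption for this example, not a real log format."""
    base = datetime(2014, 3, 10, 0, 0, 0)
    events = []
    # 12 distinct sessions for one threat from one host within two hours: should alert
    for i in range(12):
        events.append((base + timedelta(minutes=10 * i), "30001", "10.0.0.5", 50000 + i))
    # 5 sessions for another threat: below the threshold
    for i in range(5):
        events.append((base + timedelta(minutes=15 * i), "30002", "10.0.0.9", 51000 + i))
    # 12 sessions but one every 6 hours: never 12 inside any 24-hour window
    for i in range(12):
        events.append((base + timedelta(hours=6 * i), "30003", "10.0.0.7", 52000 + i))
    # the same session hitting the same threat 12 times: one session, no alert
    for i in range(12):
        events.append((base + timedelta(minutes=i), "30004", "10.0.0.11", 53000))
    return events


def detect_repeated_threats(events, threshold=12, window=timedelta(hours=24)):
    """Sliding-window count of distinct sessions per (threat_id, source).
    Emits one alert per key the first time the distinct-session count inside
    `window` reaches `threshold`. Repeats within one session are not
    double-counted."""
    recent = defaultdict(deque)   # key -> deque of (time, session_id) still in window
    alerted = set()
    alerts = []
    for ts, threat_id, source, session_id in sorted(events):
        key = (threat_id, source)
        q = recent[key]
        q.append((ts, session_id))
        # Expire entries older than the window relative to the newest event
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {sid for _, sid in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "threat_id": threat_id,
                "source": source,
                "sessions": len(distinct),
                "first_seen": q[0][0],
                "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_threats(make_events()):
        print(alert)
```

Alerting once per key avoids a flood of identical notifications as the count keeps climbing; a production rule would also clear the `alerted` marker once the key drops back below threshold so that a later burst is reported again.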
