Hello. Via the Monitor page, I'm trying to build a log query to report on all threats regarded as critical within the last 24 hours that held/conducted a minimum of 12 (twelve) sessions. I've got the first two filtering parameters: my "critical" vulnerability sensitivity, and my time frame, i.e. the last 24 hours. However, I'm "stuck" with respect to setting the Minimum Number of Sessions criterion: I just cannot seem to figure out the appropriate filter. So I sure hope you all can provide me some help?
Hi. It is possible that a user may retrieve the same threat multiple times via the same TCP/UDP session. We offer the 'count' field to reflect the number of times we saw the threat. You can sort by 'count' to see the threat events in decreasing order, but we don't have a filter criterion for the count value. You could export the report and keep those events where the count is 12 or greater.
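The export-and-filter workaround above, written out as an added example (this is not code from the original thread or from Palo Alto Networks). It assumes a CSV export with columns named receive_time, severity, threatid and count; the real export may name these differently (for instance the repeat-count column), so the column names are parameters. The sample rows are constructed. Beyond the literal suggestion (keep rows with count >= 12), it also groups rows per threat ID within the window, which is closer to what the original question asked for: threats seen across many separate sessions rather than many hits within one session.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Timestamp layout as it appears in the constructed sample below (assumption).
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample of an exported threat log; column names are an assumption,
# not the firewall's actual export schema.
SAMPLE_EXPORT = """receive_time,severity,threatid,src,dst,count
2023/05/01 10:15:00,critical,Example Threat A(10001),10.0.0.5,10.0.1.20,15
2023/05/01 09:00:00,critical,Example Threat B(10002),10.0.0.6,10.0.1.21,3
2023/05/01 08:30:00,high,Example Threat A(10001),10.0.0.7,10.0.1.22,40
2023/04/29 08:30:00,critical,Example Threat C(10003),10.0.0.8,10.0.1.23,99
2023/05/01 07:00:00,critical,Example Threat A(10001),10.0.0.9,10.0.1.20,7
"""


def parse_export(csv_text, time_col="receive_time", count_col="count"):
    """Parse the exported CSV, converting the timestamp and count columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["_time"] = datetime.strptime(row[time_col], TIME_FORMAT)
        row["_count"] = int(row[count_col])
        rows.append(row)
    return rows


def in_window(rows, now, window=timedelta(hours=24)):
    """Keep only rows whose timestamp falls within [now - window, now]."""
    cutoff = now - window
    return [r for r in rows if cutoff <= r["_time"] <= now]


def filter_rows(rows, now, min_count=12, severity="critical",
                window=timedelta(hours=24)):
    """The literal workaround: critical rows in the window with count >= min_count."""
    return [r for r in in_window(rows, now, window)
            if r["severity"].lower() == severity and r["_count"] >= min_count]


def sessions_per_threat(rows, now, min_sessions=2, severity="critical",
                        window=timedelta(hours=24), threat_col="threatid"):
    """Group by threat ID: each exported row is one session in which the threat
    was seen, so the row count per threat approximates 'number of sessions',
    and the summed count column gives total hits. Threats below min_sessions
    are dropped (the 'one hit wonders')."""
    sessions = defaultdict(int)
    hits = defaultdict(int)
    for r in in_window(rows, now, window):
        if r["severity"].lower() != severity:
            continue
        sessions[r[threat_col]] += 1
        hits[r[threat_col]] += r["_count"]
    report = {t: {"sessions": n, "hits": hits[t]}
              for t, n in sessions.items() if n >= min_sessions}
    # Sort busiest threats first for the daily report.
    return dict(sorted(report.items(),
                       key=lambda kv: (kv[1]["sessions"], kv[1]["hits"]),
                       reverse=True))


if __name__ == "__main__":
    now = datetime(2023, 5, 1, 12, 0, 0)  # fixed "now" so the sample is reproducible
    rows = parse_export(SAMPLE_EXPORT)
    for r in filter_rows(rows, now):
        print("row:", r["threatid"], r["src"], "->", r["dst"], "count", r["_count"])
    for threat, stats in sessions_per_threat(rows, now).items():
        print("threat:", threat, stats)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and passing the actual column names to parse_export and sessions_per_threat; the per-threat view is the same threshold logic a SIEM correlation rule would apply continuously instead of once a day.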
As was said before, we do not have a filter criterion for getting the threats encountered in the last 24 hours that conducted a minimum of 12 sessions for a critical severity.
As far as I understand, the closest we can achieve in your case is to filter through the session ID and/or the threat ID and monitor that threat ID consistently.
To do that, please look at the attachment, capture-session-id.PNG.
Basically, what I'm requesting here are simply the 'fundamental components' for a daily threat report log. Surely this isn't the first time one of Palo Alto's customers has requested a means by which to filter out the hundreds, even thousands, of "one hit wonders" that regularly attempt to infiltrate their firewalls on a daily basis, in order to focus on the ones that are engaging in many repeated sessions (e.g., indicating a possible DoS, etc.)? That is, I can't be the first to request a filter criterion for the count value? Can I? Really?...
The ability to search through events and notify the admin when the events exceed a certain threshold is typically performed by a SIM/SIEM tool. We offer integration with SIM/SIEM vendors listed here:
If you would like to see this feature within the Palo Alto firewall, please submit a feature request to your local Palo Alto SE. Thanks.