Threat and Blocked Activity in ACC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

Palo Alto Networks dives into the next-generation firewall web interface to explain some features in the ACC tab to help you identify threat activity and blocked activity in your network. Find answers on LIVEcommunity.

 

 

The ACC has a wealth of information you can leverage to optimize your security posture.

 

This time, I'll go over the Threat Activity and Blocked Activity tabs in the ACC.

 

Firewall web interface - ACC Tab - Threat Activity and Blocked ActivityFirewall web interface - ACC Tab - Threat Activity and Blocked Activity

 

Inside the Threat Activity tab, you will find the following widgets selected by default:

  • Applications Using Non Standard Ports
  • Hosts Resolving Malicious Domains
  • Hosts Visiting Malicious URLs
  • Rules Allowing Apps On Non Standard Ports
  • Threat Activity
  • Wildfire Activity By File Type
  • Wildfire Activity By Application

Here's what that will look like on your screen:

View of Threat Activity widgets selected by defaultView of Threat Activity widgets selected by default

 

In the Blocked Activity tab, you will find the following widgets selected by default:

  • Blocked Application Activity
  • Blocked Content
  • Blocked Threats
  • Blocked User Activity
  • Security Policies Blocking Activity

View of Blocked Activity widgets selected by defaultView of Blocked Activity widgets selected by default

 

The very last tab you will notice a Plus (+) symbol. Clicking on this creates a new tab, which you can rename and customize to your liking with columns, the desired widget groups, and widgets respectively.

 

Blocked Activity View to Add a Custom WidgetBlocked Activity View to Add a Custom Widget

 

NOTE: Every widget has some useful options in the upper right corner.

View of widget optionsView of widget options

 

 

Let's go over four options so you can have a better idea of what each option offers.

 

Maximize & View More Data

  • Creates a popup window that fills the screen and does not display any graphs, only text. The option also expands the number of lines that are displayed. (You have two additional options in the upper right to Export CSV and Exit.)

Blocked Application Activity as textBlocked Application Activity as text

 

Set Local Filters

  • This popup window allows you to create a new filter for this widget. Select Apply to display the filter.

View of popup to set local filterView of popup to set local filter

 

Jump to Logs

  • Brings you directly to the logs associated with the widget. Threat Activity will bring you directly to the Threat Logs.

View of quick links to jump to a logView of quick links to jump to a log

 

Export

  • Popup window displays status as the widget data is exported to PDF.  

View of Export PDF status barView of Export PDF status bar

 

Below are the widget options you also have as graph options. These can vary depending on the data you're looking at, but, as an example, they can be:

  • Bar
  • Area
  • Column
  • Line
  • Treemap

View of graph optionsView of graph options

 

Now that you know what those options do, you can extract more information from the data being displayed.

While looking at a widget, you can click one of the options to display different data. Some widgets can be sorted by different data.

View of data displaying optionsView of data displaying options

 

If you click on a graph or on the text below, it will drill down and add that information to the local filter.

View of information drill-downView of information drill-down

 

To remove the filter, click the "X" to the left of the filter name. In the illustration above, it is Application[web-browsing].>

 

You also can add this to the global filter by clicking the "<-|" to the right of the filter.

 

You will also see the same symbol "<-|" when hovering over any text that is clickable. On any of the values displayed, a dropdown arrow  provides even more options as illustrated below:

View of dropdown menu buttonView of dropdown menu button

 

Depending on what data you are looking at, you will have different options. For example, if you hover over an application and select the dropdown, you will see the following:

View of dropdown menu optionsView of dropdown menu options

 

Global Find

  • Displays a Search window in the upper right corner of the web interface and displays search results based on your selection.

View of search windowView of search window

 

Value

  • Displays value information about the application.

View of application value informationView of application value information

 

If you are looking at IP-related data, you will have other options:

 

ip-options.jpg

 

Who Is

  • Pulls up a new browser window and shows the "Who Is" record of an IP.

whois.jpg

 

Search HIP Report

  • Allows you to search through the Host Information Profile on this IP to correlate the data with a possible GlobalProtect user.

 

Promote as Address

  • Will add the IP address to the Global Filter on the left pane and will change your graphs accordingly.

Filter.jpg

 

I hope this helps you understand the new ACC tab even better and helps you leverage this feature to find what you're looking for.

 

 

More ACC information can be found on the following links:

How To Use The Application Command Center (ACC) 

Tips & Tricks: ACC FAQ 

 

 

 

Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Kiwi out!

 

3 Comments
  • 12086 Views
  • 3 comments
  • 0 Likes
Register or Sign-in
Labels
Top Liked Authors