05-22-2023 02:15 PM
We have recently started ingesting PAN NGFW logs into XDR; however, they're generating a lot of incidents. For now I have excluded prevented/terminated events. Does anyone have any information on best practices or useful ways to use these?
05-23-2023 06:32 PM
Thank you for reaching out on LIVEcommunity!
I'm not sure there are best practices for NGFW logs available. Can you tell me a little more about your issue? I'm assuming the incidents have been investigated and determined to be false positives.
05-23-2023 06:39 PM
Thanks for the reply,
It may be the way the FW is configured, but currently all events are being sent to XDR, including URL filtering, HTTP traversal and suspicious DNS query events, which are all prevented/blocked/terminated/detected. I can see how these events may be useful in the context of an incident, but I'm wondering if there is any benefit from ingesting PAN NGFW events directly into XDR.
The result is an overwhelming number of incidents created. I'm just wondering what the best way to manage these is. Any suggestions would be appreciated.
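One way to apply the filtering the poster describes before events become incidents, as an added example that is not code from the thread, Palo Alto Networks or Cortex XDR: split NGFW events by firewall action, keep only traffic that actually passed for incident review, and collapse already-prevented events into per-source counts that are surfaced only when a host keeps tripping the firewall. The event field names, action values and sample records are assumptions constructed for the example.

```python
"""Triage PAN NGFW threat/URL events by firewall action before incident creation.

Assumptions (example code, not Cortex XDR's or PAN-OS's own logic):
- each event is a dict with 'type', 'subtype', 'action', 'src', 'dst', 'threat'
- actions the firewall already enforced in-line count as context, not incidents
- 'alert'/'allow' style actions mean the traffic went through and needs review
"""
from collections import Counter

# Actions meaning the firewall already stopped the traffic (assumed value set).
PREVENTED_ACTIONS = {"block", "block-url", "drop", "deny", "sinkhole",
                     "reset-client", "reset-server", "reset-both"}
# Actions meaning the traffic was permitted; these deserve analyst attention.
PASSED_ACTIONS = {"alert", "allow", "continue", "override"}

# Constructed sample events (not real firewall output), simplified field set.
SAMPLE_EVENTS = [
    {"type": "THREAT", "subtype": "url", "action": "block-url",
     "src": "10.0.1.5", "dst": "203.0.113.9", "threat": "malware-category"},
    {"type": "THREAT", "subtype": "vulnerability", "action": "reset-both",
     "src": "10.0.1.5", "dst": "203.0.113.9", "threat": "example-exploit-sig"},
    {"type": "THREAT", "subtype": "spyware", "action": "sinkhole",
     "src": "10.0.1.5", "dst": "198.51.100.2", "threat": "suspicious-dns-query"},
    {"type": "THREAT", "subtype": "url", "action": "block-url",
     "src": "10.0.2.7", "dst": "203.0.113.44", "threat": "phishing-category"},
    {"type": "THREAT", "subtype": "vulnerability", "action": "alert",
     "src": "10.0.2.7", "dst": "203.0.113.44", "threat": "example-exploit-sig"},
    {"type": "THREAT", "subtype": "url", "action": "allow",
     "src": "10.0.3.1", "dst": "192.0.2.10", "threat": "unknown-category"},
]


def classify(event):
    """Map an event to a triage bucket based on the firewall's own action."""
    action = event.get("action", "").lower()
    if action in PREVENTED_ACTIONS:
        return "prevented"
    if action in PASSED_ACTIONS:
        return "needs_review"
    return "unknown"  # unrecognised action values are kept, never silently dropped


def triage(events):
    """Partition events into prevented / needs_review / unknown buckets."""
    buckets = {"prevented": [], "needs_review": [], "unknown": []}
    for event in events:
        buckets[classify(event)].append(event)
    return buckets


def noisy_sources(prevented_events, threshold=3):
    """Sources with at least `threshold` prevented events: useful context, not one incident each."""
    counts = Counter(e["src"] for e in prevented_events)
    return {src: n for src, n in counts.items() if n >= threshold}
```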