PAN NGFW into XDR best practices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN NGFW into XDR best practices

L1 Bithead

Hi there, 

 

We have have recently started ingesting PAN NGFW logs into XDR, however they're generating a lot of incidents, for now I have excluded - prevented/terminated events, does anyone have any information on best practices, useful ways to use these?

2 REPLIES 2

L4 Transporter

Hi @PaulThomas00,

 

Thank you for reaching out on LIVEcommunity!

 

I'm not sure there's a best practices for NGFW logs available.  Can you tell me a little more about your issue?  I'm assuming the incidents have been investigated and determined to be false positive.

Thanks for the reply, 

It may be the way the FW is configured, but currently all events are being sent to XDR including URL filtering, http traversal, suspicous DNS query, which are all prevented/blocked/terminate/detected, I can see how these events maybe useful in context of an incident, but wondering if there is any benefit from ingesting PAN NGFW events directly into XDR?
The result is an overwhelming number of incidents created. Just wondering the best way to manage these. Any suggestions would be appreciated. 

  • 1214 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!