category malware with action allowed


L1 Bithead

Hi,

we use Splunk.

 

We tried the following search string: http_category=malware | timechart count BY vendor_action

 

We found that we get back the action "allowed" with the category "malware".

Is there a failure in the search? The action in our URL security profile for malware is block.

Is there someone with the same environment and the same results?

 

best regards

holger

4 REPLIES

Cyber Elite

@hnasshoven,

I think you'd really need to look at the logs on the firewall side of things in regards to these entries and actually see what's up. A snapshot of the query results doesn't present much data for troubleshooting. If you're blocking all malware sites I wouldn't expect to see any allow logs recorded, so something definitely seems odd at this point. 

@BPry that's my problem, the log files on the device don't catch the event anymore.

Hey @hnasshoven ,

Looking at the date of those logs, it has been almost a year, so depending on the volume of traffic your firewalls are processing, I am almost certain that the traffic log quota on the firewall is not able to keep traffic for such a long period. You can check your retention under the CLI with: > show system logdb-quota

 

"http_category" is a field for logs of type URL, and a URL log should be generated only when the URL matches a category with the action alert, block, or continue. The action allow will not generate a URL log entry.

 

It is also strange that in your graph you see the actions "deny" and "reset-both", which are not actions from URL-type logs.

So it looks like your query is returning a mixture of different log types, and I am wondering if some of them are not threat logs or something else.

 

As @BPry suggested, you need to look at the detailed logs to better understand what those are. If they are no longer present on the firewall, you need to query your Splunk and review the detailed or raw logs.

 

 

On the other hand... nothing in your query is filtering by vendor or by device. Are you sure the result is only from Palo Alto firewall logs? Are there any other security devices that are sending logs to your Splunk?
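The checks the reply above asks for, written out as Splunk searches. These are added here as an illustration and are not part of the thread. The field and sourcetype names follow the conventions of the Palo Alto Networks Add-on for Splunk (sourcetype pan:threat, log_subtype, vendor_action, http_category, dest_ip); the index name pan_logs and the destination IP are assumptions, so adjust them to your own environment and field extraction.

```spl
index=pan_logs http_category=malware
| stats count BY sourcetype log_subtype vendor_action

index=pan_logs sourcetype="pan:threat" log_subtype=url http_category=malware
| timechart count BY vendor_action

index=pan_logs sourcetype="pan:threat" dest_ip=72.5.65.111 earliest=-1y
| table _time sourcetype log_subtype http_category vendor_action _raw
```

The first search answers the mixture question directly: if rows appear with a sourcetype other than pan:threat, or with a log_subtype other than url, those are the events contributing the "deny", "reset-both" and "allow" actions, and they are not URL-filtering decisions. The second search is the original timechart with the filter the thread says is missing, restricted to Palo Alto URL-filtering logs only; with a block action configured for the malware category it should show no "allow" column. The third lists the raw events for one destination over a year so the category change for that IP can be traced without relying on the firewall's own log retention.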

 

 

 

We have a lot of devices sending log files to Splunk, but we differentiate the log files by source, and the source is 100% from Palo.

 

Fact is, the IP "72.5.65.111" changed on 07 Jul 21 from the hostname v10.events.data.microsoft.com to (PAN) category Malware on 14 Jul 21. I guess this alone is strange.

 

Is there a way to import log files to a Palo device (virtual/hardware)? Because we export our log files every day, I have the original log file.

 
