12-06-2024 09:57 AM
Hello,
Has anyone experienced a negative impact from having the "Log Container Page Only" feature checked/turned on?
I ask because of the warning, "If you enable the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection." Do you have examples of instances when the correlated URL log entries made it difficult to fully log/chase down other vulnerabilities?
For context, the company I work for has to comply with several government regulations (CMMC). If the "Log Container page only" option weakens our system security/validity, it may not be an option I can use. It would be great, however, to reduce the number of logs being produced because it would make observing user activity MUCH easier. Any advice is appreciated.
Thanks,
Angela
12-10-2024 08:46 PM
With "Log Container Page Only" unchecked, you can see exactly which sub-resource on a URL triggered alerts. For example, if a user visits a site like cnn.com, you might see a URL log flagged as high-risk or even a threat. You’d be able to pinpoint the specific resource and determine whether it was an ad, a tracking script, or embedded malicious JavaScript that caused the alert.
With "Log Container Page Only" checked, let's say you have an infected host in your environment and you're asked for root cause, so you start looking through logs. You see a bunch of alerts and threats to URLs, but you don't know what they clicked on or which sub-resource they interacted with on the page. Evidence of a website URL might suffice, but some orgs might need additional detail in determining root cause.
Whether to check or uncheck this setting really depends on the organization's needs and how deep you need to go into logs for your role. Reducing log volume is great for simplicity, but it can weaken your ability to chase down vulnerabilities or meet detailed compliance requirements. If your organization lacks additional security layers like a secure browser, proxy, or endpoint detection, you might consider leaving it unchecked to retain more visibility.
Hope this helps!
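To make the correlation gap Jay describes concrete, here is an added example (not from the original thread and not PAN-OS code) that joins threat events to URL-filtering entries by session ID. The records are constructed and the field names are simplified; they are not the PAN-OS syslog layout.

```python
"""Correlate threat events with URL-filtering log entries by session ID."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UrlEntry:
    session_id: int
    url: str
    container_page: bool  # True for the top-level page, False for a sub-resource


@dataclass(frozen=True)
class ThreatEntry:
    session_id: int
    threat: str
    url: str  # resource on which the threat was detected


# Constructed sample data (hypothetical, simplified fields): one session in
# which a sub-resource loaded by the container page triggered a threat signature.
FULL_URL_LOG = [
    UrlEntry(101, "news.example.com/", True),
    UrlEntry(101, "ads.example.net/track.js", False),
    UrlEntry(101, "cdn.example.org/widget.js", False),
]
# Same session with "Log Container Page Only" on: sub-resources are not logged.
CONTAINER_ONLY_URL_LOG = [e for e in FULL_URL_LOG if e.container_page]
THREAT_LOG = [ThreatEntry(101, "obfuscated-javascript (constructed)", "ads.example.net/track.js")]


def correlate(threat: ThreatEntry, url_log: List[UrlEntry]) -> Tuple[Optional[UrlEntry], bool]:
    """Return (url_entry, exact). exact=True when the triggering resource itself was
    logged; otherwise fall back to the session's container page (or None)."""
    same_session = [e for e in url_log if e.session_id == threat.session_id]
    for e in same_session:
        if e.url == threat.url:
            return e, True
    for e in same_session:
        if e.container_page:
            return e, False
    return None, False


def triage(threat_log: List[ThreatEntry], url_log: List[UrlEntry]) -> List[dict]:
    """Per threat: which URL entry it correlates to and whether it is pinpointed."""
    rows = []
    for t in threat_log:
        entry, exact = correlate(t, url_log)
        rows.append({"threat": t.threat, "matched_url": entry.url if entry else None, "pinpointed": exact})
    return rows
```

With the full URL log the threat resolves to the exact sub-resource; with container-only logging the best you can recover is the parent page, which is the loss of root-cause detail the warning refers to.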
12-11-2024 06:03 AM
Thanks, Jay! I figured it was something along those lines.
V/r,
Angela
12-11-2024 06:12 AM
Is it possible to create a separate URL Filtering Profile so that the main logs retain full information, but another group of logs is limited to the container pages? Our Palo Alto logs are fed into another software for simplified user monitoring. Sometimes the amount of data from Palo Alto makes it difficult or impossible to run reports for more than a week.