Monitor > Logs, Add Log Filter: Is there a Filtering Criterion Equiv.-To "# Of Sessions"


Not applicable

Hello.  Via the Monitor page, I'm trying to build a log query, to report upon all threats regarded as critical within the last 24 hours that held / conducted a minimum of 12 (twelve) sessions.  I've got the first 2 (two) filtering parameters - my "critical" vulnerability sensitivity; and my time frame eq. last 24 hours.  However I'm "stuck", with respect to setting the Minimum Number of Sessions criteria:  I just cannot seem to figure out the appropriate filter.  So I sure hope you all can provide me some help?


Accepted Solutions

The ability to search through events and notify the admin when the events exceed a certain threshold is typically performed by a SIM/SIEM tool.  We offer integration with SIM/SIEM vendors listed here:

https://live.paloaltonetworks.com/docs/DOC-1418

If you like to see this feature within the Palo Alto firewall, please submit a feature request to your local Palo Alto SE.  Thanks.


L6 Presenter

Hi... It is possible that a user may retrieve the same threat multiple times via the same tcp/udp session.  We offer the 'count' field to reflect the number of times we saw the threat.  You can sort by 'count' to see the threat events in decreasing order, but we don't have a filter criterion for the count value.  You could export the report and keep those events where the count is 12 or greater.

Thanks.
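The export-then-filter workaround suggested in this reply, as an added example that is not from the original thread or from Palo Alto Networks: a small script that reads an exported threat log (CSV), keeps only critical events received in the last 24 hours whose repeat count is 12 or greater, and sorts them by count. The sample rows and the column names (`receive_time`, `severity`, `threatid`, `src`, `dst`, `repeatcnt`) are constructed assumptions; match them to the headers of your own export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an exported threat log. Column names are assumptions
# modelled on a threat-log CSV export; adjust them to your own export's headers.
SAMPLE_CSV = """receive_time,severity,threatid,src,dst,repeatcnt
2024/05/01 09:15:02,critical,Example Exploit(40001),10.1.1.5,192.0.2.10,14
2024/05/01 10:02:44,critical,Example Exploit(40001),10.1.1.9,192.0.2.10,3
2024/05/01 11:30:00,high,Example Scan(30002),10.1.1.5,192.0.2.20,25
2024/04/28 08:00:00,critical,Example Exploit(40001),10.1.1.7,192.0.2.10,40
2024/05/01 12:45:10,critical,Example Worm(40007),10.1.1.11,192.0.2.30,12
"""

# Constructed "current time" so the 24-hour window is reproducible offline.
SAMPLE_NOW = datetime(2024, 5, 1, 13, 0, 0)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def filter_threats(csv_text, now, severity="critical", min_count=12,
                   window=timedelta(hours=24)):
    """Keep rows of the given severity, received within `window` before `now`,
    whose repeat count is at least `min_count`. Rows with a missing or
    malformed timestamp/count are skipped so one bad line cannot break the report."""
    cutoff = now - window
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            seen = datetime.strptime(row["receive_time"], TIME_FMT)
            count = int(row["repeatcnt"])
        except (KeyError, ValueError):
            continue
        if row.get("severity", "").lower() != severity:
            continue
        if not (cutoff <= seen <= now):
            continue
        if count < min_count:
            continue
        hits.append(row)
    return hits


def report(csv_text, now):
    """Matching rows, highest repeat count first (the order the console sorts by)."""
    return sorted(filter_threats(csv_text, now),
                  key=lambda r: int(r["repeatcnt"]), reverse=True)


if __name__ == "__main__":
    for r in report(SAMPLE_CSV, SAMPLE_NOW):
        print(r["receive_time"], r["severity"], r["threatid"], r["src"], r["repeatcnt"])
```

Note that `repeatcnt` is the per-event repeat count described in the reply above, not a session count, so the threshold approximates the "minimum number of sessions" the question asked for.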

L4 Transporter

Hi,

Like it was said before, we do not have the filter criteria for getting the threats encountered in the last 24 hours that conducted a minimum of 12 sessions for a critical severity.

As far as I understand, the closest we can achieve in your case is to filter through the session ID and/or the threat ID and monitor that threat ID consistently.

To do that, please look at the attachment, capture-session-id.PNG

Regards,

Parth


Not applicable

Basically what I'm requesting here are simply 'fundamental components' for a daily threat report log. Surely, this isn't the first time one of Palo Alto's customers has requested a means by which to filter out the hundreds, even thousands, of "one hit wonders" that regularly attempt to infiltrate their firewalls on a daily basis, in order to focus on the ones that are engaging in many-multiple, repeated sessions (e.g., indic. possible DoS, etcetera)?  That is, I can't be the 1st to request a filter criteria for the count value?  Can I?  Really?...

