I've really been enjoying the Palo Alto ability to update itself with threat prevention signatures almost instantly (depending on one's setup).
I've been checking the ACC more lately and have noticed the following:
I'll make some notes here:
1) This is only appearing for users who are using GlobalProtect to VPN into the corporate network.
2) The victim host is our SharePoint FE.
3) We currently have an issue where constant Event ID 1 are populated on the SharePoint FE due to a misconfigured Performance Point Service which (AFAIK) has been removed from every aspect of our SharePoint (we currently don't use scorecard, etc.).
4) I don't know if these two issues are related in some way.
So my question is as follows: is there any way I can get more details on each hit of this threat event? It'd be nice to click on the session and have it display each session and time the event occurred/got triggered. Since these events are being done by legit users while remoting in, I'm not majorly concerned, since I'm sure it has something to do with the complex inner SharePoint permission structure (even posting on TechNet, no one was able to tell me how to query any web parts that might be using Performance Point to track that event).
But even for future threat sessions it'd be nice to see when they occurred to help track who was doing what when, etc. Please and thanks!