Threat Prevention inspection


L2 Linker

Hey there,

I've really been enjoying the Palo Alto ability to update itself with threat prevention signatures almost instantly (depending on one's setup).

I've been checking the ACC more lately and have noticed the following:

I'll make some notes here:

1) This is only appearing for users who are using GlobalProtect to VPN into the corporate network.

2) The victim host is our SharePoint FE.

3) We currently have an issue where constant Event ID 1 events are populated on the SharePoint FE due to a misconfigured Performance Point Service which (AFAIK) has been removed from every aspect of our SharePoint (we currently don't use scorecard, etc.).

4) I don't know if these two issues are related in some way.

So my question is as follows: is there any way I can get more details on each hit of this threat event? It'd be nice to click on the session and have it display each session and the time the event occurred/got triggered. Since these events are being done by legit users while remoting in, I'm not majorly concerned, since I'm sure it has something to do with the complex inner SharePoint permission structure. (Even posting on TechNet, no one was able to tell me how to query any web parts that might be using Performance Point to track that event.)

But even for future threat sessions it'd be nice to see when they occurred to help track who was doing what when, etc. Please and thanks!


Accepted Solutions

L6 Presenter

Hi,

You have to filter and find these threats on Monitor/Threat logs, so each session detail is there. If it is not enough, you may open packet capture for the related security profile.


Thanks, That'll do panos.... That'll do
