Palo Alto Networks next-generation firewalls Threat prevention signatures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto Networks next-generation firewalls Threat prevention signatures

L1 Bithead

Hello.

 

Please currently i'm studying the Palo Alto Networks next-generation firewalls Threat prevention module, and 'm interested in the list of the available signatures (description, severity ranking, Threat type, ). I found that threat vault can give this informations : https://threatvault.paloaltonetworks.com/ but for that we need to provide the specific UTID (Unique Threat ID). 

Is there a way to get the list of all the available signatures for the Palo Alto Networks next-generation firewalls Threat prevention module ?

 

Waiting for the response, any help will be appreciated.

 

Have nice day,

Cordially. 

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

I dont think one exists, however if it did, there would be tens of thousands, most likely. Learn the best practices around threat prevention, like updating the dynamic updates and applying the profiles to policies, etc.

 

Regards,

L1 Bithead

Hello,

First of all thanks for the quick reply.

The reason behind my request is that i want to implement some alerts  on SIEM level for the most critical signatures of the Threat prevention module of the PALO ALTO  PAN-OS firewall. to be able to that i want to see the vailable signatures for this module.

 

Now based of the Threat Vault resource, is the information presented there is only for the "Palo Alto Networks next-generation firewalls Threat prevention signatures" or there is another solution (XDR, ...ect). and if it is the case maybe we can found the class ID for the signatures related to the Firewall threat prevention module!

 

Thanks in advance for the help,

 

Best regards,

Cyber Elite
Cyber Elite

Hello,

I gotcha. I kinda do a similar thing. However first with the threat signatures, I block anything that is medium or higher. Then on my SIEM, I have it only alert on Critical severity events.

 

Regards,

L1 Bithead

Hello,

 

That's great thanks for sharing, so your approach based only on the criticality understood, and did you encounter lot of events on the SIEM level ? just to have an idea about the number of alerts triggered!

 

For me i want at first took a look into the signatures, types, coverage, criticality... etc and after that take a decision if you have any source that can help that will be appreciated man ^^,

 

King regards,

 

Cyber Elite
Cyber Elite

Hello,

Well I think I have a special case, because most of all my services that are externally accessible are whitelisted. But for those that are not, I dont get many. You kinda just have to filter through the noise. Since every environment is different, I would say start with your internal zones first when it comes to alerting. It should be reasonable quiet. Then add the external stuff and just start to recognize the 'noise' rather than anything else.

Here are a few things I use to try to limit my external exposure footprint.

  • Whitelist countries that can connect to my external IP's
    • We only allow the US
  • Use the External Dynamic Lists to help block others
  • Make sure to use Applications instead of ports (sometimes not possible)
    • SSL instead of 443, etc
  • Enable Telemetry
    • This allows usage stats to be sent to Palo Alto so they can use their Machine learning to create new threat profies etc. This helps everyone out (kind of a way to giving back to the community)

The idea is to make is as difficult as possible for an adversary so they go after someone else. Also realize that most ways companies get compromised is from the inside, someone clicks a link or attachment, etc. so dont forget to secure that as well!

 

Hope this helps.

L1 Bithead

Hello,

 

Thank you very much for taking the time to answer and also for the valuable informations that you shared with us 😉,

 

Yes, this really helpful man,

 

Best regards,

Cyber Elite
Cyber Elite

Anytime! Please dont hesitate to ask additional questions, etc.

  • 1501 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!