03-17-2023 09:24 AM
Currently I'm studying the Palo Alto Networks next-generation firewalls Threat Prevention module, and I'm interested in the list of the available signatures (description, severity ranking, threat type, etc.). I found that Threat Vault can give this information: https://threatvault.paloaltonetworks.com/ but for that we need to provide the specific UTID (Unique Threat ID).
Is there a way to get the list of all the available signatures for the Palo Alto Networks next-generation firewalls Threat Prevention module?
Waiting for the response; any help will be appreciated.
Have a nice day,
03-17-2023 09:48 AM
I don't think one exists; however, if it did, there would be tens of thousands, most likely. Learn the best practices around Threat Prevention, like updating the dynamic updates and applying the profiles to policies, etc.
03-17-2023 10:19 AM - edited 03-17-2023 10:19 AM
First of all thanks for the quick reply.
The reason behind my request is that I want to implement some alerts at the SIEM level for the most critical signatures of the Threat Prevention module of the Palo Alto PAN-OS firewall. To be able to do that I want to see the available signatures for this module.
Now, based on the Threat Vault resource, is the information presented there only for the "Palo Alto Networks next-generation firewalls Threat Prevention signatures", or is there another solution (XDR, etc.)? And if that is the case, maybe we can find the class ID for the signatures related to the firewall Threat Prevention module!
Thanks in advance for the help,
03-17-2023 10:25 AM
I gotcha. I kinda do a similar thing. However, first with the threat signatures, I block anything that is medium or higher. Then on my SIEM, I have it only alert on Critical severity events.
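The SIEM-side half of that approach, as an added example that is not from the poster or from Palo Alto Networks: parse THREAT rows out of PAN-OS CSV syslog, split the UTID out of the "Threat Name(ID)" field, and keep only events at or above a severity floor. The column positions and the sample rows are assumptions (constructed data with placeholder UTIDs), so check the indices against the log-field reference for your PAN-OS version.

```python
import csv
import re
from io import StringIO

# Column positions assumed for the PAN-OS THREAT log CSV syslog layout (0-based);
# confirm them against the log-field reference for your PAN-OS version.
COL = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11,
       "action": 30, "threat": 31, "category": 32, "severity": 33}
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
THREAT_RE = re.compile(r"^(?P<name>.*)\((?P<id>\d+)\)$")  # "Threat Name(UTID)"

def _row(**fields):
    """One constructed 35-column THREAT row (demo data, placeholder UTIDs)."""
    row = [""] * 35
    for key, value in fields.items():
        row[COL[key]] = value
    return row

def build_sample_log():
    """Constructed sample: two THREAT rows and one TRAFFIC row that must be ignored."""
    buf = StringIO()
    w = csv.writer(buf)
    w.writerow(_row(type="THREAT", subtype="vulnerability", src="203.0.113.7", dst="10.0.0.5",
                    rule="inbound-web", action="reset-both", category="code-execution",
                    threat="Example SMB Remote Code Execution Vulnerability(999001)", severity="critical"))
    w.writerow(_row(type="THREAT", subtype="spyware", src="10.0.0.21", dst="198.51.100.9",
                    rule="outbound-any", action="drop", category="command-and-control",
                    threat="Example Generic Beacon Traffic(999002)", severity="medium"))
    w.writerow(["", "", "", "TRAFFIC", "end"])
    return buf.getvalue()

def parse_threat_log(text):
    """Return dicts for THREAT rows only, with the UTID split out of the threat field."""
    out = []
    for row in csv.reader(StringIO(text)):
        if len(row) <= COL["severity"] or row[COL["type"]] != "THREAT":
            continue  # short rows and other log types (TRAFFIC, SYSTEM, ...) are skipped
        rec = {name: row[idx] for name, idx in COL.items()}
        m = THREAT_RE.match(rec["threat"])
        rec["utid"] = m.group("id") if m else None
        rec["threat_name"] = m.group("name") if m else rec["threat"]
        out.append(rec)
    return out

def select_alerts(records, min_severity="critical"):
    """SIEM-side rule from the thread: keep only events at or above a severity floor."""
    floor = SEVERITY_RANK[min_severity.lower()]
    return [r for r in records if SEVERITY_RANK.get(r["severity"].lower(), -1) >= floor]
```

Lowering `min_severity` to "medium" is the quickest way to measure how much noise the firewall's block-at-medium policy would forward before you commit to a SIEM rule.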
03-17-2023 10:57 AM
That's great, thanks for sharing. So your approach is based only on the criticality, understood. And did you encounter a lot of events at the SIEM level? Just to have an idea about the number of alerts triggered!
For me, I want at first to take a look into the signatures, types, coverage, criticality, etc. and after that take a decision. If you have any source that can help, that will be appreciated man ^^,
03-17-2023 11:28 AM
Well, I think I have a special case, because most of my services that are externally accessible are whitelisted. But for those that are not, I don't get many. You kinda just have to filter through the noise. Since every environment is different, I would say start with your internal zones first when it comes to alerting. It should be reasonably quiet. Then add the external stuff and just start to recognize the 'noise' rather than anything else.
Here are a few things I use to try to limit my external exposure footprint.
The idea is to make it as difficult as possible for an adversary so they go after someone else. Also realize that most ways companies get compromised are from the inside: someone clicks a link or attachment, etc., so don't forget to secure that as well!
Hope this helps.
03-20-2023 06:00 AM
Anytime! Please don't hesitate to ask additional questions, etc.