IDS Alerts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IDS Alerts

L2 Linker

Hi,

I have been by auditors to submit IDS log alerts from Panorama, i know the best practice is to use Microsoft Sentinel. Has anyone done directly using Panorama and which severity is selected to minimize impact on the smtp server.

1 REPLY 1

Cyber Elite

Hello @MP-Firewall

 

thanks for posting!

 

You asked a broad question. I will try to break it down.

 

- I went through audits myself and what I took out of it in general auditors do not care from where data/reports come from as long as it provides enough proof. Under assumption that all your Firewalls are sending logs to Panorama, you can leverage Panorama's out of the box reports to start with. You can generate them from Panorama by navigating to: MONITOR > Reports > Threat Reports. There you will find many out of box reports. Auditors are likely going to ask something more specific or customed to your environment. This is where you can use custom reports under MONITOR > Manage Custom Reports. I have seen cases where auditors ask for detailed log samples. You will find them under: MONITOR > Logs > Threat. In all of these cases you reply on Panorama internal storage to give you enough retention to provide logs or generate reports. Here is a KB for reference with instructions to run predefined reports: Tips & Tricks: Scheduled predefined reports. In the case auditors asked you to provide reports / logs beyond Panorama retention period, you will have to rely on external logging / SIEM.

- You already mentioned Microsoft Sentinel in your post. Unless you are already using Sentinel in your environment, I would not necessarily focused only on this SIEM. Based on my experience auditors are not after what SIEM you are using, but what data you can provide them. If you plan to send logs from Panorama to Sentinel, make sure your table is set to retention that is long enough to fulfill audit requirements. Sentinel offers cost effective solution with Data Lake tier that allows long retention with relatively low cost at the expense of losing some of the capabilities offered in Analytics tier.

- You mentioned in your post SMTP server. If you plan to send either logs or reports by email you can refer to this KB for more details: What more can my firewall do? Forward log files and reports. When it comes to Threat logs, I would at least exclude informational severity and preferably low severity as well. This will help to reduce noise in logs / reports and loading on SMTP server to process sheer volume of traffic. From medium severity it is where interesting detections come in. Medium and higher severity includes events related to SCAN, RCE, Brute Forcing, etc.

- Lastly, you did not mentioned what specific audit you are going through or what the scope or compliance is. When it comes to Threat logs Firewall can detect/block only what it can see. If you do not have decryption configured, then your Threat logs will not show much. To auditors it might look like your environment does not have any attacks while in reality Firewall is not able to detect it.

 

Kind Regards

Pavel    

Help the community: Like helpful comments and mark solutions.
  • 32 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!