- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-20-2024 12:21 AM - edited 11-20-2024 12:21 AM
As mentioned in New Features in Prisma Access 3.2 | Palo Alto Networks now Prisma Access should be able to even automatically block or lock bad users with UBA that do too many violations but there is no more info about this feature anywhere 🤔
I know that with XSOAR you can make a playbook based on the number of threat logs generated for a given time to block bad source ip or user but what about without it?
Also auto tagging is not an option as you can't say if 10 threat logs are seen for 1 minute from a user add tag and making a custom brute force signature that is triggered based of the number of requests ( https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevent... ) is not for this as this will work only if the attacker does the same attack over and over again.
11-20-2024 02:42 AM
Hello @Robert344Humphries ,
Thanks for the reply, so "You can configure auto-tagging to tag users or IP addresses based on specific criteria, such as the number of threat logs generated within a certain timeframe." you mean that this functionality is in Prisma Access the latest version as before on the NGFW, where you could have matched on a single log entry but not the number of log entries for a period of time ?
As shown in the below link what should the filter criteria look like to match couple of times (for example if there are 10 logs in 5 minutes) the threat log by source ip or user id?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!