Where is Prisma Access User Behavior Analytics (UBA) configured?

As mentioned in New Features in Prisma Access 3.2 | Palo Alto Networks, Prisma Access should now even be able to automatically block or lock bad users with UBA that commit too many violations, but there is no more info about this feature anywhere 🤔

I know that with XSOAR you can make a playbook that blocks a bad source IP or user based on the number of threat logs generated in a given time, but what about without it?

Also, auto-tagging is not an option, as you can't say "if 10 threat logs are seen in 1 minute from a user, add a tag", and making a custom brute-force signature that is triggered based on the number of requests ( https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevent... ) is not for this, as it will only work if the attacker does the same attack over and over again.

2 REPLIES

Hello!

It seems like you're trying to figure out how to block or lock users with excessive violations in Prisma Access 3.2 using User Behavior Analytics (UBA) without relying on XSOAR. While the documentation might not provide detailed information on this specific feature, you can still achieve this by setting up custom rules and actions.

You can configure auto-tagging to tag users or IP addresses based on specific criteria, such as the number of threat logs generated within a certain timeframe. Once tagged, you can create dynamic user groups or address groups that automatically include these users or IPs. Then, you can enforce security policies based on these groups to block or lock them.

Hello @Robert344Humphries,

Thanks for the reply. So with "You can configure auto-tagging to tag users or IP addresses based on specific criteria, such as the number of threat logs generated within a certain timeframe." you mean that this functionality exists in the latest version of Prisma Access, as before, on the NGFW, you could match on a single log entry but not on the number of log entries over a period of time?

As shown in the link below, what should the filter criteria look like to match multiple times (for example, 10 logs in 5 minutes) on the threat log by source IP or user ID?

https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/auto-tag-a...
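The count-over-a-window check the thread is asking for (for example 10 threat logs from one user or source IP inside 5 minutes), as an added example written for this discussion rather than code from Palo Alto Networks or either poster. It assumes a CSV-style threat log extract with the constructed columns receive_time, src_ip, src_user, threat_name, and it only returns the sources that crossed the threshold; it does not call any Prisma Access or PAN-OS API.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample threat log extract (not real traffic), one entry per line:
# receive_time,src_ip,src_user,threat_name
SAMPLE_THREAT_LOGS = """\
2024/05/01 10:00:05,10.1.1.5,alice,SQL Injection Attempt
2024/05/01 10:00:40,10.1.1.5,alice,Directory Traversal
2024/05/01 10:01:10,10.1.1.9,bob,Directory Traversal
2024/05/01 10:01:15,10.1.1.5,alice,SQL Injection Attempt
2024/05/01 10:01:50,10.1.1.5,alice,Command Injection
2024/05/01 10:02:05,10.1.1.5,alice,SQL Injection Attempt
2024/05/01 10:02:30,10.1.1.5,alice,Directory Traversal
2024/05/01 10:03:00,10.1.1.5,alice,Command Injection
2024/05/01 10:03:20,10.1.1.5,alice,SQL Injection Attempt
2024/05/01 10:03:45,10.1.1.5,alice,Directory Traversal
2024/05/01 10:04:10,10.1.1.5,alice,Command Injection
2024/05/01 10:06:30,10.1.1.9,bob,SQL Injection Attempt
"""

def parse_threat_log(text):
    """Parse the CSV-style extract into (time, src_ip, src_user, threat) tuples."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, src_ip, src_user, threat = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), src_ip, src_user, threat))
    return events

def find_repeat_offenders(events, threshold=10, window=timedelta(minutes=5), key="src_user"):
    """Return {source: time_threshold_crossed} for every source (user or IP) that
    produced at least `threshold` threat log entries inside any sliding `window`.
    A per-source deque keeps only the timestamps still inside the window."""
    idx = {"src_ip": 1, "src_user": 2}[key]
    recent = defaultdict(deque)
    flagged = {}
    for event in sorted(events, key=lambda e: e[0]):
        ts, source = event[0], event[idx]
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and source not in flagged:
            flagged[source] = ts  # first moment the threshold was crossed
    return flagged

if __name__ == "__main__":
    for source, when in find_repeat_offenders(parse_threat_log(SAMPLE_THREAT_LOGS)).items():
        print(f"tag candidate: {source} reached 10 threat logs within 5 min at {when}")
```

The `key` argument switches between counting per user and per source IP, and the window expiry is what keeps slow, spread-out events (bob's two entries here) from ever reaching the threshold.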
