How about dynamic IP tagging based on info from threat logs?

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions.html

In a nutshell, you have a log forwarding profile that hits on whatever threats you want (medium and higher, etc.), and it can do several things: forward to syslog/Panorama/datalake, send the admin an email alert, send an SNMP trap, tag the IP. You then make an address group based on this tag and create a security rule that blocks this traffic, sends to an alert page, etc. The duration of the block is determined in the log fwd profile.