Panorama Administrator's Guide: Monitor Network Activity
Use Case: Respond to an Incident Using Panorama
Network threats arrive through many vectors, including malware and spyware infections from drive-by
downloads, phishing attacks, unpatched servers, and opportunistic or targeted denial of service (DoS) attacks, to
name a few. Responding to a network attack or infection requires processes and systems that alert the
administrator to the event and preserve the forensic evidence needed to trace its source and the methods used
to launch it.
The advantage that Panorama provides is a centralized, consolidated view of the patterns and logs collected
from the managed firewalls across your network. You can use the correlated attack information, alone or
together with the reports and logs generated by a Security Information and Event Management (SIEM) system, to
investigate how an attack was triggered, how to prevent future attacks, and how to limit damage to your network.
The questions that this use case probes are:
How are you notified of an incident?
How do you corroborate that the incident is not a false positive?
What is your immediate course of action?
How do you use the available information to reconstruct the sequence of events that preceded or followed
the triggering event?
What are the changes you need to consider for securing your network?
This use case traces a specific incident and shows how the visibility tools on Panorama can help you respond to
the report.
Incident Notification
Review Threat Logs
Review WildFire Logs
Review Data Filtering Logs
Update Security Policies
Incident Notification
There are several ways you could be alerted to an incident, depending on how you have configured the Palo
Alto Networks firewalls and which third-party tools are available for further analysis. You might receive an email
notification triggered by a log entry recorded on Panorama or on your syslog server, you might be informed
through a specialized report generated by your SIEM solution, or a paid third-party service or agency might
notify you. For this example, say that you receive an email notification from Panorama. The email informs you
of an event triggered by an alert for
ZeroAccess.Gen Command And Control Traffic
that matched a spyware signature. The email also lists the source and destination IP addresses for the session,
the threat ID, and the timestamp of when the event was logged.
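The notification described above is driven by threat log entries. The following script is an added example and is not part of the Panorama guide: it parses a few constructed PAN-OS-style threat log lines, selects the spyware matches that would trigger the alert, assembles the fields the email carries (source and destination IP, threat ID, timestamp), and summarises hits per source host as a first check against a false positive. The column layout, serial number, IP addresses and the numeric threat IDs are assumptions for illustration; the real syslog field order is version-specific and must be checked against the PAN-OS documentation before running anything like this against production logs.

```python
"""Build Panorama-style incident notification fields from threat log lines.

Added example, not code from the Panorama guide. COLUMNS is a simplified,
assumed subset of the PAN-OS threat log CSV format; the real format has more
fields and a version-specific order.
"""
import csv
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed column layout for this example (see module docstring).
COLUMNS = ["receive_time", "serial", "type", "subtype", "src_ip", "dst_ip",
           "rule", "app", "session_id", "repeat_count", "action", "threat",
           "severity", "direction"]

# PAN-OS writes the threat column as "<signature name>(<threat id>)".
THREAT_RE = re.compile(r"^(?P<name>.+)\((?P<id>\d+)\)$")

SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed sample log lines. Serial, IPs (RFC 5737 ranges) and the
# numeric threat IDs are placeholders. The TRAFFIC line is deliberately
# a different record type and must be ignored by the parser.
SAMPLE_LOG = """\
2014/03/05 10:22:41,0001A100000,THREAT,spyware,192.0.2.15,198.51.100.7,allow-outbound,unknown-udp,4421,3,alert,ZeroAccess.Gen Command And Control Traffic(90001),critical,client-to-server
2014/03/05 10:23:10,0001A100000,THREAT,spyware,192.0.2.15,198.51.100.9,allow-outbound,unknown-udp,4430,2,alert,ZeroAccess.Gen Command And Control Traffic(90001),critical,client-to-server
2014/03/05 10:24:02,0001A100000,THREAT,vulnerability,192.0.2.88,203.0.113.4,allow-outbound,web-browsing,4502,1,alert,Example Test Signature(90002),medium,client-to-server
2014/03/05 10:24:30,0001A100000,TRAFFIC,end,192.0.2.15,198.51.100.7,allow-outbound,unknown-udp,4421,allow
2014/03/05 10:25:55,0001A100000,THREAT,spyware,192.0.2.42,198.51.100.7,allow-outbound,unknown-udp,4518,1,alert,ZeroAccess.Gen Command And Control Traffic(90001),critical,client-to-server
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    threat_id: int
    threat_name: str
    severity: str
    repeat_count: int


def parse_threat_log(text):
    """Parse CSV lines into dicts keyed by COLUMNS.

    Lines with a different field count or a non-THREAT type are skipped
    rather than guessed at, so a mis-aligned record never becomes an alert.
    """
    rows = []
    for rec in csv.reader(text.strip().splitlines()):
        if len(rec) != len(COLUMNS) or rec[2] != "THREAT":
            continue
        rows.append(dict(zip(COLUMNS, rec)))
    return rows


def alerts_for(rows, subtype="spyware", min_severity="high"):
    """Keep rows that would trigger the notification: matching subtype,
    severity at or above min_severity, and a well-formed threat column."""
    floor = SEVERITY_ORDER.index(min_severity)
    alerts = []
    for row in rows:
        if row["subtype"] != subtype:
            continue
        sev = row["severity"]
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) < floor:
            continue
        m = THREAT_RE.match(row["threat"])
        if not m:
            continue
        alerts.append(Alert(row["receive_time"], row["src_ip"], row["dst_ip"],
                            int(m["id"]), m["name"].strip(), sev,
                            int(row["repeat_count"])))
    return alerts


def triage(alerts):
    """Per source host: number of log entries, distinct destinations and
    total repeat count. A single hit to one destination is weak evidence;
    repeated hits to several C2 destinations are hard to dismiss as a
    false positive."""
    hosts = defaultdict(lambda: {"hits": 0, "destinations": set(), "repeats": 0})
    for a in alerts:
        h = hosts[a.src_ip]
        h["hits"] += 1
        h["destinations"].add(a.dst_ip)
        h["repeats"] += a.repeat_count
    return {ip: {"hits": h["hits"], "distinct_dst": len(h["destinations"]),
                 "repeats": h["repeats"]} for ip, h in hosts.items()}


def notification_body(alert):
    """The fields the guide says the email carries: source, destination,
    threat ID and timestamp, plus the signature name and severity."""
    return (f"Threat alert: {alert.threat_name} (threat ID {alert.threat_id})\n"
            f"Severity: {alert.severity}\n"
            f"Source: {alert.src_ip}  Destination: {alert.dst_ip}\n"
            f"Logged: {alert.timestamp}")


if __name__ == "__main__":
    found = alerts_for(parse_threat_log(SAMPLE_LOG))
    for a in found:
        print(notification_body(a), "\n")
    print(triage(found))
```

Run as a script it prints one notification per spyware match and a per-host summary; in the constructed data 192.0.2.15 has two entries to two different C2 destinations with a combined repeat count of five, which is the pattern worth escalating first, while 192.0.2.42 has a single hit that still needs corroboration from the threat and WildFire logs.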
Copyright © 2007-2014 Palo Alto Networks