Active Dashboards
The Active dashboards show activity observed by Palo Alto Networks devices. The dashboards cover SaaS, file, web, IoT, and GlobalProtect activity.
User Behavior
Dashboard can be filtered by Serial Number, Virtual System (Vsys), User, Log Subtype, Source IP, Destination IP, Hostname, Application, and Web Category.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Traffic Events | Total number of traffic events; counts the number of sessions ended. Click the panel to navigate to the File Activity Dashboard. |
File Events | Total number of file events; counts the number of threat-log events with subtype `file`. Click the panel to navigate to the File Activity Dashboard. |
URL Events | Total number of URL events; counts the number of threat-log events with subtype `url`. Click the panel to navigate to the Web Activity Dashboard. |
SaaS Events | Total number of SaaS events; counts the number of events whose application is labeled as SaaS. SaaS applications are labeled using `app_list.csv`. Click the panel to navigate to the SaaS Activity Dashboard. |
Top Hostnames | Displays the most common hostnames in URL events. |
Top Web Categories | Displays the most common web categories in URL events. |
Top Applications | Displays the most common applications in URL events. |
Files Blocked | Displays the user, application, and file name of blocked files in URL events. |
Applications Not Using Default Port | Displays traffic events where the application's default port and the destination port are not the same. |
Rare Applications | Displays the least common applications in traffic events. |
SaaS Activity
Dashboard can be filtered by Source IP, Destination IP, Serial Number, Vsys, Source User, Application, Category, and Action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
SaaS Applications | Displays the unique count of SaaS applications. |
Users | Displays the unique count of users using SaaS applications. |
Megabytes | Displays the number of bytes in and out used by SaaS applications. |
SaaS Usage | Count of application activity over time. |
SaaS Actions | Count of actions over time. |
SaaS Distribution | Displays a sparkline of the sum of bytes by application, category, and subcategory. |
SaaS Statistics | Displays the count of users, megabytes, and sessions by sanctioned and non-sanctioned SaaS. |
Sanctioned SaaS Applications | Displays the count and percentage of sanctioned SaaS applications found in logs. Select an application to filter the dashboard. |
Non-Sanctioned SaaS Applications | Displays the count and percentage of non-sanctioned SaaS applications found in logs. Select an application to filter the dashboard. |
% SaaS Distribution | Displays the percentage of non-sanctioned vs. sanctioned activity. |
Top File Sharing SaaS Apps | Most common file-sharing SaaS applications based on activity. Click an application to filter the dashboard. |
Top Categories - Sanctioned | Most common categories for sanctioned SaaS applications. Click a subcategory to filter the dashboard. |
Top Categories - Non-Sanctioned | Most common categories for non-sanctioned SaaS applications. Click a subcategory to filter the dashboard. |
File Activity
Dashboard can be filtered by log subtype, serial number, virtual system, source IP, destination IP, application, and direction.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Blocked | Displays the count of blocked files. |
Allowed | Displays the count of allowed files. |
Total | Displays the total count of files in logs. |
File Actions Over Time | Displays the count of file actions (blocked, allowed) over time. |
Bytes Transferred Over Time | Displays the count of bytes in and out over time. |
File Direction | Displays the percentage of file direction (server-to-client, client-to-server). |
Top Zone File Activity | Displays the most common source/destination zones found in logs. |
Top Apps | Displays the applications with the highest activity. |
File Activity | Displays the files with the highest activity. |
Web Activity
Dashboard can be filtered by serial number, virtual system, source IP, destination hostname, user, application, category, content type, and action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel, filtering events under URL logs.
Panel | Description |
---|---|
Web Destinations | Displays the count of destination names by application and category. |
Categories | Displays the count of activity by category. Click a category to filter the dashboard. |
Applications | Displays the count of activity by application. Click a category to filter the dashboard. |
Content Type | Displays the count of activity by content type. Click a content type to filter the dashboard. |
Requests Over Time By Action | Displays the count of URL requests over time, split by action. |
Methods Over Time | Displays the count of requests by HTTP method over time. |
Hostnames Block-Continue | Displays hostnames with action `block-continue`. Click a hostname to filter the dashboard. |
Top Referrers | Displays the most common destination names that are not set to `http_referrer_name`. |
Top File Downloads | Displays the most common file downloads. |
Decrypted Traffic | Displays source IP, user, destination name, category, and application for events with the `decrypted` flag set. |
IoT Activity
Dashboard uses logs with `sourcetype=pan:iot_device`.
Panel | Description |
---|---|
Monitored Devices | Distinct count of devices. |
IoT Devices | Distinct count of devices with `profile_type` "IoT". |
Applications | Distinct count of applications. |
Subnets | Distinct count of subnets. |
Devices by Profile Vertical | Count of devices by the `profile_vertical` field. |
Devices by Profile Vertical | Distinct count of devices, profiles, and categories. |
New Devices Seen in the Last 24 Hours | Displays devices whose earliest event was seen in the last 24 hours. |
GlobalProtect
Dashboard can be filtered by serial number, virtual system, source IP, user, and Portal/Gateway.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
Panel | Description |
---|---|
Connection Events | Displays login and logout events that share the same event ID. |
Events by User | Displays GlobalProtect activity by user. |
Events by Source IP | Displays GlobalProtect activity by source IP. |
Failed Login by User | Displays logins with `action=failed`, by user. |
Connected by User | Displays the top 20 users with `log_subtype="connected"`. |
Total Users Logged In | Total number of users with login events. |
Users Logged In | Displays users with `log_subtype="connected"`, or with `log_subtype="logout"` where the latest event is `"gateway-connected"`. |
User Location by Source IP | Displays user location derived from the source IP. |