Threats Dashboards¶
The Threats dashboards show threat and incident logs from Palo Alto. Dashboards contain information on Cortex XDR, Malware, and Network, SaaS, IoT, and Email Security.
Cortex XDR Incidents¶
Dashboard can be filtered by incident ID, severity, and status.
Dashboard uses sourcetype pan:xdr_incident
| Panel | Description |
|---|---|
| Unique Incidents | Displays total number of unique incident IDs. |
| New Incidents | Displays total number of unique incident IDs with status of new |
| Starred Incidents | Displays total number of unique incident IDs with starred set to true |
| Incident Severity Over Time | Displays time chart of count of incident IDs by levels of severity |
| Incidents by Status | Displays percentage of incident statuses. Options are new, under_investigation, resolved_known_issue, resolved_false_positive, resolved_true_positive resolved_security_testing, resolved_other, resolved_auto. |
| Incidents by Assignee | Displays percentage of user assigned to incidents. Displays full name of user, if no name is found, UNASSIGNED is used. |
| Starred Incident Feed | Displays table with information of starred Incident IDs. Click Open in XDR to navigate to the incident in XDR. |
| Incident Feed | Displays table with information of all Incident IDs. Click Open in XDR to navigate to the incident in XDR. |
Malware¶
Dashboard can be filtered by log subtype, serial number, virtual system, source ip, destination ip, filename, user, severity, application, and action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
| Panel | Description |
|---|---|
| Top Domains Serving Malware | Displays most common destination name and IP |
| Malware Events by Product | Displays percentage of products |
| Malware Events by Action | Displays percentage of actions taken from malware events |
| Malware Delivery and Installation | Displays information on logs with log_subtype virus or wildfire-virus |
| Command and Control Traffic | Displays information on logs with log_subtype spyware |
Network Security¶
Dashboard can be filtered by log subtype, serial number, virtual system, source ip, destination ip, threat, severity, and application.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
| Panel | Description |
|---|---|
| Top Correlation Events | Displays count of Threat events under log subtype correlation |
| Top 20 Vulnerability Events | Displays 20 most common threats under log subtype vulnerability |
| Top 20 Virus and Malware Events | Displays 20 most common virus and malware events under log subtype virus |
| DNS Sinkhole | Displays information on DNS sinkhole events. Searches for vendor action sinkhole |
| Top 10 Apps With Threats By Severity | Displays chart of total count of app events by severity. |
| Threats By Source Location | Displays map of client IP locations related to threat events. |
SaaS Security¶
Dashboard can be filtered by serial number, virtual system, client IP, destination IP, source user, application, and action.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel.
| Panel | Description |
|---|---|
| Blocked | Displays count of block files events. |
| Security Events | Displays total count of SaaS events. |
| Allowed | Displays count of allowed file events. |
| Malicious SaaS Files | Displays information on malicious files found with category malware or malicious in logs. |
| SaaS Apps Over Time | Displays time chart of total count of SaaS app events. |
| SaaS Threats by Type | Displays time chart of total count of SaaS threat events by log subtype. |
IoT Security¶
Dashboard can be filtered by rick level, name, and vulnerability CVE.
Dashboard uses sourcetypes pan:iot_alert and pan:iot_vulnerability
| Panel | Description |
|---|---|
| Active Alerts | Total number of unique alert IDs |
| Vulnerabilities | Total number of unique ticket IDs |
| Alerts | Displays time chart of count of alerts by device category to which the alert belongs to. |
| Category | Displays table of device categories found in logs. |
| Vulnerabilities | Displays information on vulnerabilities. Click Details to navigate to the vulnerability in Palo Alto. |
Email Security¶
Dashboard can be filtered by serial number, virtual system, client IP, destination IP, source user, application.
Dashboard uses the Palo Alto Networks Firewall Logs datamodel, searching for subcategory email
| Panel | Description |
|---|---|
| Inbound SMTP Emails per Minute | Display number of smtp inbound emails per minute. |
| Email Threats Per Minute | Display number of email events in sourcetype pan:threat per minute. |
| Outbound SMTP Emails per Minute | Display number of smtp outbound emails per minute. |
| Threats By Source Location | Display count of threats by client IP. Displays map using geo location of client IP. |
| Email Apps With Threats By Severity | Displays 10 most common email apps found in logs by severity. |
| Top Email Threats Source | Displays information on email threats sorted by count. |
| Large Email Senders | Displays information on bytes out, user, sender, and IP address of email. |