Difference between revisions of "KHIKA App for PaloAlto Firewall"

Revision as of 12:32, 19 June 2019

Introduction

Most network devices, such as firewalls, switches, routers and web proxies, send traffic and user-activity information in the form of logs over the syslog protocol. Some applications, such as Oracle database server, Symantec antivirus server and EMC SAN storage, also support syslog, because it is efficient and simple to integrate with. KHIKA Data Aggregator is pre-configured with a syslog service on port 514. The key steps are:

  1. Enabling syslog forwarding on the device
  2. Installing the KHIKA App for PaloAlto Firewall
  3. Getting data from your PaloAlto Firewall into the KHIKA Aggregator

Enabling Syslog forwarding on the device

For help enabling syslog forwarding on the device, see "Getting Data into KHIKA", section "Enabling syslog forwarding on the device".

How to Install the KHIKA App for PaloAlto Firewall?

It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read how to configure the KHIKA Data Aggregator ("Getting Started with KHIKA SaaS", section "Installing and configuring KHIKA Data Aggregator") and perform the prerequisite steps.

This section explains how to pick and install the KHIKA application for PaloAlto Firewall. Installing the application assembles and activates the adapter (parser) that handles the PaloAlto Firewall data format, together with the preconfigured dashboards and alert rules.

Go to “Applications” tab in the “Configure” menu.

[Screenshot: Application tab.jpg]

Check that the appropriate Workspace is selected. Note: an application is always loaded into a Workspace; read the section on Workspaces to learn more about KHIKA Workspaces. Also select your KHIKA aggregator name in the Node dropdown. This ensures that data is collected from the desired source into the correct workspace, which is then ready with the configured application and components.

[Screenshot: Application name.JPG]

Click the “+” button. A pop-up appears.

[Screenshot: Application install.jpg]

You can now select the contents of the application you require. For example, click the “Reports” dropdown to expand it; the list of all reports is shown. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them. Similarly, select contents from Alerts and Dashboards.

See also: What are KHIKA Reports, What are KHIKA Dashboards, What are KHIKA Alerts.

Click “OK” to proceed with the installation of the selected Application. After successful installation, the following status should be displayed:

[Screenshot: Application status.jpg]

This simple procedure for installing a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslog), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.

How to get your PaloAlto Firewall data into KHIKA?

KHIKA recommends syslog forwarding, the widely supported mechanism, to monitor the PaloAlto Firewall. You must configure the network device (or the end node) to send its logs to the KHIKA Data Aggregator by providing the IP address of the Data Aggregator and port 514, so that the device sends its logs to the KHIKA syslog service. (Please refer to the documentation of the individual device/vendor/OEM to understand how to configure remote syslogging for the device. Many vendors support web-based configuration these days and some support command-based configuration.)

NOTE: You will have to repeat these steps for each APPLICATION that you wish to monitor using KHIKA.

Adding the device in the Adaptor

For help adding a device in the adapter, see "Getting Data into KHIKA", section "Adding device details in the Adaptor".

Verifying SYSLOG data collection

For help verifying syslog data collection, see "Getting Data into KHIKA", section "Verifying syslog data collection".


How to check the output of the KHIKA PaloAlto Firewall App?

Paloalto Suspicious Communication Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard focuses on the PaloAlto firewall's communication with suspicious IP(s), together with the traffic status and action. You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto Suspicious Communication" Dashboard

  Contribution of Action (pie chart): Contribution of the different types of action, such as allow/deny, on the PaloAlto firewall.
  MaliciousIP wise Action (bar graph): X axis: one or more malicious IP(s). Y axis: action per malicious IP and its count.
  Source wise Hits (bar graph): X axis: one or more source IP(s). Y axis: number of hits per source IP.
  Destination wise Hits (bar graph): X axis: one or more destination IP(s). Y axis: number of hits per destination IP.
  Source wise Source Location (bar graph): X axis: one or more source IP(s). Y axis: source location per source IP and its count.
  Destination wise Destination Location (bar graph): X axis: one or more destination IP(s). Y axis: destination location per destination IP and its count.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

Suggestions for useful interaction with this dashboard:

  1. Click a "MaliciousIP" in the "MaliciousIP wise Action" bar graph. It gets selected and the graph shows the action(s) per malicious IP on the PaloAlto firewall. The next bars show source-wise and destination-wise hits, and source-wise and destination-wise location information, for the PaloAlto firewall.
  2. The next pie shows the different types of action on the PaloAlto firewall. Details of the malicious IP can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.

Paloalto Config Summary Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard shows the details of configuration changes made on the Palo Alto Firewall and the commands executed by users. You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto Config Summary" Dashboard

  Contribution of Command (pie chart): Names and contribution of the commands that were fired on the PaloAlto firewall.
  Admin wise Command (bar graph): X axis: one or more admin users. Y axis: commands fired by each admin user and their count.
  Contribution of FW IP (pie chart): Contribution of the individual firewall IPs.
  FW IP wise Command (bar graph): X axis: one or more firewall IPs. Y axis: commands fired on each firewall IP and their count.
  Contribution of Path (pie chart): Contribution of the paths on the PaloAlto firewall.
  Contribution of Result (pie chart): Contribution of the results, such as succeeded or submitted, on the PaloAlto firewall.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

A suggestion for useful interaction with this dashboard:

  1. Click a "Command" in the "Admin wise Command" bar graph. It gets selected and the graph shows the commands fired per admin on the PaloAlto firewall. The next bar shows the commands fired per firewall IP on the PaloAlto firewall.
  2. The next pies show the contribution of result, command, path and firewall IP on the PaloAlto firewall. Details of the command can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.


Paloalto User Authentications Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard shows detailed information about user login and logout activity and authentication failures on the Palo Alto firewall.

You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto User Authentications" Dashboard

  Contribution of Source (pie chart): Contribution of the different sources on the PaloAlto firewall.
  User wise Status (bar graph): X axis: one or more users. Y axis: status per user and its count.
  Contribution of Status (pie chart): Contribution of the statuses, such as authenticated or logged in, on the PaloAlto firewall.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

Some suggestions for useful interaction with this dashboard:

  1. Click a "User" in the "User wise Status" bar graph. It gets selected and the graph shows the status per user on the PaloAlto firewall.
  2. The next pies show the different types of status and the sources on the PaloAlto firewall. Details of the user's activity can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.

Paloalto System Summary Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard shows detailed information about the system activities on the Palo Alto Firewall.

You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto System Summary" Dashboard

  Contribution of Severity (pie chart): Contribution of the different severity types, such as informational, on the PaloAlto firewall.
  Contribution of Subtype (pie chart): Contribution of the different subtypes on the PaloAlto firewall.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

Some suggestions for useful interaction with this dashboard:

  1. The pies show the different types of severity and subtype on the PaloAlto firewall.
  2. Details of system activity can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.

Paloalto Threats Detection By Application Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard shows detailed information on the threats detected by the Palo Alto Firewall, such as threat name, application name, source country and source IP address.

You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto Threats Detection By Application" Dashboard

  Contribution of Action (pie chart): Contribution of the actions on the PaloAlto firewall.
  Contribution of Application (pie chart): Contribution of the different application types, such as web-browsing or ssl, on the PaloAlto firewall.
  ThreatName wise Action (bar graph): X axis: the different types of threat. Y axis: action performed per threat name and its count.
  Source wise Threat (bar graph): X axis: one or more source IP(s). Y axis: threats per source IP and their count.
  Destination wise Threat (bar graph): X axis: one or more destination IP(s). Y axis: threats per destination IP and their count.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

Some suggestions for useful interaction with this dashboard:

  1. Click a "ThreatName" in the "ThreatName wise Action" bar graph. It gets selected and the graph shows the action performed per threat name on the PaloAlto firewall. The next bars show the threats per source IP and per destination IP and their counts.
  2. The next pies show the different types of action and application on the PaloAlto firewall. Details of the threat can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.

Paloalto Allowed External Source Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard shows the allowed traffic from external sources on the Palo Alto firewall.

You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto Allowed External Source" Dashboard

  Contribution of Source Location (pie chart): Contribution of the source locations on the PaloAlto firewall.
  Source wise Hits (bar graph): X axis: one or more source IP(s). Y axis: number of hits per source IP.
  Destination wise Hits (bar graph): X axis: one or more destination IP(s). Y axis: number of hits per destination IP.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

A suggestion for useful interaction with this dashboard:

  1. The bars show the number of hits per source IP and per destination IP.
  2. The next pie shows the contribution of source locations. Details can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.

Paloalto Blocked External Source Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one; it opens the Dashboard. This dashboard shows the blocked traffic from external sources on the Palo Alto firewall.

You can filter and search the information and create new dashboards too. For help with Dashboards, see the KHIKA Dashboards page.

Elements in the Dashboard are explained below:

Elements in "Paloalto Blocked External Source" Dashboard

  Contribution of Source Location (pie chart): Contribution of the source locations on the PaloAlto firewall.
  Source wise Hits (bar graph): X axis: one or more source IP(s). Y axis: number of hits per source IP.
  Destination wise Hits (bar graph): X axis: one or more destination IP(s). Y axis: number of hits per destination IP.
  Time trend: Trend of login events over time; useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events.
  Summary Table: Detailed data with timestamp and count.

A suggestion for useful interaction with this dashboard:

  1. The bars show the number of hits per source IP and per destination IP.
  2. The next pie shows the contribution of source locations. Details can be seen in the summary table. See the KHIKA Dashboards page for how to remove this filter.

PaloAlto Firewall Alerts

Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are described on the KHIKA Alerts page. Click “Alert Dashboard” in the left menu.

Certain alerts for the PaloAlto firewall are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below:

Alert Details Table

Paloalto firewall communication with suspicious ip
  Description: This alert is triggered when bytes are sent to or received from a malicious IP.
  Suggested resolution:
    Communication with a bad IP is happening; it must be blocked immediately, as it could be a possible attack or data exfiltration.
    You can check the logs for this communication by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.
    If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.
    If required, quarantine the affected internal servers until the issues are resolved.

Paloalto firewall host scan activity by malicious ip
  Description: This alert is triggered when more than 10 connections happen from the same malicious IP, using different destination ports, within one minute.
  Suggested resolution:
    A bad IP address tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.
    It is important to check the reputation of the external IP address and block it if necessary.

Paloalto firewall successful host scan activity by malicious ip
  Description: Triggered when more than 10 connections happen from the same malicious IP, using different destination ports, within one minute, with status deny followed by a successful login status.
  Suggested resolution:
    A bad IP address tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has made a successful connection on an open port.
    It is important to check the reputation of the external IP address and block it if necessary.
    It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.

Paloalto firewall successful host scan activity
  Description: This alert is triggered when more than 10 connections happen between the same source and destination IP, using different destination ports, within one minute, with status deny followed by a successful login status.
  Suggested resolution:
    An attacker tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has made a successful connection on an open port.
    It is important to check the reputation of the suspected IP address.
    If the suspected IP address is external, you may consider blocking it.
    If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.
    It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.
    This may be a false positive.

Paloalto firewall sweep scan attack by malicious ip
  Description: This alert is triggered when more than 10 connections happen from the same malicious IP to different destination IPs within one minute.
  Suggested resolution:
    A bad IP address tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.
    It is important to check the reputation of the external IP address and block it if necessary.

Paloalto firewall successful sweep scan activity by malicious ip
  Description: Triggered when more than 10 connections happen from the same malicious IP to different destination IPs within one minute, with status deny followed by a successful login status.
  Suggested resolution:
    A bad IP address tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and is able to establish a connection.
    It is important to check the reputation of the external IP address and block it if necessary.
    It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.

Paloalto firewall successful sweep scan activity
  Description: Triggered when more than 10 connections happen from the same malicious IP to different destination IPs within one minute, with status deny followed by a successful login status.
  Suggested resolution:
    An attacker tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has made a successful connection to one of the IP addresses.
    It is important to check the reputation of the suspected IP address.
    If the suspected IP address is external, you may consider blocking it.
    If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.
    It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.
    This may be a false positive.

Paloalto firewall worm detected
  Description: This alert is triggered when the destination port is one of 445, 137, 138 or 139 and the value "untrust-l3" is present in traffic-type events.
  Suggested resolution:
    Log messages indicative of a worm have been detected. Check the attacking IPs in question. Verify the reputation of these IPs in reputation databases such as virustotal.com, ipvoid.com etc.

Paloalto firewall backdoor activity detected
  Description: This alert is triggered when a connection happens, within one minute, using vulnerable destination ports such as 3127, 3198, 6129 or 7080.
  Suggested resolution:
    This event indicates that traffic was generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080). Typically, these ports are used by attackers to exploit vulnerable programs listening on them.
    Check whether these ports are open and on which servers. Do you really need these ports open?
    Check what programs are running on these ports and check the vulnerability reports of those applications. Block these ports for external traffic unless it is mandatory to keep them open.
    If you have to keep any of these ports open, try to restrict access to legitimate IPs.
    If a suspicious IP repeatedly tries to access these ports, block the IP. Check the reputation of the IP on popular websites such as ipvoid.com, virustotal.com etc.

Paloalto firewall host scan attack
  Description: This alert is triggered when more than 10 connections happen between the same source and destination IP, using different destination ports, within one minute.
  Suggested resolution:
    An attacker tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.
    Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may whitelist known IP addresses (such as a designated vulnerability scanner or asset discovery tool) so as to suppress false positives.

Paloalto firewall communication with possible IOC or bad IP
  Description: This alert is triggered when a suspicious IP is communicating with an internal IP.
  Suggested resolution:
    KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.
    If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration.
    You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.
    Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.
    If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.
    It is critical to block this rogue communication.

Paloalto firewall sweep scan attack
  Description: This alert is triggered when more than 10 connections happen from the same source IP to various destination IPs within one minute.
  Suggested resolution:
    An attacker tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.
    Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may whitelist known IP addresses (such as a designated vulnerability scanner or asset discovery tool) so as to suppress false positives.

Paloalto firewall suspicious ip related activity from internal
  Description: This alert is triggered when a suspicious IP is communicating with an internal IP.
  Suggested resolution:
    KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP originates from an internal source.
    If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration.
    You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.
    Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.
    If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.
    It is critical to block this rogue communication.

Paloalto firewall high ICMP request from single host
  Description: This alert is triggered when 10 ICMP protocol events from the same source occur within 1 minute.
  Suggested resolution:
    An ICMP probe is an old and established technique used by attackers as the first step of reconnaissance. It is used to check which IPs/hosts respond to ping requests so that further targeted attacks can be launched on the responding IPs/hosts.
    The probing IP, if not a legitimate IP, should be blocked at the perimeter.
    Check the reputation of the probing IP in external reputation databases such as VirusTotal.com or IPVoid.com. If the reputation is found to be dubious or bad, you must block such IPs.
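As an added example (not code from the KHIKA page or product), the following Python models the windowed host-scan, sweep-scan, worm-port, backdoor-port, ICMP and bad-IP rules described in the alert table above and runs them over constructed sample records. The "timestamp key=value" record layout, the field names and the BAD_IPS set are assumptions made for this example; they are not PAN-OS's real syslog format, KHIKA's adapter or its threat-intelligence feed.

```python
"""Sliding-window detection rules modelled on the KHIKA PaloAlto alert table.
Added example, not KHIKA code: record layout, field names and BAD_IPS are
assumptions for this demonstration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)              # each windowed rule says "within one minute"
SCAN_THRESHOLD = 10                        # host/sweep scan rules fire on "more than 10"
ICMP_THRESHOLD = 10                        # ICMP rule fires on "10 events"
WORM_PORTS = {445, 137, 138, 139}          # "worm detected" destination ports
BACKDOOR_PORTS = {3127, 3198, 6129, 7080}  # "backdoor activity" destination ports
BAD_IPS = {"203.0.113.5"}                  # constructed stand-in for the KHIKA TI list


def parse_line(line):
    """Parse one constructed 'YYYY-MM-DDTHH:MM:SS key=value ...' record."""
    ts_text, _, rest = line.strip().partition(" ")
    ev = {"ts": datetime.fromisoformat(ts_text)}
    for field in rest.split():
        key, _, value = field.partition("=")
        ev[key] = value
    ev["dport"] = int(ev.get("dport", 0))
    return ev


def _expire(window, now, ts_of):
    """Drop entries older than WINDOW from the left of a per-key deque."""
    while window and now - ts_of(window[0]) > WINDOW:
        window.popleft()


def detect(events):
    """Return a sorted list of (rule, subject_ip) pairs raised over the events."""
    alerts = set()
    by_pair = defaultdict(deque)   # (src, dst) -> (ts, dport): host scan
    by_src = defaultdict(deque)    # src -> (ts, dst): sweep scan
    icmp = defaultdict(deque)      # src -> ts: high ICMP
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, dst, dport, ts = ev["src"], ev["dst"], ev["dport"], ev["ts"]
        # Stateless rules: one matching event is enough.
        for ip in (src, dst):
            if ip in BAD_IPS:
                alerts.add(("suspicious_ip_communication", ip))
        if dport in WORM_PORTS and "untrust-l3" in ev.get("zone", ""):
            alerts.add(("worm_detected", src))
        if dport in BACKDOOR_PORTS:
            alerts.add(("backdoor_activity", src))
        # Windowed rules: count events / distinct targets seen inside WINDOW.
        if ev.get("proto") == "icmp":
            q = icmp[src]
            q.append(ts)
            _expire(q, ts, lambda t: t)
            if len(q) >= ICMP_THRESHOLD:
                alerts.add(("high_icmp", src))
            continue
        q = by_pair[(src, dst)]
        q.append((ts, dport))
        _expire(q, ts, lambda e: e[0])
        if len({p for _, p in q}) > SCAN_THRESHOLD:
            alerts.add(("host_scan", src))
        q = by_src[src]
        q.append((ts, dst))
        _expire(q, ts, lambda e: e[0])
        if len({d for _, d in q}) > SCAN_THRESHOLD:
            alerts.add(("sweep_scan", src))
    return sorted(alerts)


# Constructed sample records using RFC 5737 documentation addresses.
_BASE = datetime(2019, 6, 19, 10, 0, 0)


def _rec(sec, src, dst, dport, proto="tcp", action="deny", zone="trust-l3"):
    ts = (_BASE + timedelta(seconds=sec)).isoformat()
    return f"{ts} type=TRAFFIC src={src} dst={dst} dport={dport} proto={proto} action={action} zone={zone}"


_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 3389]  # 11 distinct ports
SAMPLE_LOGS = (
    # host scan: 11 ports on one host within 20 s -> fires (src is also in BAD_IPS)
    [_rec(i * 2, "203.0.113.5", "10.0.0.8", p) for i, p in enumerate(_PORTS)]
    # slow scan: same 11 ports spread over 5 min -> never more than 10 in a window
    + [_rec(i * 30, "203.0.113.77", "10.0.0.9", p) for i, p in enumerate(_PORTS)]
    # sweep scan: port 22 on 11 different hosts within 30 s -> fires
    + [_rec(i * 3, "198.51.100.7", f"10.0.0.{i + 1}", 22) for i in range(11)]
    # worm port from the untrust zone, and a backdoor port from inside
    + [_rec(5, "192.0.2.9", "10.0.0.20", 445, zone="untrust-l3"),
       _rec(7, "10.0.0.30", "10.0.0.31", 3127, action="allow")]
    # 10 ICMP probes from one source within 36 s -> fires
    + [_rec(i * 4, "192.0.2.50", "10.0.0.8", 0, proto="icmp") for i in range(10)]
    # ordinary allowed HTTPS session -> no alert
    + [_rec(9, "10.0.0.40", "10.0.0.41", 443, action="allow")]
)


def run_sample():
    """Parse the constructed records and return the alerts they raise."""
    return detect(parse_line(line) for line in SAMPLE_LOGS)
```

Calling run_sample() returns one (rule, ip) pair per triggered rule; the slow scanner 203.0.113.77 never appears because its 11 ports never fall inside a single one-minute window.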