Difference between revisions of "KHIKA App for PaloAlto Firewall"
Revision as of 09:16, 19 June 2019
Contents
- 1 How to check the output of KHIKA PaloAlto Firewall App?
- 1.1 Paloalto Suspicious Communication Dashboard
- 1.2 Paloalto Config Summary Dashboard
- 1.3 Paloalto User Authentications Dashboard
- 1.4 Paloalto System Summary Dashboard
- 1.5 Paloalto Threats Detection By Application Dashboard
- 1.6 Paloalto Allowed External Source Dashboard
- 1.7 Paloalto Blocked External Source Dashboard
- 1.8 PaloAlto Firewall Alerts
How to check the output of KHIKA PaloAlto Firewall App?
Paloalto Suspicious Communication Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard focuses on the Palo Alto firewall's communication with suspicious IP(s), along with the traffic status and action for that communication. You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Action pie chart | Contribution of the different types of action (allow/deny) on the Palo Alto firewall. |
| MaliciousIP wise Action bar graph | X axis: one or more malicious IP(s). Y axis: MaliciousIP wise action and its count. |
| Source wise Hits bar graph | X axis: one or more SourceIP(s). Y axis: SourceIP wise number of hits. |
| Destination wise Hits bar graph | X axis: one or more DestinationIP(s). Y axis: DestinationIP wise number of hits. |
| Source wise Source Location bar graph | X axis: one or more SourceIP(s). Y axis: SourceIP wise source location and its count. |
| Destination wise Destination Location bar graph | X axis: one or more DestinationIP(s). Y axis: DestinationIP wise destination location and its count. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Suggestions for useful interaction with this dashboard:
- Click on a “MaliciousIP” bar in the "MaliciousIP wise Action" bar graph. It gets selected and the graph shows the action(s) taken on the Palo Alto firewall for that malicious IP. The next bars show source wise and destination wise hits, and also source wise and destination wise location information, for the Palo Alto firewall.
- The next pie shows the different types of action on the Palo Alto firewall. Details of the malicious IP can be seen in the summary table. How to remove this filter is explained here.
Paloalto Config Summary Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard shows the details of configuration changes made on the Palo Alto Firewall and the commands executed by each user. You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Command pie chart | Names and contribution of the commands which were fired on the Palo Alto firewall. |
| Admin wise Command bar graph | X axis: one or more admin users. Y axis: commands fired by each admin user and their count. |
| Contribution of FW IP pie chart | Contribution of each firewall IP. |
| FW IP wise Command bar graph | X axis: one or more firewall IPs. Y axis: commands fired on each firewall IP and their count. |
| Contribution of Path pie chart | Contribution of each path on the Palo Alto firewall. |
| Contribution of Result pie chart | Contribution of results such as succeeded, submitted etc. on the Palo Alto firewall. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Suggestions for useful interaction with this dashboard:
- Click on a “Command” bar in the "Admin wise Command" bar graph. It gets selected and the graph shows the commands fired on the Palo Alto firewall by each admin. The next bar shows the commands fired on each firewall IP (FWIP).
- The next pies show the different types of result, command, path and FWIP on the Palo Alto firewall. Details of the command can be seen in the summary table. How to remove this filter is explained here.
Paloalto User Authentications Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard shows detailed information about user login and logout activity and authentication failures on the Palo Alto firewall.
You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Source pie chart | Contribution of the different sources on the Palo Alto firewall. |
| User wise Status bar graph | X axis: one or more users. Y axis: user wise status and its count. |
| Contribution of Status pie chart | Contribution of statuses such as authenticated, logged in etc. on the Palo Alto firewall. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Some suggestions for useful interaction with this dashboard:
- Click on a “User” bar in the "User wise Status" bar graph. It gets selected and the graph shows the status on the Palo Alto firewall for that user.
- The next pies show the different types of status and the sources on the Palo Alto firewall. Details of the user's activity can be seen in the summary table. How to remove this filter is explained here.
Paloalto System Summary Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard shows detailed information about the system activities on the Palo Alto Firewall.
You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Severity pie chart | Contribution of the different types of severity (such as informational) on the Palo Alto firewall. |
| Contribution of Subtype pie chart | Contribution of the different subtypes on the Palo Alto firewall. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Some suggestions for useful interaction with this dashboard:
- The pies show the different types of severity and subtype on the Palo Alto firewall.
- Details of system activity can be seen in the summary table. How to remove this filter is explained here.
Paloalto Threats Detection By Application Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This report focuses on the user activity on Linux servers: which actions users have taken, programs used etc., and the names and contribution of the commands which were fired.
You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Action pie chart | Contribution of the actions on the Palo Alto firewall. |
| Contribution of Application pie chart | Contribution of the different types of application (such as web-browsing, ssl etc.) on the Palo Alto firewall. |
| ThreatName wise Action bar graph | X axis: the different types of threat. Y axis: ThreatName wise action performed and its count. |
| Source wise Threat bar graph | X axis: one or more SourceIP(s). Y axis: SourceIP wise threat and its count. |
| Destination wise Threat bar graph | X axis: one or more DestinationIP(s). Y axis: DestinationIP wise threat and its count. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Some suggestions for useful interaction with this dashboard:
- Click on a “ThreatName” bar in the "ThreatName wise Action" bar graph. It gets selected and the graph shows the action performed on the Palo Alto firewall for that threat name. The next bars show the SourceIP wise and DestinationIP wise threats and their counts.
- The next pies show the different types of action and application on the Palo Alto firewall. Details of the threat can be seen in the summary table. How to remove this filter is explained here.
Paloalto Allowed External Source Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard shows the traffic from external sources that the Palo Alto firewall allowed.
You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Source Location pie chart | Contribution of the source locations seen on the Palo Alto firewall. |
| Source wise Hits bar graph | X axis: one or more SourceIP(s). Y axis: SourceIP wise number of hits. |
| Destination wise Hits bar graph | X axis: one or more DestinationIP(s). Y axis: DestinationIP wise number of hits. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Suggestions for useful interaction with this dashboard:
- The bars show the SourceIP wise and DestinationIP wise number of hits.
- The pie shows the contribution of source locations. Details can be seen in the summary table. How to remove this filter is explained here.
Paloalto Blocked External Source Dashboard
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard shows the traffic from external sources that the Palo Alto firewall blocked.
You can filter and search information and create new ones too. For help with Dashboards, click here.
Elements in the Dashboard are explained below:
| Visualization | Description |
| --- | --- |
| Contribution of Source Location pie chart | Contribution of the source locations seen on the Palo Alto firewall. |
| Source wise Hits bar graph | X axis: one or more SourceIP(s). Y axis: SourceIP wise number of hits. |
| Destination wise Hits bar graph | X axis: one or more DestinationIP(s). Y axis: DestinationIP wise number of hits. |
| Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis: date and time. Y axis: count of events. |
| Summary Table | Detailed data with timestamp and count. |
Suggestions for useful interaction with this dashboard:
- The bars show the SourceIP wise and DestinationIP wise number of hits.
- The pie shows the contribution of source locations. Details can be seen in the summary table. How to remove this filter is explained here.
PaloAlto Firewall Alerts
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here. Click on “Alert Dashboard” on the left menu.
Certain alerts for the Palo Alto firewall are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below:
Alerts Description
| Alert Name | Description | Suggested Resolution |
| --- | --- | --- |
| Paloalto firewall communication with suspicious ip | This alert is triggered when sent or received bytes are exchanged with a malicious IP. | If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. You can check the logs for this communication by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses. If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication. If required, quarantine the affected internal servers until the issues are resolved. |
| Paloalto firewall host scan activity by malicious ip | This alert is triggered when more than 10 connections happened from the same malicious IP using different destination ports, within one minute. | A bad IP address tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle. It is important to check the reputation of the external IP address and block it if necessary. |
| Paloalto firewall successful host scan activity by malicious ip | This alert is triggered when more than 10 connections happened from the same malicious IP with status deny, followed by a successful login status, using different destination ports, within one minute. | A bad IP address tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has made a successful connection on an open port. It is important to check the reputation of the external IP address and block it if necessary. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. |
| Paloalto firewall successful host scan activity | This alert is triggered when more than 10 connections happened from the same Source IP to the same Destination IP with status deny, followed by a successful login status, using different destination ports, within one minute. | An attacker tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has made a successful connection on an open port. It is important to check the reputation of the suspected IP address. If the suspected IP address is external, you may consider blocking it. If the suspected IP address is internal, you may need to verify the sanity of the corresponding device. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. This may be a false positive. |
| Paloalto firewall sweep scan attack by malicious ip | This alert is triggered when more than 10 connections happened from the same malicious IP to different Destination IPs, within one minute. | A bad IP address tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle. It is important to check the reputation of the external IP address and block it if necessary. |
| Paloalto firewall successful sweep scan activity by malicious ip | This alert is triggered when more than 10 connections happened from the same malicious IP with status deny, followed by a successful login status, to different Destination IPs, within one minute. | A bad IP address tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has found an open port on one of the IP addresses and is able to establish a connection. It is important to check the reputation of the external IP address and block it if necessary. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. |
| Paloalto firewall successful sweep scan activity | This alert is triggered when more than 10 connections happened from the same malicious IP with status deny, followed by a successful login status, to different Destination IPs, within one minute. | An attacker tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has made a successful connection to one of the IP addresses. It is important to check the reputation of the suspected IP address. If the suspected IP address is external, you may consider blocking it. If the suspected IP address is internal, you may need to verify the sanity of the corresponding device. It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved. This may be a false positive. |
| Paloalto firewall worm detected | This alert is triggered when the destination port is one of 445, 137, 138, 139 and the "untrust-l3" value is available in the traffic type of the events. | Log messages indicative of a worm are detected. Check the attacking IPs in question. Verify the reputation of these IPs in reputation databases such as virustotal.com, ipvoid.com etc. |
| Paloalto firewall backdoor activity detected | This alert is triggered when a connection happened using vulnerable destination ports such as 3127, 3198, 6129, 7080, within one minute. | This event indicates that traffic is generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080). Typically, these ports are used by attackers to exploit vulnerable programs listening on them. Check whether these ports are open and on which servers. Do you really need these ports open? Check which programs are running on these ports and check the vulnerability reports of those applications. Block these ports for external traffic unless it is mandatory to keep them open. If you have to keep any of these ports open, try to restrict access to legitimate IPs. If a suspicious IP repeatedly tries to access these ports, block the IP. Check the reputation of the IP on popular websites such as ipvoid.com, virustotal.com etc. |
| Paloalto firewall host scan attack | This alert is triggered when more than 10 connections happened from the same Source IP to the same Destination IP using different destination ports, within one minute. | An attacker tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.), targeting one single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle. Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may whitelist the known IP addresses (such as a designated vulnerability scanner, asset discovery tools etc.) so as to suppress false positives. |
| Paloalto firewall communication with possible IOC or bad IP | This alert is triggered when a suspicious IP is communicating with an internal IP. | KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through. If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses. Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com. If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication. It is critical to block this rogue communication. |
| Paloalto firewall sweep scan attack | This alert is triggered when more than 10 connections happened from the same Source IP to various Destination IPs, within one minute. | An attacker tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle. Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may whitelist the known IP addresses (such as a designated vulnerability scanner, asset discovery tools etc.) so as to suppress false positives. |
| Paloalto firewall suspicious ip related activity from internal | This alert is triggered when a suspicious IP is communicating with an internal IP. | KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP originates from an internal source. If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses. Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com. If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication. It is critical to block this rogue communication. |
| Paloalto firewall high ICMP request from single host | This alert is triggered when 10 ICMP protocol events from the same source occurred within 1 minute. | ICMP probing is an old and established technique used by attackers as the first step of reconnaissance. It is used to check which IPs/hosts respond to ping requests so that further targeted attacks can be launched on the responding IPs/hosts. If the probing IP is not a legitimate IP, it should be blocked at the periphery. Check the reputation of the probing IP in external reputation databases such as VirusTotal.com or IPVoid.com. If the reputation is found to be dubious or bad, you must block such IPs. |
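As an added example (not KHIKA's or Palo Alto's code), the following Python re-implements the windowed host scan, sweep scan and high-ICMP rules from the table above, plus the stateless worm and backdoor-port checks, over constructed traffic records. Assumptions: a simplified `time,src,dst,dport,proto,action,zone` record format rather than the real PAN-OS traffic log layout, and the "successful host scan" rule approximated as an allowed connection on a source/destination pair that has already tripped the host-scan rule.

```python
"""Added example, not KHIKA's or Palo Alto's code: windowed versions of the
scan, ICMP, worm and backdoor-port alert rules, run over constructed records in
an ASSUMED 'time,src,dst,dport,proto,action,zone' format (not the PAN-OS layout)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
SCAN_BAR = 11                              # "more than 10" = the 11th distinct value
ICMP_BAR = 10                              # "10 events of ICMP ... within 1 min"
BACKDOOR_PORTS = {3127, 3198, 6129, 7080}  # ports named in the backdoor alert
WORM_PORTS = {445, 137, 138, 139}          # ports named in the worm alert
BASE = datetime(2019, 6, 19, 9, 0, 0)      # constructed base time for sample records

def parse(line):
    ts, src, dst, dport, proto, action, zone = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "action": action, "zone": zone}

def record(sec, src, dst, dport, proto="tcp", action="deny", zone="untrust-l3"):
    # Build one constructed record `sec` seconds after BASE.
    return f"{(BASE + timedelta(seconds=sec)).isoformat()},{src},{dst},{dport},{proto},{action},{zone}"

class Window:
    """Per-key trailing window counting either events or distinct values seen in it."""

    def __init__(self, distinct, span=WINDOW):
        self.distinct, self.span, self.q = distinct, span, defaultdict(deque)

    def _count(self, q):
        return len({v for _, v in q}) if self.distinct else len(q)

    def add(self, key, ts, value):
        """Slide the window up to ts, add the event, return (count before, count after)."""
        q = self.q[key]
        while q and ts - q[0][0] > self.span:   # evict events older than the window
            q.popleft()
        before = self._count(q)
        q.append((ts, value))
        return before, self._count(q)

def reached(before, after, bar):
    """True only for the event that lifts a count from below bar to bar or above,
    so a sustained burst fires once instead of on every further event."""
    return before < bar <= after

def detect(lines):
    """Return (alert name, key) tuples in firing order; lines must be time-ordered."""
    alerts = []
    host = Window(distinct=True)    # (src, dst) -> distinct destination ports
    sweep = Window(distinct=True)   # src -> distinct destination IPs
    icmp = Window(distinct=False)   # src -> ICMP event count
    scanning = set()                # (src, dst) pairs that already tripped a host scan
    for rec in map(parse, lines):
        src, dst, ts = rec["src"], rec["dst"], rec["ts"]
        if rec["dport"] in BACKDOOR_PORTS:
            alerts.append(("backdoor activity", (src, dst, rec["dport"])))
        if rec["dport"] in WORM_PORTS and rec["zone"] == "untrust-l3":
            alerts.append(("worm detected", (src, dst, rec["dport"])))
        if rec["proto"] == "icmp":
            if reached(*icmp.add(src, ts, None), ICMP_BAR):
                alerts.append(("high ICMP request", src))
            continue
        if reached(*host.add((src, dst), ts, rec["dport"]), SCAN_BAR):
            alerts.append(("host scan attack", (src, dst)))
            scanning.add((src, dst))
        elif (src, dst) in scanning and rec["action"] == "allow":
            # Approximates "deny followed by a successful status" on the same pair.
            alerts.append(("successful host scan", (src, dst)))
            scanning.discard((src, dst))
        if reached(*sweep.add(src, ts, dst), SCAN_BAR):
            alerts.append(("sweep scan attack", src))
    return alerts

def sample_lines():
    """Constructed traffic: a denied 12-port scan ending in one allowed connection,
    a 10-ping burst, a sweep across 11 hosts, one SMB hit from untrust, one backdoor port."""
    out = [record(i, "203.0.113.5", "10.0.0.7", 20 + i) for i in range(12)]
    out.append(record(15, "203.0.113.5", "10.0.0.7", 22, action="allow"))
    out += [record(20 + i, "198.51.100.9", f"10.0.0.{1 + i}", 0, proto="icmp") for i in range(10)]
    out += [record(30 + i, "192.0.2.77", f"10.0.1.{1 + i}", 80) for i in range(11)]
    out.append(record(45, "192.0.2.77", "10.0.1.1", 445))
    out.append(record(50, "10.0.0.7", "203.0.113.5", 3127, action="allow", zone="trust-l3"))
    return out
```

Firing on the crossing of the threshold, rather than whenever the count sits above it, is what keeps a sustained scan from raising the same alert on every further connection; the one-minute eviction also means a slow scan spread over several minutes never reaches the bar, which is the trade-off the "within one minute" wording in the table implies.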