Threats - Palo Alto
About the threats area
The Threats view provides an overview of the triggered and defined alerts in your domain related to Palo Alto firewall activity.
When an alert is triggered in your domain, it will be registered here as a threat detected, whereas a threat definition will be the alerts defined with their corresponding conditions. The Firewall threats tab contains information on both Devo alerts as well as Palo Alto alerts as events.
The alerts in this view are designed to deal with specific Palo Alto firewall activity and can be found across Devo as well, such as in the Alerts area and the SecOps application.
Installation process
Exchange alert pack: Firewall
For a successful use of this application, we recommend the installation of this alert pack via Exchange.
Threats detected
Threat detections within the Devo 360 for Palo Alto application deliver full information on triggered alerts with descriptions and recommendations. This provides analysts with the full context of each Palo Alto firewall alert for informed analysis of the threat story.​ Threat detections include important information about threats, such as triggering situation, timeframe, prioritization, or source.
Threats activity
The alerts triggered over time, organized by priority, status, or name.
Threats metrics
The distribution of the alerts triggered in relation to each key aspect.
Threats table
The alerts triggered and all their details. If you click on the name of an alert definition, you will open a new window that provides extensive details on each triggered alert and cconsists of four different tabs:
Overview: Contains information on why, what, when, where and how the alert was triggered, the alert priority, dates, status, and actions.
Timeline: Plots the alerts triggered on an interactive timeline.
Queries: Provides the query that feeds the alert, which you can copy to your clipboard for further use.
Geolocation: Plots the location of events on an interactive map.
Firewall threats
Whereas the Threats detected tab provide information on Devo alerts, this tab contains data on alerts triggered in Palo Alto, providing detailed information on events Palo Alto considers as firewall threats. This gives a further notion of the overall firewall health. You can use the insights for further analysis and action.
Top 10 classifications:
The top 10 threats are extracted and classified by content type, destination locations, URL filenames and threat IDs.
Threats by IP location
Interactive maps providing an overview of threats by Source IP and Destination IP
Firewall threats over time
An interactive bar chart mapping threats over time. You can filter by Threat ID, Category, Severity, App or Direction.