Palo Alto Networks Knowledgebase: Data Collection Guidance for Security Assurance

Data Collection Guidance for Security Assurance

Created On 10/25/19 00:19 AM - Last Updated 12/05/19 17:41 PM
Objective
This article is intended to provide a list of minimum information requirements to begin diagnosis. This article can be used as a template when opening a new support case to ensure Palo Alto Networks can promptly begin extracting meaningful data.

Environment
Environmental Specifics and Considerations:
  • How many user endpoints exist in the IT estate (total potential impact)?
  • How many server endpoints exist in the IT estate (total potential impact)? 
  • What is the operating system mix in both the user and server estates? 
  • What cloud environments are in use, and are any cloud environments impacted or involved with the incident?
  • Does the incident impact any 'special' environments - e.g. ICS/SCADA/PCI?


Procedure

Basic Details

  • What is the suspected attack vector and type?
  • What evidence provided context to your administrative/response team of a potential issue?
  • Geographic location and number of sites impacted
Timeline Information

  • Is the date/time of the initial attack known?
  • When was the issue identified?
  • Have the vector of attack and initially attacked infrastructure been identified?
Incident Details

  • What is the nature of the incident (e.g. confirmed network intrusion)?
  • Is the incident currently impacting business operations?
  • What confirmed indicators associated with the incident can be shared?
  • What is the earliest known activity relating to the incident?
  • Details on the point of entry and initially impacted hosts / infrastructure, if known.

Compromised Device Details

  • Were any user accounts compromised? Please provide the user IDs of compromised accounts.
  • Known IP address of impacted system(s)
    • Is the host publicly reachable via NAT? If so, please include that IP.
    • Are there any key services that may make this system a prime target? e.g. databases, web services, remote access servers (RDP, Citrix, etc.)

Attacker Information

  • Is there a known or suspected threat actor?
  • Are there any known or suspicious IPs that may be related to the attack (attacker IP)?
  • If the actor is still believed to be on the network, does the client have an established out-of-band communications channel?

Topology Diagram or Overview

  • While a complete topology is not required, it is important for us to understand the location of the firewall relative to the impacted host(s). The diagram can be supplemented or replaced with a concise written description of the topology.

Malware/IOC Data

  • Samples
  • Hashes
Data from your Firewall

Tech Support File(s)
Firewall Logs

Export logs from the device, starting 2 hours prior to the suspected attack, for each category listed below (where enabled), scoped by the IP address information and timestamp details outlined above. Before exporting any logs, verify that the CSV export row limit is set to its maximum value so that the export is not truncated.

Categories include:

  • Data filtering
  • Traffic
  • Threat
  • URL
  • User-ID (if lateral movement is suspected)
  • WildFire

Note: It is important to understand your deployment's log retention policy as well as its capacity so that no data is lost. Administrators may need to take additional actions, such as exporting data from firewalls or other logging servers, to assure continuity of data for the duration of the investigation.
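As an added example (not part of this Palo Alto Networks article), the helper below scopes an export the way the steps above describe: it derives the collection window starting 2 hours before the suspected attack, builds one filter expression per log category, and, on an exported CSV, keeps only rows in that window that touch an impacted host while flagging an export that hit the configured row cap. The column names, the category labels and the receive_time/addr filter syntax are assumptions modelled on PAN-OS exports and log filters; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

TS_FMT = "%Y/%m/%d %H:%M:%S"
# Categories the article asks for; these labels are assumed, not PAN-OS identifiers.
CATEGORIES = ("data-filtering", "traffic", "threat", "url", "user-id", "wildfire")

def collection_window(suspected_attack, last_known_activity, hours_before=2):
    """Return (start, end): from 2 h before the suspected attack to the last known activity."""
    start = datetime.strptime(suspected_attack, TS_FMT) - timedelta(hours=hours_before)
    end = datetime.strptime(last_known_activity, TS_FMT)
    if end < start:
        raise ValueError("last known activity precedes the collection window start")
    return start, end

def log_filters(window, host_ips):
    """One filter expression per category, modelled on PAN-OS log-filter syntax
    (the receive_time / addr operators are assumed; confirm them on your PAN-OS version)."""
    start, end = window
    time_clause = (f"(receive_time geq '{start.strftime(TS_FMT)}') and "
                   f"(receive_time leq '{end.strftime(TS_FMT)}')")
    addr_clause = " or ".join(f"(addr in {ip})" for ip in sorted(host_ips))
    return {cat: f"{time_clause} and ({addr_clause})" for cat in CATEGORIES}

def scope_export(csv_text, window, host_ips, max_rows):
    """Keep rows inside the window that involve an impacted host; the second value is
    True when the file holds the configured row cap, i.e. the export was likely truncated."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    start, end = window
    kept = [r for r in rows
            if start <= datetime.strptime(r["Receive Time"], TS_FMT) <= end
            and host_ips & {r["Source address"], r["Destination address"]}]
    return kept, len(rows) >= max_rows

# Constructed sample export (not real firewall data); attack suspected at 23:00 on 2019/10/24.
SAMPLE_CSV = """Receive Time,Type,Source address,Destination address
2019/10/24 20:15:00,TRAFFIC,10.1.1.5,203.0.113.9
2019/10/24 22:40:00,TRAFFIC,198.51.100.7,10.1.1.5
2019/10/24 23:05:00,TRAFFIC,10.1.1.50,10.1.1.51
2019/10/25 01:30:00,TRAFFIC,10.1.1.5,10.1.1.20
"""

if __name__ == "__main__":
    win = collection_window("2019/10/24 23:00:00", "2019/10/25 02:00:00")
    for cat, expr in log_filters(win, {"10.1.1.5"}).items():
        print(f"{cat}: {expr}")
    kept, truncated = scope_export(SAMPLE_CSV, win, {"10.1.1.5"}, max_rows=65535)
    print(len(kept), "rows in scope; truncated:", truncated)
```

If the truncation flag is raised, split the window into smaller ranges and export each separately rather than trusting a capped file.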
Additional Information

Information Sources and Data Collection options:

  • Which Palo Alto Networks products are deployed, and what coverage do they provide?
  • What non-PAN security tooling exists in the environment (e.g. DLP, SIEM, IDS, AV, EDR, etc.)?
  • Are any other major sources of log data available (e.g. NetFlow, proxy logs, DNS logs)?
  • What approved remote access methods exist to access the network(s) for live data collection?



3rd Party Resources and Contacts:

  • Are any elements of the IT environment managed by third parties (e.g. IT MSPs)?
  • Are other parties already involved in or briefed on the response?
  • Have any information regulators or financial regulators been notified?

Additional Ways to Identify Meaningful Data


