Data Collection Guidance for Security Assurance
Objective
This article is intended to provide a list of minimum information requirements to begin diagnosis. This article can be used as a template when opening a new support case to ensure Palo Alto Networks can promptly begin extracting meaningful data.
Environment
Environmental Specifics and Considerations:
- How many user endpoints exist in the IT estate (total potential impact)?
- How many server endpoints exist in the IT estate (total potential impact)?
- What is the operating system mix in both the user and server estates?
- What cloud environments are in use, and are any cloud environments impacted or involved with the incident?
- Does the incident impact any 'special' environments - e.g. ICS/SCADA/PCI?
Procedure
Basic Details
- What is the suspected attack vector and type?
- What evidence provided context to your administrative/response team of a potential issue?
- Geographic location and number of sites impacted
Timeline Information
- Is the date/time of the initial attack known?
- When was the issue identified?
- Have the vector of attack and initially attacked infrastructure been identified?
Incident Details
- What is the nature of the incident (e.g. confirmed network intrusion)
- Is the incident currently impacting business operations?
- What confirmed indicators associated with the incident can be shared?
- What is the earliest known activity relating to the incident?
- Details on the point of entry and initially impacted hosts / infrastructure, if known.
- Were any user accounts compromised? Please provide User-IDs of compromised accounts.
- Known IP address of impacted system(s)
- Is the host publicly available via NAT? If so, please include that IP.
- Are there any key services that may make this system a prime target? Eg. Databases, web services, Remote Access server (RDP, Citrix, etc)
- Is there a known or suspected Threat Actor?
- Are there any known or suspicious IPs that may be related to the attack (Attacker IP)?
- If actor is still believed to be on the network, does the client have an established out-of-band communications channel?
Topology Diagram or Overview
- While a complete topology is not required, it is important for us to understand the location of the firewall in reference to the impacted host(s). Diagram can be supplemented or replaced with concise written description of topology.
Malware/IOC Data
- Samples
- Hashes
Data from your Firewall
Tech Support File(s)
- Generate and upload Tech Support files for devices in path to impacted devices at time of issue.
- If Panorama is used to manage the device(s) collect TS file from this device also.
- How to generate a tech support file: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK
Firewall Logs
Export logs from the device starting 2 hours prior to the suspected attack for each category listed below (where enabled) based on IP address information and timestamp details outlined above. Before exporting any logs verify csv lines setting is set to its max value.
- How to Increase Max Rows: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaPCAS
- Basics of Traffic Monitor Filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
Categories include:
- Data filtering
- Traffic
- Threat
- URL
- User-ID (if lateral movement is suspected)
- Wildfire
Note: It is important to understand your deployments log retention policy as well as capacity so that no data is lost. Administrators may need to take additional actions such as exporting data from firewalls or other logging servers to assure continuity of data for the duration of the investigation.
Additional Information
Information Sources and Data Collection options:
- Nature and deployment coverage by Palo Alto Networks products
- What non-PAN security tooling exists in the environment (e.g. DLP, SIEM, IDS, AV, EDR etc.)?
- Are any other major sources of log data available (e.g. netflow, proxy logs, DNS logs)?
- What approved remote access methods exist to access the network(s) for live data collection?
3rd Party Resources and Contacts:
- Are any elements of the IT environment managed by third parties (e.g. IT MSPs)
- Are other parties already involved in or briefed on the response?
- Have any information regulators or financial regulators been notified?
Additional Ways to Identify Meaningful Data
- Leverage the ACC to look for spikes or changes in traffic surrounding the attack
- How to use the Application Command Center (ACC): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClnDCAS
- Threat Monitor Report
- How to use the Threat Monitor Report: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-the-app-scope-reports/threat-monitor-report.html