Data Collection Guidance for Security Assurance

• How many user endpoints exist in the IT estate (total potential impact)?
• How many server endpoints exist in the IT estate (total potential impact)? 
• What is the operating system mix in both the user and server estates? 
• What cloud environments are in use, and are any cloud environments impacted or involved with the incident?
• Does the incident impact any 'special' environments - e.g. ICS/SCADA/PCI?

Basic Details

• What is the suspected attack vector and type?
• What evidence provided context to your administrative/response team of a potential issue?
• Geographic location and number of sites impacted

Timeline Information

• Is the date/time of the initial attack known?
• When was the issue identified?
• Have the vector of attack and initially attacked infrastructure been identified?

Incident Details

• What is the nature of the incident (e.g. confirmed network intrusion)
• Is the incident currently impacting business operations?
• What confirmed indicators associated with the incident can be shared?
• What is the earliest known activity relating to the incident?
• Details on the point of entry and initially impacted hosts / infrastructure, if known.

• Were any user accounts compromised? Please provide User-IDs of compromised accounts.
• Known IP address of impacted system(s)
  • Is the host publicly available via NAT? If so, please include that IP.
  • Are there any key services that may make this system a prime target? Eg. Databases, web services, Remote Access server (RDP, Citrix, etc)

• Is there a known or suspected Threat Actor?
• Are there any known or suspicious IPs that may be related to the attack (Attacker IP)?
• If actor is still believed to be on the network, does the client have an established out-of-band communications channel?

Topology Diagram or Overview

• While a complete topology is not required, it is important for us to understand the location of the firewall in reference to the impacted host(s). Diagram can be supplemented or replaced with concise written description of topology. 

Malware/IOC Data

• Samples
• Hashes

Data from your Firewall

Tech Support File(s)

• Generate and upload Tech Support files for devices in path to impacted devices at time of issue. 
• If Panorama is used to manage the device(s) collect TS file from this device also.
• How to generate a tech support file: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK

Firewall Logs

Export logs from the device starting 2 hours prior to the suspected attack for each category listed below (where enabled) based on IP address information and timestamp details outlined above. Before exporting any logs verify csv lines setting is set to its max value.

• How to Increase Max Rows: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaPCAS
• Basics of Traffic Monitor Filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK

Categories include:

• Data filtering
• Traffic
• Threat
• URL
• User-ID  (if lateral movement is suspected)
• Wildfire

Note: It is important to understand your deployments log retention policy as well as capacity so that no data is lost. Administrators may need to take additional actions such as exporting data from firewalls or other logging servers to assure continuity of data for the duration of the investigation.