Hostname stitching in NGFW alerts

Created On 05/15/25 22:05 PM - Last Modified 05/16/25 18:59 PM


Symptom


  • The customer wanted to know how hostnames are attributed in NGFW alerts
  • NGFW Traffic logs do not have a Hostname field
  • Scenario 1 - Some alerts display no hostname
  • Scenario 2 - Some alerts display the hostname with a warning "!"


Environment


  • Cortex XDR
  • Cortex XSIAM
  • Next Generation Firewall (NGFW)

 



Cause


Because the NGFW logs do not contain hostname details, the alert stitches this information from a number of different sources.

 

Scenario 1 - The alert displays no hostname; the Hostname field is empty.

 

Example of an NGFW alert displaying an empty Hostname field even though a Host IP is identified

 

When querying information about this IP address, there are no sources that correlate the IP address to a hostname.

 

Scenario 2 - The alert displays the hostname with a warning "!"

 

Below is an example of log stitching done via the Cortex agent.

 

If the NGFW was able to stitch the logs from an asset with an agent installed, it will show "Hostname inferred from Agent log based on previous IP connections"
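As an added illustration (not Palo Alto Networks code, and not a description of how Cortex XDR/XSIAM implements stitching internally), the Python sketch below models the two scenarios above: an NGFW alert carries only a source IP, so the hostname is looked up from agent records that previously reported that IP. When no agent record correlates the IP, the Hostname field stays empty (Scenario 1); when one does, the most recent record that is not newer than the alert is used and the result is flagged with the inferred-from-agent note (Scenario 2). The field names, the sample agent and NGFW records, and the one-day lookback window are all assumptions made for this example.

```python
"""Added example (not Palo Alto Networks code): a minimal model of stitching a
hostname onto an NGFW alert from an agent's previous IP connections.
Field names, sample records and the lookback window are assumptions."""
from datetime import datetime, timedelta

# Constructed sample agent log: each record means "the agent on HOSTNAME
# reported using IP at TIME". Field names are assumed for this example.
AGENT_LOGS = [
    {"hostname": "LAPTOP-ALICE", "ip": "10.1.1.25", "time": "2025-05-15T09:00:00"},
    {"hostname": "LAPTOP-ALICE", "ip": "10.1.1.25", "time": "2025-05-15T13:30:00"},
    {"hostname": "WS-BOB",       "ip": "10.1.1.40", "time": "2025-05-15T08:15:00"},
    {"hostname": "WS-BOB",       "ip": "10.1.1.25", "time": "2025-05-14T17:00:00"},  # IP later reused by LAPTOP-ALICE
]

# Constructed sample NGFW alerts: traffic logs carry IPs but no hostname field.
NGFW_ALERTS = [
    {"alert_id": 1, "src_ip": "10.1.1.25", "time": "2025-05-15T14:05:00"},
    {"alert_id": 2, "src_ip": "10.1.1.40", "time": "2025-05-15T10:00:00"},
    {"alert_id": 3, "src_ip": "10.1.1.99", "time": "2025-05-15T11:00:00"},  # no agent on this host
    {"alert_id": 4, "src_ip": "10.1.1.25", "time": "2025-05-14T18:00:00"},  # before LAPTOP-ALICE held the IP
]

# Text shown on the alert when the hostname came from agent history (from the article).
INFERRED_NOTE = "Hostname inferred from Agent log based on previous IP connections"
# Assumed lookback window: agent records older than this are not trusted for the IP.
MAX_AGE = timedelta(days=1)


def _parse(ts):
    return datetime.fromisoformat(ts)


def stitch_hostname(alert, agent_logs, max_age=MAX_AGE):
    """Return (hostname, note) for one alert.

    Uses the most recent agent record for the alert's source IP that is not
    newer than the alert and not older than max_age, so a reused IP resolves
    to whichever host held it at alert time. Returns ("", "") when no source
    correlates the IP (Scenario 1); otherwise the hostname plus the inferred
    note that the alert shows with the "!" warning (Scenario 2).
    """
    alert_time = _parse(alert["time"])
    candidates = [
        r for r in agent_logs
        if r["ip"] == alert["src_ip"]
        and _parse(r["time"]) <= alert_time
        and alert_time - _parse(r["time"]) <= max_age
    ]
    if not candidates:
        return "", ""
    best = max(candidates, key=lambda r: _parse(r["time"]))
    return best["hostname"], INFERRED_NOTE


def stitch_all(alerts, agent_logs):
    """Return copies of the alerts with hostname and hostname_note fields added."""
    out = []
    for a in alerts:
        hostname, note = stitch_hostname(a, agent_logs)
        out.append({**a, "hostname": hostname, "hostname_note": note})
    return out


if __name__ == "__main__":
    for row in stitch_all(NGFW_ALERTS, AGENT_LOGS):
        flag = " !" if row["hostname_note"] else ""
        print(f'alert {row["alert_id"]} {row["src_ip"]:<10} -> "{row["hostname"]}"{flag}')
```

Alert 3 comes back with an empty hostname because no agent ever reported 10.1.1.99, which is the Scenario 1 case; alert 4 resolves to WS-BOB rather than LAPTOP-ALICE because only records dated before the alert are considered, which is why a hostname inferred from earlier IP connections is shown with a warning rather than as a confirmed attribution.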

 
