Device Security
Legacy IoT Security
Respond to security alerts by taking action, assigning them for investigation, resolving them, and reactivating them in the Device Security portal.

Take Action when a Security Alert Occurs
There are numerous ways to respond to a security alert. The action you take depends on the remediation requirements of the situation:
- If a device was infected by malware or a virus, unplug the device immediately. If its continued use is essential, work with IT security to quarantine it from the rest of the network. You might need to modify firewall security policies to permit only traffic absolutely required for the device to function and block everything else while you work on a resolution.
- The resolution might require a software patch, and sometimes you might have to get the equipment vendor involved to patch it. If you must continue using the equipment, enforce a strong zero-trust policy until the patch is available.
- If an alert is generated by a security policy violation, you can send policy recommendations to the firewall so it only permits traffic resulting from normal device behavior.
- To assist in your analysis, Device Security provides alert log files (in .csv and .log formats), which contain several days' worth of network connections involving the device that triggered an alert. You can also download the network traffic data that Device Security shows as a Sankey diagram and view it as an .xls spreadsheet.

Assign and Track Security Alerts
From the Alerts and Alert Details pages, you can assign a security alert to one or more people for investigation. When you select an alert on Alerts > Security Alerts > All Alerts, a set of actions appears at the top of the alerts table.
To assign an alert to someone to investigate, click More > Assign. Enter an email address and comment and then click Assign.
If you assign an alert to an external user—that is, someone who doesn't have a Palo Alto Networks user account and can't log in to the Device Security Portal—a PDF with alert details will be attached to the email.
You can also assign an alert occurrence to someone from the Alert Details page (Alerts > Security Alerts > All Alerts > alert_title) by clicking Action > Assign.
You can also add notes to an alert, which is a convenient way for you and your team to track the progress of investigations of high-level alerts. From the Alerts page, select an alert and then click More > Add notes. From the Alert Details page, click Action > Add Notes. The notes appear in the Alert Events list on the Alert Details page.

Resolve and Reactivate Security Alerts
If you consider an alert acceptable, or if you address an alert, you may choose to resolve the alert. An alert may be acceptable if it has a low severity level, or the alert may be addressed if you assign it to a network security administrator to investigate and fix. In either case, resolving an alert means you no longer consider the alert a security risk. The alert disappears from devices' risk score details, thereby reducing the device risk scores.

While you can resolve individual security alert occurrences, you can also resolve security alert groups. Select the check box next to the alert group names and then click Resolve at the top of the Alerts list.

After clicking Resolve, the Resolve Alert dialog box appears. Select the reason for resolving the security alert. If you choose No Action Needed, you can select one or more of the pre-defined reasons. If you select any of the pre-defined reasons for why no action is needed, those reasons will appear in the Alert Events history description, but they do not impact your deployment. To finish resolving the alert, enter a comment to include in the Alert Events history, and then click Resolve.

The Resolve tool is useful for showing how many alerts got resolved in weekly or monthly reports. The Alert Overview page also displays the number of resolved alerts and the alerts trend based on your time filter. You can view resolved alerts in the Alerts list by filtering for Resolved alerts.

To reactivate one or more alerts that were previously resolved, set the filter above the Alerts list to Resolved, select the alerts, and then click Unresolve. In the Change Status dialog box, enter a comment and then click Change.

When you reactivate an alert, the alert reappears in devices' risk score details. A reactivated alert can increase a device's risk score.

Suppress Security Alerts
If Device Security raises a security alert for an expected event, you can suppress future occurrences of the alert so no further resources need be expended on them. You can suppress future alert detections for just the device on which the alert was triggered or for all devices sharing the same device profile, category, or device type. You can suppress the alert indefinitely or for a limited length of time. In addition to suppressing future alert detections, you can also mark the current alert event as resolved.
To suppress an alert, log in to Device Security as a user with administrator or owner privileges and select Alerts > Security Alerts > All Alerts. Select the alert that you want to suppress and then click More > Suppress Alerts.
You can select multiple alert instances if they are the same type of alert (with the same alert name). When different alert types are selected, the Suppress option becomes unavailable.
To suppress all future alert detections for the device or devices on which the alert was triggered, add a comment, leave Resolve this alert selected, and then click Save.
To suppress future alert detections on additional devices as well as this particular device, expand Add more devices, choose one or more attributes in one or more of the Tag, Category, Profile, and Device Type fields, set the length of alert suppression, add a comment, and then click Save. Cortex XSOAR will suppress future alerts occurring on devices matching any of the chosen attributes for the length of time specified.
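The matching rules described above (one alert name per rule, the triggering device plus any device matching any chosen Tag/Category/Profile/Device Type attribute, optional time limit, and the same-alert-name restriction on multi-select) modelled as an added example; this is illustrative code, not the Device Security portal's own logic, and the field names, alert name and device attributes are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed model of a suppression rule; the field names are this example's
# own, not the Device Security portal's schema.
@dataclass
class SuppressionRule:
    alert_name: str                                # one rule covers one alert type
    device_ids: set = field(default_factory=set)   # device(s) the alert fired on
    tags: set = field(default_factory=set)         # "Add more devices" attributes
    categories: set = field(default_factory=set)
    profiles: set = field(default_factory=set)
    device_types: set = field(default_factory=set)
    expires_at: Optional[datetime] = None          # None = suppress indefinitely

@dataclass
class Device:
    device_id: str
    tags: set
    category: str
    profile: str
    device_type: str

def can_suppress_together(alert_names):
    """Suppress is only offered when every selected alert has the same name."""
    return len(set(alert_names)) == 1

def rule_targets(rule, device):
    """Targeted if the device triggered the alert or matches ANY chosen attribute."""
    return (device.device_id in rule.device_ids
            or bool(rule.tags & device.tags)
            or device.category in rule.categories
            or device.profile in rule.profiles
            or device.device_type in rule.device_types)

def is_suppressed(rule, alert_name, device, now):
    """True if this rule drops `alert_name` for `device` at time `now`."""
    if alert_name != rule.alert_name:
        return False                # different alert type: the rule never applies
    if rule.expires_at is not None and now >= rule.expires_at:
        return False                # a time-limited rule has lapsed
    return rule_targets(rule, device)
# Constructed sample data: a rule created for one camera, then widened to its profile.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=8)     # after the rule's 7-day window
RULE = SuppressionRule("example-alert", device_ids={"dev-1"},
                       profiles={"IP Camera"}, expires_at=NOW + timedelta(days=7))
CAMERA = Device("dev-2", set(), "Camera", "IP Camera", "Camera")
PRINTER = Device("dev-3", set(), "Printer", "Office Printer", "Printer")
```

Note that the expiry check runs before the attribute match, so a lapsed rule lets the alert through even for the device it was originally created on.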
After you create a suppression rule, it takes Device Security approximately 30 minutes to apply it throughout the system to all the devices in your inventory. Device Security also adds it to the rule table at Alerts > Security Alerts > Suppression Rules.
Clicking a rule name opens the Suppress Alert configuration panel where you can view and edit details. The Status column indicates two states. A rule is "In process" during the initial 30-minute application period after it's been created or modified. After that, the status changes to "Success" indicating that Device Security has applied the rule to all the targeted devices in its inventory.
After you create a rule, you can always modify it to include additional devices by modifying the rule to encompass a wider range of devices. In fact, Device Security prompts you to do this whenever you are about to suppress an alert on a device and there's already a suppression rule for this type of alert but it just doesn't apply to this particular device. It displays an information icon, which expands into a pop-up message when you hover your cursor over it.
To add just this device to the existing rule, optionally add a comment and leave Resolve this alert selected, and then click Save. To apply the suppression rule to this device and others like it, expand View targeted devices, modify the original rule to include the profile, category, or device type that would make it apply to this and similar devices, and then click Save.
To stop alert suppression, log in to Device Security as a user with administrator or owner privileges and select Alerts > Security Alerts > Suppression Rules. Select one or more rows in the table and then click Release Suppression.
Because vulnerability scanners generate traffic that triggers lots of alerts, you most likely want to suppress alerts for them. If you integrated Device Security through Cortex XSOAR with Qualys, Rapid7, or Tenable vulnerability scanners, Device Security automatically imports the names and IP addresses of all scan engines, and the names of all sites and vulnerability scan templates from the integrated product, and adds them to the list of scanners on Settings > Scanners. The Source column indicates that a scanner was automatically imported by displaying the integration product name: Qualys, Rapid7, or Tenable. If you don't want to automatically import this information to the scanners list, disable Automatically Synchronize Scanners with IoT Security in one of the following Cortex XSOAR jobs, depending on which integration you're using: PANW IoT Get Qualys Scanners and Profiles, PANW IoT Get Rapid7 Scanners and Profiles, or PANW IoT Get Tenable Scanners and Profiles. Disabling this setting doesn't automatically remove previously imported scanners from the list in the Device Security portal. You must remove them manually by selecting them in the list, clicking Remove from Scanner List, and then clicking Continue at the prompt.
If you want to suppress alerts triggered by vulnerability scanners that are on your network but not integrated with Device Security, create a list of scanner IP addresses and upload it to Device Security. Click Settings > Scanners, click Add Scanners, and then download a CSV template.
For each scanner, add its IP address and optionally its MAC address and a comment.
Upload the file to Device Security. If IP addresses in the CSV file match those in the device inventory, Device Security adds them to the scanner list and begins to suppress alerts for them. (It can take up to an hour after the upload for alert suppression to begin.) The Source column in the Scanners table indicates that a scanner was manually uploaded by displaying User. If IP addresses are new to Device Security, it adds them to the scanner list and it adds them to the inventory as scanners after detecting network traffic for them. If there are duplicate entries, Device Security skips them during the upload process. Finally, if there's a mismatch between the IP-and-MAC-address pairing for an uploaded scanner and the pairing for a device in its inventory, Device Security does not upload it.
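The four upload outcomes described above (matched, new, duplicate skipped, IP/MAC mismatch rejected) worked through on a constructed scanner CSV, as an added example that is not Device Security's own code; the CSV column names, the inventory contents and the order in which duplicates are checked are this example's assumptions, since the page does not show the template's headers.

```python
import csv
import io

# Constructed inventory (IP -> MAC) standing in for what Device Security already
# knows; the CSV column names below are this example's assumption, since the
# page does not show the template's headers.
INVENTORY = {
    "10.0.0.5": "00:11:22:33:44:55",
    "10.0.0.6": "00:11:22:33:44:66",
    "10.0.0.7": "00:11:22:33:44:77",
}

# Constructed upload covering each outcome the documentation describes.
SCANNER_CSV = """ip,mac,comment
10.0.0.5,00:11:22:33:44:55,scan engine in DC1
10.0.0.6,,scan console (MAC omitted)
10.0.0.5,00:11:22:33:44:55,duplicate row
10.0.0.7,aa:bb:cc:dd:ee:ff,MAC does not match inventory
10.0.0.99,,not yet seen on the network
"""

def classify_scanner_upload(csv_text, inventory):
    """Sort each CSV row into the outcome the upload rules give it.

    matched:            IP already in inventory (MAC absent or agreeing)
    new:                IP unknown; listed now, inventoried once traffic is seen
    skipped_duplicate:  IP repeated within the upload (checked first; assumption)
    rejected_mismatch:  IP known but the supplied MAC disagrees with inventory
    """
    outcome = {"matched": [], "new": [], "skipped_duplicate": [], "rejected_mismatch": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["ip"].strip()
        mac = row["mac"].strip().lower() or None
        if ip in seen:
            outcome["skipped_duplicate"].append(ip)
            continue
        seen.add(ip)
        known_mac = inventory.get(ip)
        if known_mac is None:
            outcome["new"].append(ip)
        elif mac is not None and mac != known_mac.lower():
            outcome["rejected_mismatch"].append(ip)
        else:
            outcome["matched"].append(ip)
    return outcome
```

Running the classifier before uploading lets you catch mismatched MAC rows in your own list, since the portal silently leaves them out rather than reporting which rows were rejected.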