Sessions and Submissions
Use firewall sessions and submissions to products such
as XDR and Prisma Cloud, in conjunction with Cortex XSOAR, to find
threats and protect your network.
The
Sessions & Submissions
tab
enables you to use your sessions and submissions data for investigation
and analysis. Sessions and submissions data is available for customers
with a TIM license and at least one of the following products:- Palo Alto Networks Firewall
- WildFire
- Cortex XDR
- Prisma SaaS
- Prisma Access
Sessions
refers to firewall sessions,
while Submissions
refers to logs of samples
reported to Wildfire from other Palo Alto Networks products. Sessions
data shows you connections from one endpoint to another, and submissions
data shows you if a file was found on a specific endpoint.With
Sessions & Submissions
data,
you can take steps to block external IP addresses that are the sources
of malicious files and threat campaigns. You can also find compromised
machines within your network, isolate them as needed, and take remediation
steps. For example, you can search for a file hash in the
Sessions
& Submissions
tab. If the file appeared in one or
more sessions or submissions, you can see when and where that occurred.
Firewall session data enables you to view the source IP and the
destination IP for each session that included the file. If you have
Cortex XDR, you can see which XDR agent(s) reported the file and
which computer(s) are affected.Known limitation: When searching on the
Sessions
& Submissions
page for relationships -relationships""
,
some results may appear without their specific relationships listed,
due to internal relationship permissions.(
Multi-tenant
) Sessions & Submissions
data
is not available for Multi-tenant deployments.Sessions & Submissions Search
You can use Unit 42 Intel data to build complex searches
for sessions and submissions with similar characteristics. From
within the
Session Summary
page, any of the
items listed in the Basic Information
, Sample
Information
, or Metadata
sections
can be used to create a new search for similar sessions and submissions.
For example, you can create a new search that includes a specific
destination IP and a specific file name that you found together
in a session.To build a new search, hover your cursor over the end of the
desired row. A drill-down button appears. When you click the button,
two search options are displayed.
- Add to Sessions & Submissions SearchAdds selected information to a Sessions & Submissions search. After choosingAdd to Sessions & Submissions search, a pop up appears at the bottom of the screen:Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms. If you click on the link, you go to theSessions & Submissionstab where you can edit or run your search for sessions and submissions that exhibited the same behavior. You can alsoAdd to Saved Queries. If you do not click the link, the popup will disappear and you can continue to add additional items to the search. To run the search without clicking on the popup link, go to theThreat Intelpage and click on theSessions & Submissionstab.
- Create New Sessions & Submissions SearchClears any search characteristics you have already added and starts a new Sessions & Submissions search with the selected characteristic(s). After choosing this option, a pop up appears at the bottom of the screen:Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms. If you click on the link, you go to theSessions & Submissionstab where you can edit or run your search for sessions and submissions that exhibited the same behavior. You can alsoAdd to Saved Queries. If you do not click the link, the popup will disappear and you can continue to add additional items to the search. To run the search without clicking on the popup link, go to theThreat Intelpage and click on theSessions & Submissionstab.
