Sessions and Submissions

Use firewall sessions and submissions to products such as XDR and Prisma Cloud, in conjunction with Cortex XSOAR, to find threats and protect your network.
The Sessions & Submissions tab enables you to use your sessions and submissions data for investigation and analysis. Sessions and submissions data is available for customers with a TIM license and at least one of the following products:
  • Palo Alto Networks Firewall
  • WildFire
  • Cortex XDR
  • Prisma SaaS
  • Prisma Access
Sessions refers to firewall sessions, while Submissions refers to logs of samples reported to WildFire from other Palo Alto Networks products. Sessions data shows you connections from one endpoint to another, and submissions data shows you if a file was found on a specific endpoint.
With Sessions & Submissions data, you can take steps to block external IP addresses that are the sources of malicious files and threat campaigns. You can also find compromised machines within your network, isolate them as needed, and take remediation steps.
For example, you can search for a file hash in the Sessions & Submissions tab. If the file appeared in one or more sessions or submissions, you can see when and where that occurred. Firewall session data enables you to view the source IP and the destination IP for each session that included the file. If you have Cortex XDR, you can see which XDR agent(s) reported the file and which computer(s) are affected.
Known limitation: When searching on the Sessions & Submissions page for relationships -relationships"", some results may appear without their specific relationships listed, due to internal relationship permissions.
(Multi-tenant) Sessions & Submissions data is not available for Multi-tenant deployments.

Sessions & Submissions Search

You can use Unit 42 Intel data to build complex searches for sessions and submissions with similar characteristics. From within the Session Summary page, any of the items listed in the Basic Information, Sample Information, or Metadata sections can be used to create a new search for similar sessions and submissions. For example, you can create a new search that includes a specific destination IP and a specific file name that you found together in a session.
To build a new search, hover your cursor over the end of the desired row. A drill-down button appears. When you click the button, two search options are displayed.
  • Add to Sessions & Submissions Search
    Adds selected information to a Sessions & Submissions search. After choosing Add to Sessions & Submissions search, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms". If you click the link, you go to the Sessions & Submissions tab, where you can edit or run your search for sessions and submissions that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue to add items to the search. To run the search without clicking the pop-up link, go to the Threat Intel page and click the Sessions & Submissions tab.
  • Create New Sessions & Submissions Search
    Clears any search characteristics you have already added and starts a new Sessions & Submissions search with the selected characteristic(s). After choosing this option, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms". If you click the link, you go to the Sessions & Submissions tab, where you can edit or run your search for sessions and submissions that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue to add items to the search. To run the search without clicking the pop-up link, go to the Threat Intel page and click the Sessions & Submissions tab.
