Act on Security Alerts
Respond to security alerts by taking action, assigning them for investigation, resolving them, and reactivating them.
After you learn about a security alert, one of the first steps is to read the details and confirm that the event that triggered it actually occurred, for example by checking the corresponding firewall event log entries. After confirming the alert, quickly assess its importance and urgency, identify the type of equipment affected, and then decide how to respond and with whom to engage. The responder might be IT security, clinical engineering, a third-party network security service provider, or the device vendor or manufacturer. Find the responsible party and contact them about the alert.
Take Action when a Security Alert Occurs
There are numerous ways to respond to a security alert. The action you take depends on the remediation requirements of the situation:
- If a device was infected by malware or a virus, disconnect it from the network immediately. If its continued use is essential, work with IT security to quarantine it from the rest of the network. You might need to modify firewall security policies to permit only the traffic the device absolutely requires to function and block everything else while you work on a resolution.
- The resolution might require a software patch, and sometimes you might have to get the equipment vendor involved to patch it. If you must continue using the equipment, enforce a strict zero-trust policy (allow only the explicitly required flows) until the patch is available.
- If an alert is generated by a security policy violation, you can send policy recommendations to the firewall so it only permits traffic resulting from normal device behavior.
- To assist in your analysis, IoT Security provides alert log files (in .csv and .log formats), which contain several days’ worth of network connections involving the device that triggered an alert. You can also download the network traffic data that IoT Security shows as a Sankey diagram and view it as an .xls spreadsheet.
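The quarantine and policy-tightening steps above come down to one question: which of the device's observed flows are its normal business, and which appeared only around the alert? The following Python script is an added example, not part of IoT Security or its documentation. It reads an exported connection log for the device and separates long-standing flows (allow-rule candidates) from flows first seen in the alert window (to keep blocked until someone explains them). The CSV column layout (timestamp, src_ip, dst_ip, dst_port, protocol), the device address and the sample rows are constructed assumptions, since the real export's layout is not described on this page; adapt parse_log() to the actual file.

```python
"""Derive a least-privilege allow-list for a quarantined device from an
exported connection log.

Added example, not part of IoT Security or its documentation. The column
layout (timestamp, src_ip, dst_ip, dst_port, protocol) and all sample rows
below are constructed assumptions; adapt parse_log() to the real export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

DEVICE_IP = "10.1.20.7"  # constructed: the device that triggered the alert

# Constructed sample export: four days of connections involving DEVICE_IP.
# The two 03-04T03:xx rows are outbound flows to a new external peer that
# appear only in the hours before the alert.
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,protocol
2024-03-01T08:00:00,10.1.20.7,10.1.5.10,104,tcp
2024-03-01T08:05:00,10.1.20.7,10.1.5.20,443,tcp
2024-03-01T09:00:00,10.1.9.3,10.1.20.7,22,tcp
2024-03-02T08:00:00,10.1.20.7,10.1.5.10,104,tcp
2024-03-02T08:05:00,10.1.20.7,10.1.5.20,443,tcp
2024-03-02T10:00:00,10.1.20.7,10.1.0.53,53,udp
2024-03-03T08:00:00,10.1.20.7,10.1.5.10,104,tcp
2024-03-04T03:12:00,10.1.20.7,203.0.113.45,4444,tcp
2024-03-04T03:13:00,10.1.20.7,203.0.113.45,8080,tcp
2024-03-04T08:00:00,10.1.20.7,10.1.5.10,104,tcp
2024-03-04T08:05:00,10.1.20.7,10.1.5.20,443,tcp
"""


def parse_log(text):
    """Parse the constructed CSV layout into a list of connection records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "src": r["src_ip"],
            "dst": r["dst_ip"],
            "port": int(r["dst_port"]),
            "proto": r["protocol"].lower(),
        })
    return rows


def flow_key(row, device_ip):
    """Describe a record as (direction, peer, port, proto) relative to the device."""
    if row["src"] == device_ip:
        return ("out", row["dst"], row["port"], row["proto"])
    return ("in", row["src"], row["port"], row["proto"])


def triage_flows(rows, device_ip, alert_time, baseline_days=3, min_days=2):
    """Split the device's flows into three buckets.

    allow  : first seen before the alert window and on at least min_days
             distinct days (stable, business-as-usual traffic)
    review : first seen before the window but only on a single day
    new    : first seen inside the window (the day before the alert onward);
             keep these blocked until someone explains them
    """
    if isinstance(alert_time, str):
        alert_time = datetime.fromisoformat(alert_time)
    window_start = alert_time - timedelta(days=1)
    baseline_start = window_start - timedelta(days=baseline_days)
    first_seen = {}
    days_seen = defaultdict(set)
    for r in rows:
        if device_ip not in (r["src"], r["dst"]) or r["ts"] < baseline_start:
            continue
        k = flow_key(r, device_ip)
        first_seen[k] = min(first_seen.get(k, r["ts"]), r["ts"])
        days_seen[k].add(r["ts"].date())
    buckets = {"allow": [], "review": [], "new": []}
    for k, t in first_seen.items():
        if t >= window_start:
            buckets["new"].append(k)
        elif len(days_seen[k]) >= min_days:
            buckets["allow"].append(k)
        else:
            buckets["review"].append(k)
    return {name: sorted(v) for name, v in buckets.items()}


def render_rules(allow, device_ip):
    """Render the allow bucket as plain policy lines for review, closing with
    an explicit deny so the device stays quarantined otherwise."""
    lines = []
    for direction, peer, port, proto in allow:
        if direction == "out":
            lines.append(f"allow {device_ip} -> {peer} {proto}/{port}")
        else:
            lines.append(f"allow {peer} -> {device_ip} {proto}/{port}")
    lines.append(f"deny {device_ip} <-> any")
    return lines


if __name__ == "__main__":
    result = triage_flows(parse_log(SAMPLE_LOG), DEVICE_IP, "2024-03-04T04:00:00")
    for name, flows in result.items():
        print(name, flows)
    print("\n".join(render_rules(result["allow"], DEVICE_IP)))
```

With the constructed data, the DICOM (tcp/104) and HTTPS peers land in the allow bucket, the one-off SSH login and DNS lookup land in review, and the two connections to 203.0.113.45 are flagged as new; the rendered policy ends in an explicit deny so anything not reviewed stays blocked.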
Assign and Track Security Alerts
From the Alerts and Alert Details pages, you can assign a security alert to one or more people for investigation. When you select an alert on the Alerts page, a set of actions appears at the top of the alerts table.

To assign an alert to someone to investigate, click Assign. Enter an email address and a comment, and then Submit.
If you assign an alert to an external user, that is, someone who doesn't have a Palo Alto Networks user account and can't log in to the IoT Security Portal, a PDF with the alert details is attached to the email.
You can also assign an alert occurrence to someone from the Alert Details page by clicking Action > Assign.
You can also add notes to an alert, which is a convenient way for you and your team to track the progress of investigations of high-level alerts. From the Alerts page, select an alert with a single occurrence and then click Add Notes. From the Alert Details page, click Action > Add Notes. The notes appear in the Alert Events list on the Alert Details page.

Resolve and Reactivate Security Alerts
You resolve a security alert either by accepting it or by addressing the issue in some way, perhaps by assigning it to a network security administrator to investigate and fix. The Resolve tool is also useful for showing how many alerts were resolved in weekly or monthly reports.
If you consider one or more alerts acceptable, such as one at a low severity level, you can resolve them, which moves them from the Active Alerts list to Resolved Alerts. It is not necessary to resolve each alert occurrence individually: select the check box next to the alert group names and then click Resolve at the top of the Alerts list. To resolve multiple alerts, set the alert type filter at the top of the page to Active Alerts. After clicking Resolve, the Resolve Alert dialog box appears. Select the reason for resolving it, add a comment, and then Submit.
If you later decide to reactivate an alert that was previously marked as resolved, select it and then click Mark as Active at the top of the Alerts list. To reactivate multiple alerts, set the alert type filter at the top of the page to Resolved Alerts.
Suppress Security Alerts
If IoT Security raises a security alert for an expected event, you can suppress future occurrences of the alert so no further resources need be expended on them. You can suppress future alert detections for just the device on which the alert was triggered or for all devices sharing the same device profile, category, or device type. You can suppress the alert indefinitely or for a limited length of time. In addition to suppressing future alert detections, you can also mark the current alert event as resolved. Choose the narrowest scope and the shortest duration that covers the expected activity: a profile-, category-, or type-wide rule also hides genuine occurrences of that alert on every other device in the group for as long as the rule is in force.
To suppress an alert, log in to IoT Security as a user with administrator or owner privileges and select Alerts > Security Alerts. Select an alert and then click More > Suppress.

You can select multiple alert instances if they are the same type of alert (with the same alert name). When different alert types are selected, the Suppress option becomes unavailable.

To suppress all future alert detections for just the device on which the alert was triggered, click Suppress, optionally add a comment and leave Resolve this alert selected, and then click Save.
To suppress future alert detections on additional devices as well as this particular device, expand Add more devices, choose one or more attributes in one or more of the Category, Profile, and Device Type fields, set the length of alert suppression, and then click Save. IoT Security will suppress future alerts occurring on devices matching any of the chosen attributes for the length of time specified.
After you create a suppression rule, it takes IoT Security approximately 30 minutes to apply it throughout the system to all the devices in your inventory. IoT Security also adds it to the rule table at Alerts > Alert Rules > Suppression Rules.

Clicking a rule name opens the Suppress Alerts configuration panel again, where you can view and edit its details. The Status column indicates one of two states. A rule is "In process" during the initial 30-minute application period after it has been created or modified. After that, the status changes to "Success", indicating that IoT Security has applied the rule to all the targeted devices in its inventory.
After you create a rule, you can always modify it to include additional devices. You can add devices singly to an existing rule or you can modify the rule to encompass a range of devices. In fact, IoT Security prompts you to do this whenever you are about to suppress an alert on a device and there is already a suppression rule for this type of alert that just doesn't apply to this particular device. It displays an information icon, which expands into a text pop-up when you hover your cursor over it.

To add just this device to the existing rule, optionally add a comment and leave Resolve this alert selected, and then click Save. To apply the suppression rule to this device and others like it, expand View targeted devices, modify the original rule to include the profile, category, or device type that would make it apply to this and similar devices, and then click Save.
To stop alert suppression, log in to IoT Security as a user with administrator or owner privileges and select Alerts > Alert Rules > Suppression Rules. Select one or more rows in the table and then click Release Suppression.
Because vulnerability scanners generate traffic that triggers lots of alerts, you most likely want to suppress alerts for them. To suppress alerts triggered by vulnerability scanner activity, create a list of scanner IP addresses and upload it to IoT Security. Click Administration > Scanners, click Add Scanners, and then download a CSV template. For each scanner, add its IP address and optionally its MAC address and a comment.

Upload the file to IoT Security. If IP addresses in the CSV file match those in the device inventory, IoT Security adds them to the scanner list and begins to suppress alerts for them. (It can take up to an hour after the upload for alert suppression to begin.) If IP addresses are new to IoT Security, it adds them to the scanner list and adds them to the inventory as scanners after detecting network traffic for them. If there are duplicate entries, IoT Security skips them during the upload process. Finally, if there is a mismatch between the IP-and-MAC-address pairing for an uploaded scanner and the pairing for a device in its inventory, IoT Security does not import that entry.
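A pre-flight check of the scanner list catches the rejected and skipped cases above before the upload, rather than discovering an hour later that suppression never started for a scanner. The following Python script is an added example, not part of IoT Security or its documentation. It mirrors the acceptance rules described on this page (duplicates skipped, unknown IPs accepted as new, IP/MAC pairs that contradict the inventory rejected) and emits a cleaned file containing only the rows that would be accepted. The column names ip, mac and comment, the inventory slice and the scanner rows are constructed assumptions (the real header comes from the template downloaded in the portal), and it treats two rows with the same IP address as duplicates.

```python
"""Pre-flight check of a scanner list before uploading it to IoT Security.

Added example, not part of the product or its documentation. The page says
each row carries an IP address, an optional MAC address and a comment; the
column names (ip, mac, comment) are an assumption, because the real header
comes from the template downloaded in the portal. INVENTORY and SCANNER_CSV
are constructed sample data.
"""
import csv
import io
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed slice of the device inventory: IP address -> MAC address.
INVENTORY = {
    "10.1.50.5": "00:11:22:33:44:55",
    "10.1.50.6": "00:11:22:33:44:66",
    "10.1.50.7": "00:11:22:33:44:77",
}

# Constructed scanner list an operator intends to upload, one case per row.
SCANNER_CSV = """ip,mac,comment
10.1.50.5,00:11:22:33:44:55,Nessus primary
10.1.50.6,,Nessus secondary (MAC not recorded)
10.1.50.7,AA:BB:CC:DD:EE:FF,stale MAC copied from an old asset sheet
10.1.50.5,00:11:22:33:44:55,duplicate of the first row
10.1.60.9,00:11:22:33:44:99,new scanner not yet in the inventory
10.1.50.300,,typo in the address
"""


def normalise_mac(mac):
    """Lower-case, colon-separated MAC, or None when the field is empty."""
    mac = (mac or "").strip().lower().replace("-", ":")
    return mac or None


def check_rows(csv_text, inventory):
    """Classify each row the way the upload would treat it.

    Returns a list of (outcome, row, detail) where outcome is one of:
      match     IP already in the inventory (MAC absent or identical)
      new       IP unknown to the inventory; added as a scanner once seen
      duplicate same IP already appeared earlier in the file (skipped)
      mismatch  IP is in the inventory but with a different MAC (rejected)
      invalid   malformed IP or MAC address; fix before uploading
    """
    seen = set()
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["ip"].strip()
        mac = normalise_mac(row.get("mac"))
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            results.append(("invalid", row, f"bad IP address {ip!r}"))
            continue
        if mac is not None and not MAC_RE.match(mac):
            results.append(("invalid", row, f"bad MAC address {mac!r}"))
            continue
        if ip in seen:
            results.append(("duplicate", row, f"{ip} already listed"))
            continue
        seen.add(ip)
        known = inventory.get(ip)
        if known is None:
            results.append(("new", row, f"{ip} not in inventory yet"))
        elif mac is not None and mac != known.lower():
            results.append(("mismatch", row,
                            f"{ip}: file says {mac}, inventory has {known}"))
        else:
            results.append(("match", row, f"{ip} matches inventory"))
    return results


def clean_csv(csv_text, inventory):
    """Return a CSV containing only the rows the upload would accept."""
    keep = [row for outcome, row, _ in check_rows(csv_text, inventory)
            if outcome in ("match", "new")]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "mac", "comment"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(keep)
    return buf.getvalue()


if __name__ == "__main__":
    for outcome, row, detail in check_rows(SCANNER_CSV, INVENTORY):
        print(f"{outcome:9} {detail}")
    print(clean_csv(SCANNER_CSV, INVENTORY))
```

The mismatch case is the one worth reviewing by hand rather than just dropping: a stale MAC in the asset sheet is harmless, but an inventory MAC that differs from the one the scanner team reports can also mean the address has been reassigned, in which case suppressing alerts for it would hide a different device.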
