Act on Security Alerts

Respond to security alerts by taking action, assigning them for investigation, resolving them, and reactivating them.
After you learn about a security alert, one of the first steps is to read the details and confirm that the event that triggered it actually occurred, possibly by checking firewall event log entries. After confirming the alert, you must quickly assess its importance and urgency, identify the type of equipment impacted, and then decide how to respond and with whom to engage. The responder might be IT security, clinical engineering, a third-party network security service provider, or perhaps the device vendor or manufacturer. Find the responsible party and contact them about the alert.

Take Action when a Security Alert Occurs

There are numerous ways to respond to a security alert. The action you take depends on the remediation requirements of the situation:
  • If a device was infected by malware or a virus, unplug the device immediately. If its continued use is essential, work with IT security to quarantine it from the rest of the network. You might need to modify firewall security policies to permit only traffic absolutely required for the device to function and block everything else while you work on a resolution.
  • The resolution might require a software patch, and sometimes you might have to get the equipment vendor involved to patch it. If you must continue using the equipment, enforce a strong zero-trust policy until the patch is available.
  • If an alert is generated by a security policy violation, you can send policy recommendations to the firewall so it only permits traffic resulting from normal device behavior.
  • To assist in your analysis, IoT Security provides alert log files (in .csv and .log formats), which contain several days’ worth of network connections involving the device that triggered an alert. You can also download the network traffic data that IoT Security shows as a Sankey diagram and view it as an .xls spreadsheet.

Assign and Track Security Alerts

From the Alerts and Alert Details pages, you can assign a security alert to one or more people for investigation. When you select an alert on Alerts > Security Alerts > All Alerts, a set of actions appears at the top of the alerts table.
To assign an alert to someone to investigate, click More > Assign. Enter an email address and a comment, and then click Assign.
If you assign an alert to an external user—that is, someone who doesn’t have a Palo Alto Networks user account and can’t log in to the IoT Security Portal—a PDF with alert details will be attached to the email.
You can also assign an alert occurrence to someone from the Alert Details page (Alerts > Security Alerts > All Alerts > alert_title) by clicking Action > Assign.
You can also add notes to an alert, which is a convenient way for you and your team to track the progress of investigations of high-level alerts. From the Alerts page, select an alert and then click More > Add notes. From the Alert Details page, click Action > Add Notes. The notes appear in the Alert Events list on the Alert Details page.

Resolve and Reactivate Security Alerts

You resolve a security alert either by accepting it or by addressing the issue in some way, perhaps by assigning it to a network security administrator to investigate and fix.
The Resolve tool is useful for showing how many alerts got resolved in weekly or monthly reports.
If you consider one or more alerts acceptable, such as one at a low severity level, you can resolve them. It is not necessary to resolve each alert occurrence individually. You can select the check box next to the alert group names and then click Resolve at the top of the Alerts list.
After clicking Resolve, the Resolve Alert dialog box appears. Select the reason for resolving it, add a comment, and then click Resolve.
If you later decide to reactivate one or more alerts that were previously marked as resolved, you can do so by setting the filter above the Alerts list to Resolved, selecting the alerts, and then clicking Unresolve. In the Change Status dialog box, enter a comment and then click Change.

Suppress Security Alerts

If IoT Security raises a security alert for an expected event, you can suppress future occurrences of the alert so no further resources need be expended on them. You can suppress future alert detections for just the device on which the alert was triggered or for all devices sharing the same device profile, category, or device type. You can suppress the alert indefinitely or for a limited length of time. In addition to suppressing future alert detections, you can also mark the current alert event as resolved.
To suppress an alert, log in to IoT Security as a user with administrator or owner privileges and select Alerts > Security Alerts > All Alerts. Select the alert that you want to suppress and then click More > Suppress Alerts.
You can select multiple alert instances if they are the same type of alert (with the same alert name). When different alert types are selected, the Suppress option becomes unavailable.
To suppress all future alert detections for the device or devices on which the alert was triggered, add a comment, leave Resolve this alert selected, and then click Save.
To suppress future alert detections on additional devices as well as this particular device, expand Suppression Rule, choose one or more attributes in one or more of the Tag, Category, Profile, and Device Type fields, set the length of alert suppression, add a comment, and then click Save. Cortex XSOAR will suppress future alerts occurring on devices matching any of the chosen attributes for the length of time specified.
After you create a suppression rule, it takes IoT Security approximately 30 minutes to apply it throughout the system to all the devices in your inventory. IoT Security also adds it to the rule table at Alerts > Security Alerts > Suppression Rules.
Clicking a rule name opens the Suppress Alert configuration panel where you can view and edit details. The Status column indicates two states. A rule is "In process" during the initial 30-minute application period after it’s been created or modified. After that, the status changes to "Success", indicating that IoT Security has applied the rule to all the targeted devices in its inventory.
After you create a rule, you can always modify it to encompass a wider range of devices. In fact, IoT Security prompts you to do this whenever you are about to suppress an alert on a device and there’s already a suppression rule for this type of alert that just doesn’t apply to this particular device. It displays an information icon, which expands into a pop-up message when you hover your cursor over it.
To add just this device to the existing rule, optionally add a comment, leave Resolve this alert selected, and then click Save. To apply the suppression rule to this device and others like it, expand View targeted devices, modify the original rule to include the profile, category, or device type that would make it apply to this and similar devices, and then click Save.
To stop alert suppression, log in to IoT Security as a user with administrator or owner privileges and select Alerts > Security Alerts > Suppression Rules. Select one or more rows in the table and then click Release Suppression.
Because vulnerability scanners generate traffic that triggers lots of alerts, you most likely want to suppress alerts for them. If you have an IoT Security Third-party Integrations Add-on license or a full-featured Cortex XSOAR server, you might have integrated IoT Security through Cortex XSOAR with Qualys, Rapid7, or Tenable vulnerability scanners. If so, IoT Security automatically imports the names and IP addresses of all scan engines, and the names of all sites and vulnerability scan templates from the integrated product and adds them to the list of scanners on Settings > Scanners. The Source column indicates that a scanner was automatically imported by displaying the integration product name: Qualys, Rapid7, or Tenable. If you don't want to automatically import this information to the scanners list, disable Automatically Synchronize Scanners with IoT Security in one of the following Cortex XSOAR jobs, depending on which integration you're using: PANW IoT Get Qualys Scanners and Profiles, PANW IoT Get Rapid7 Scanners and Profiles, or PANW IoT Get Tenable Scanners and Profiles. Disabling this setting doesn't automatically remove previously imported scanners from the list in the IoT Security portal. You must remove them manually by selecting them in the list, clicking Remove from Scanner List, and then clicking Continue at the prompt.
If you want to suppress alerts triggered by vulnerability scanners that are on your network but not integrated with IoT Security, create a list of scanner IP addresses and upload it to IoT Security. Click Settings > Scanners, click Add Scanners, and then download a CSV template.
For each scanner, add its IP address and optionally its MAC address and a comment.
Upload the file to IoT Security. If IP addresses in the CSV file match those in the device inventory, IoT Security adds them to the scanner list and begins to suppress alerts for them. (It can take up to an hour after the upload for alert suppression to begin.) The Source column in the Scanners table indicates that a scanner was manually uploaded by displaying User. If IP addresses are new to IoT Security, it adds them to the scanner list and it adds them to the inventory as scanners after detecting network traffic for them. If there are duplicate entries, IoT Security skips them during the upload process. Finally, if there’s a mismatch between the IP-and-MAC-address pairing for an uploaded scanner and the pairing for a device in its inventory, IoT Security does not upload it.
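The four upload outcomes described above (inventory match, new address, duplicate entry, IP-and-MAC mismatch) can be checked before the file leaves your workstation, so that a rejected row does not silently leave a scanner unsuppressed. The following is an added example, not Palo Alto Networks code and not the portal's own validation logic. It assumes CSV column names ip, mac and comment, which the page does not specify (the real template's header names may differ), and the device inventory it checks against is a constructed mapping of IP address to MAC address.

```python
"""Pre-check a scanner-list CSV against a copy of the device inventory.

Added example (not Palo Alto Networks code). Assumptions: the CSV header is
ip,mac,comment and the inventory is a dict of IP -> MAC (None when the MAC is
unknown). The outcome per row mirrors the documented upload behaviour:
  added    - IP matches the inventory and the MAC (if given) agrees
  pending  - IP is new; it joins the inventory once traffic is seen
  skipped  - duplicate IP within the same file
  rejected - IP/MAC pairing conflicts with the inventory, or the row is malformed
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample inventory: IP -> MAC (None = MAC not known to inventory).
SAMPLE_INVENTORY = {
    "10.0.5.20": "00:50:56:aa:bb:01",
    "10.0.5.21": None,
    "10.0.5.22": "00:50:56:aa:bb:03",
}

# Constructed sample upload; assumed column names ip,mac,comment.
SAMPLE_CSV = """ip,mac,comment
10.0.5.20,00:50:56:AA:BB:01,Qualys scan engine
10.0.5.21,,Rapid7 scan engine (MAC unknown)
10.0.5.22,00:50:56:aa:bb:99,typo in MAC address
10.0.5.20,00:50:56:aa:bb:01,duplicate row
10.0.9.9,,new scanner not yet seen on the network
300.1.1.1,,not a valid IPv4 address
"""


def normalize_mac(mac):
    """Return the MAC in lowercase colon form, or None for an empty field.

    Accepts 00:50:56:AA:BB:01, 00-50-56-aa-bb-01 and 005056aabb01 so that a
    formatting difference is not mistaken for an IP/MAC mismatch.
    """
    if not mac:
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_scanners(csv_text, inventory):
    """Return one (ip, outcome, reason) tuple per CSV row, in file order."""
    results = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip_raw = (row.get("ip") or "").strip()
        try:
            ip = str(ipaddress.ip_address(ip_raw))
        except ValueError:
            results.append((ip_raw, "rejected", "invalid IP address"))
            continue
        try:
            mac = normalize_mac((row.get("mac") or "").strip())
        except ValueError as exc:
            results.append((ip, "rejected", str(exc)))
            continue
        if ip in seen:
            results.append((ip, "skipped", "duplicate entry in file"))
            continue
        seen.add(ip)
        if ip not in inventory:
            results.append((ip, "pending", "new to inventory; becomes a scanner once traffic is seen"))
            continue
        inv_mac = inventory[ip]
        if mac and inv_mac and mac != inv_mac:
            results.append((ip, "rejected", f"MAC {mac} conflicts with inventory MAC {inv_mac}"))
        else:
            results.append((ip, "added", "matches device inventory; suppression will begin"))
    return results


def summarize(results):
    """Count rows per outcome, e.g. {'added': 2, 'rejected': 2, ...}."""
    return dict(Counter(outcome for _, outcome, _ in results))


if __name__ == "__main__":
    rows = classify_scanners(SAMPLE_CSV, SAMPLE_INVENTORY)
    for ip, outcome, reason in rows:
        print(f"{ip:<12} {outcome:<9} {reason}")
    print(summarize(rows))
```

Rows marked rejected or skipped are the ones to fix in the CSV before uploading; a pending row is not an error, but alert suppression for that scanner will not start until IoT Security has seen its traffic and added it to the inventory.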
