Act on Security Alerts

Respond to security alerts by taking action, assigning them for investigation, resolving them, and reactivating them.
After you learn about a security alert, one of the first steps is to read the details and confirm that the event that triggered it actually occurred, possibly by checking firewall event log entries. After confirming the alert, you must quickly assess its importance and urgency, identify the type of equipment impacted, and then decide how to respond and with whom to engage. The responder might be IT security, clinical engineering, a third-party network security service provider, or perhaps the device vendor or manufacturer. Find the responsible party and contact them about the alert.

Take Action when a Security Alert Occurs

There are numerous ways to respond to a security alert. The action you take depends of the remediation requirements of the situation:
  • If a device was infected by malware or a virus, unplug the device immediately. If its continued use is essential, work with IT security to quarantine it from the rest of the network. You might need to modify firewall security policies to permit only traffic absolutely required for the device to function and block everything else while you work on a resolution.
  • The resolution might require a software patch, and sometimes you might have to get the equipment vendor involved to patch it. If you must continue using the equipment, enforce a strong zero-trust policy until the patch is available.
  • If an alert is generated by a security policy violation, you can send policy recommendations to the firewall so it only permits traffic resulting from normal device behavior.
  • To assist in your analysis, IoT Security provides alert log files (in .csv and .log formats), which contain several days’ worth of network connections involving the device that triggered an alert. You can also download the network traffic data that IoT Security shows as a Sankey diagram and view it as an .xls spreadsheet.

Assign and Track Security Alerts

From the Alerts and Alert Details pages, you can assign a security alert to one or more people for investigation. When you select an alert on the Alerts page, a set of actions appears at the top of the alerts table.
To assign an alert to someone to investigate, click
Assign
. Enter an email address and comment and then
Submit
.
If you assign an alert to an external user—that is, someone who doesn’t have a Palo Alto Networks user account and can’t log in to the IoT Security Portal—a PDF with alert details will be attached to the email.
You can also assign an alert occurrence to someone from the Alert Details page by clicking Action > Assign.
You can also add notes to an alert, which is a convenient way for you and your team to track the progress of investigations of high-level alerts. From the Alerts page, select an alert with a single occurrence and then
Add Notes
. From the Alert Details page, click
Action
Add Notes
. The notes appear in the Alert Events list on the Alert Details page.

Resolve and Reactivate Security Alerts

You resolve a security alert either by accepting it or by addressing the issue in some way, perhaps by assigning it to a network security administrator to investigate and fix.
The Resolve tool is useful for showing how many alerts got resolved in weekly or monthly reports.
If you consider one or more alerts acceptable, such as one at a low severity level, you can resolve them, which moves them from the Active Alerts list to Resolved Alerts. It is not necessary to resolve each alert occurrence individually. You can select the check box next to the alert group names and then click
Resolve
at the top of the Alerts list.
To resolve multiple alerts, set the alert type filter at the top of the page to
Active Alerts
.
After clicking
Resolve
, the Resolve Alert dialog box appears. Select the reason for resolving it, add a comment, and then
Submit
.
If you later decide to reactivate an alert that was previously marked as resolved, you can do so by selecting it and then clicking
Mark as Active
at the top of the Alerts list.
To reactivate multiple alerts, set the alert type filter at the top of the page to Resolved Alerts.

Suppress Security Alerts

If IoT Security raises a security alert for an expected event, you can suppress future occurrences of the alert so no further resources need be expended on them. You can suppress future alert detections for just the device on which the alert was triggered or for all devices sharing the same device profile, category, or device type. You can suppress the alert indefinitely or for a limited length of time. In addition to suppressing future alert detections, you can also mark the current alert event as resolved.
To suppress an alert, log in to IoT Security as a user with administrator or owner privileges and navigate to
Alerts
Security Alerts
. Select an alert and then click
More
Suppress
.
You can select multiple alert instances if they are the same type of alert (with the same alert name). When different alert types are selected, the Suppress option becomes unavailable.
To suppress all future alert detections for just the device on which the alert was triggered, click
Suppress
, optionally add a comment and leave
Resolve this alert
selected, and then click
Save
.
To suppress future alert detections on additional devices as well as this particular device, expand
Add more devices
, choose one or more attributes in one or more of the Category, Profile, and Device Type fields, set the length of alert suppression, and then click
Save
. IoT Security will suppress future alerts occurring on devices matching any of the chosen attributes for the length of time specified.
After you create a suppression rule, it takes IoT Security approximately 30 minutes to apply it throughout the system to all the devices in your inventory. IoT Security also adds it to the rule table at
Alerts
Alert Rules > Suppression Rules
.
Clicking a rule name open the "Suppress Alerts" configuration panel again where you can view and edit details. The Status column indicates two states. A rule is "In process" during the initial 30-minute application period after it’s been created or modified. After that, the status changes to "Success" indicating that IoT Security has applied the rule to all the targeted devices in its inventory.
After you create a rule, you can always modify it to include additional devices. You can add devices singly to an existing rule or you can modify the rule to encompass a range of devices. In fact, IoT Security prompts you to do this whenever you are about to suppress an alert on a device and there’s already a suppression rule for this type of alert but it just doesn’t apply to this particular device. It displays an information icon, which expands into a text pop-up when you hover your cursor over it.
To add just this device to the existing rule, optionally add a comment and leave
Resolve this alert
selected, and then click
Save
. To apply the suppression rule to this device and others like it, expand
View targeted devices
, modify the original rule to include the profile, category, or device type that would make it apply to this and similar devices, and then click
Save
.
To stop alert suppression, log in to IoT Security as a user with administrator or owner privileges and navigate to
Alerts
Alert Rules > Suppression Rules
. Select one or more rows in the table and then click
Release Suppression
.
Because vulnerability scanners generate traffic that triggers lots of alerts, you most likely want to suppress alerts for them. To suppress alerts triggered by vulnerability scanner activity, create a list of scanner IP addresses and upload it to IoT Security. Click
Administration
Scanners
, click
Add Scanners
, and then download a CSV template.
For each scanner, add its IP address and optionally its MAC address and a comment.
Upload the file to IoT Security. If IP addresses in the CSV file match those in the device inventory, IoT Security adds them to the scanner list and begins to suppress alerts for them. (It can take up to an hour after the upload for alert suppression to begin.) If IP addresses are new to IoT Security, it adds them to the scanner list and it adds them to the inventory as scanners after detecting network traffic for them. If there are duplicate entries, IoT Security skips them during the upload process. Finally, if there’s a mismatch between the IP-and-MAC-address pairing for an uploaded scanner and the pairing for a device in its inventory, IoT Security does not upload it.

Recommended For You