Security Alert Overview
IoT Security uses multiple mechanisms to detect security issues and generate alerts. Every security alert that IoT Security generates is based on one of these mechanisms:
- Machine-learning algorithms that automatically learn normal device behavior and can, therefore, detect abnormal behavior.
- Detection of specific traffic patterns—without the use of machine-learning algorithms. For example, IoT Security generates alerts if devices connect to websites that site-reputation services have associated with malware.
- User-defined alert rules specifying activity that generates an alert when it is observed (to catch suspicious behavior), when it is not observed (to confirm that expected normal behavior is still occurring), or when a device or group of devices goes offline for two hours. (This period of time is not configurable.)
- Threats on an IoT device detected by a Palo Alto Networks next-generation firewall are reported to IoT Security in the threat log.
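The three user-defined rule kinds listed above (activity observed, activity not observed, device offline for two hours), shown as an added stand-alone example that is not IoT Security code: a small Python evaluator that applies such rules to constructed observation records. The rule format, device names, activity labels and the hypothetical functions `evaluate` and `fired_rule_names` are assumptions made for illustration; only the fixed two-hour offline period comes from the page.

```python
from datetime import datetime, timedelta

# Constructed observation records (not real IoT Security telemetry).
# Each record: (timestamp, device, activity label seen on the wire).
OBSERVATIONS = [
    ("2024-05-01 08:00", "cam-01", "rtsp-to-nvr"),
    ("2024-05-01 08:05", "cam-01", "rtsp-to-nvr"),
    ("2024-05-01 08:07", "cam-01", "ssh-outbound"),   # a camera should never do this
    ("2024-05-01 08:00", "hvac-02", "modbus-to-bms"),
    ("2024-05-01 08:30", "hvac-02", "modbus-to-bms"),  # last poll of the BMS
    ("2024-05-01 08:10", "phone-03", "sip-register"),  # the phone then goes silent
]

# Hypothetical rule definitions covering the three user-defined rule kinds.
RULES = [
    # Alert whenever the activity IS seen.
    {"name": "no-ssh-from-cameras", "kind": "observed",
     "devices": ["cam-01"], "activity": "ssh-outbound"},
    # Alert when the activity is NOT seen within the trailing window.
    {"name": "hvac-must-poll-bms", "kind": "not_observed",
     "devices": ["hvac-02"], "activity": "modbus-to-bms", "window": timedelta(hours=1)},
    # Alert when the device has sent nothing for two hours.
    {"name": "phones-offline", "kind": "offline", "devices": ["phone-03"]},
]

OFFLINE_AFTER = timedelta(hours=2)   # fixed, non-configurable period described on the page


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def evaluate(rules, observations, now_text):
    """Return (rule name, device, time, reason) tuples for rules that fire at now_text."""
    now = _ts(now_text)
    obs = [(_ts(t), dev, act) for t, dev, act in observations if _ts(t) <= now]
    last_seen = {}
    for t, dev, _ in obs:
        last_seen[dev] = max(last_seen.get(dev, t), t)

    alerts = []
    for rule in rules:
        for dev in rule["devices"]:
            if rule["kind"] == "observed":
                for t, d, act in obs:
                    if d == dev and act == rule["activity"]:
                        alerts.append((rule["name"], dev, t, "activity observed"))
            elif rule["kind"] == "not_observed":
                start = now - rule["window"]
                seen = any(d == dev and act == rule["activity"] and t >= start
                           for t, d, act in obs)
                if not seen:
                    alerts.append((rule["name"], dev, now,
                                   f"expected activity not seen in the last {rule['window']}"))
            elif rule["kind"] == "offline":
                seen_at = last_seen.get(dev)
                if seen_at is None or now - seen_at >= OFFLINE_AFTER:
                    alerts.append((rule["name"], dev, now, "no traffic for two hours"))
    return alerts


def fired_rule_names(now_text):
    """Sorted names of the rules that fire against the sample data at now_text."""
    return sorted(a[0] for a in evaluate(RULES, OBSERVATIONS, now_text))


if __name__ == "__main__":
    for when in ("2024-05-01 09:00", "2024-05-01 10:15"):
        for alert in evaluate(RULES, OBSERVATIONS, when):
            print(when, "->", alert)
```

Evaluated at 09:00 only the "observed" rule fires (the camera's SSH connection at 08:07). Evaluated at 10:15 all three fire: the BMS poll has been missing for longer than its one-hour window, and the phone has been silent for more than two hours.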
IoT Security examines network traffic in real time, analyzing
communications from and to every device on the network. It generates
alerts if it detects irregular behavior or activity matching a policy.
IoT Security generates alerts for IoT devices only. It does not provide alerts, vulnerability detection, policy recommendations, or network behavior analysis for IT devices. For IT devices, IoT Security provides device identification only.
The Alerts and Alert Details pages in the IoT Security portal
provide an overview of all generated alerts and detailed information
about individual alerts for analysis and follow-up. IoT Security
retains security alerts up to a maximum of one year.
Security Alerts Page
Security alerts pertain
to device settings and network behavior that indicate possible security
breaches:
- Unsecure device settings (example: devices using the default username and password)
- Suspicious behavior (example: excessive DNS lookup failures)
- Reconnaissance or exploits (examples: port sweeps and EternalBlue SMB exploit attempts)
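Two of the behavioral categories above (excessive DNS lookup failures and port sweeps), shown as an added stand-alone example that is not IoT Security code: sliding-window detectors in Python run over a constructed flow log. The record format, device names, thresholds, windows and the hypothetical functions `sample_log`, `parse`, `excessive_dns_failures` and `port_sweeps` are assumptions chosen for illustration, not the product's own logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_log():
    """Constructed flow records (not real telemetry). One record per line:
    '<ISO timestamp> <device> <dst_ip> <dst_port> <proto> <result>'."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Normal camera: a few successful lookups and RTSP streams to the NVR.
    for i in range(5):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} cam-01 10.0.0.53 53 udp dns-ok")
        lines.append(f"{(base + timedelta(seconds=30 * i + 5)).isoformat()} cam-01 10.0.5.10 554 tcp ok")
    # Printer that fails 40 lookups in two minutes (the "excessive DNS failures" case).
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} printer-07 10.0.0.53 53 udp dns-nxdomain")
    # Infusion pump touching TCP/445 on 30 hosts in one minute (the "port sweep" case).
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} pump-12 10.0.1.{i + 1} 445 tcp syn-only")
    return lines


def parse(line):
    ts, dev, ip, port, proto, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "dev": dev, "ip": ip,
            "port": int(port), "proto": proto, "result": result}


def _window_max(events, window, measure):
    """Slide `window` over time-sorted events; return the largest measure(slice) seen."""
    events.sort(key=lambda e: e[0])
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, measure(events[start:end + 1]))
    return best


def excessive_dns_failures(records, window=timedelta(minutes=5), threshold=20):
    """{device: failures} for devices with >= threshold NXDOMAIN answers inside any window."""
    fails = defaultdict(list)
    for r in records:
        if r["port"] == 53 and r["result"] == "dns-nxdomain":
            fails[r["dev"]].append((r["ts"],))
    alerts = {}
    for dev, events in fails.items():
        count = _window_max(events, window, len)
        if count >= threshold:
            alerts[dev] = count
    return alerts


def port_sweeps(records, window=timedelta(minutes=1), min_hosts=10):
    """{(device, port, proto): hosts} where one device hit the same port on
    >= min_hosts distinct hosts inside any window (a classic port sweep)."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["dev"], r["port"], r["proto"])].append((r["ts"], r["ip"]))
    alerts = {}
    for key, events in by_key.items():
        hosts = _window_max(events, window, lambda s: len({ip for _, ip in s}))
        if hosts >= min_hosts:
            alerts[key] = hosts
    return alerts


if __name__ == "__main__":
    records = [parse(line) for line in sample_log()]
    print("excessive DNS failures:", excessive_dns_failures(records))
    print("port sweeps:", port_sweeps(records))
```

The camera's handful of successful lookups and its repeated RTSP connections to a single host trip neither detector; the printer's burst of NXDOMAIN answers and the pump's one-port-many-hosts pattern each do. Thresholds and windows are the tuning knobs a real deployment would set per device category.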
The Security Alerts page (Alerts > Security Alerts) displays two information panels followed by a table of alerts serially with customizable pagination, columns, and column order. You can filter the information in the table through a dialog box accessed by clicking the Filter icon.
At
the top of the page are two information panels. Alert Summary shows
all the alerts matching the filters set for device category, time,
and response status (active alerts, resolved, assigned, unassigned,
and all). You have a choice to display them by response status or
by severity level. Alert Distribution breaks down the total number
of alerts by device category or alert type (alerts raised because
of a user policy or as a security risk).
At the bottom of the Security Alerts page is a table showing all alerts, or alert instances, organized by date up to the previous day, which is the last day for which IoT Security has a complete list of alerts. The status of an alert begins in the Detected state. You can leave it there or set it to a different state to reflect where it is in the remediation process:
- Detected: This is the state of a newly detected alert instance. It makes sense to keep it in this state if no action has been taken to investigate, remediate, or resolve it.
- Investigating: Consider setting an alert instance in this state after preliminary work on it has started and it’s being verified, researched, and its impact analyzed.
- Remediating: Consider setting an alert instance in this state while action is being taken to remediate it but has not yet completed.
- Resolved: An alert instance becomes resolved either by mitigating the issue or by ignoring and accepting it.
To
change the state of an alert instance, click the entry in the Status
column and choose another state. When you resolve it, IoT Security
prompts you to provide a reason for its resolution.
To assign an alert instance to someone to work on, select the check box for the instance, and then click More > Assign. Enter the username or email address of a user and then click Assign. The user then receives an email message stating that an alert was assigned to them and providing a link to it in the IoT Security portal for investigation. The person to whom you assign an alert instance must have an IoT Security user account so that IoT Security can send the message to the appropriate email address.
IoT Security provides an option for copying the details of an alert instance and creating a work order for use with an asset management system. Select the check box for an instance, and then click More > Copy Alert Information. Select the sections of the alert description that you want to include in the work order, add additional instructions or relevant information in the Information field, and then click Copy to copy the text in those sections.
Paste the copied content into the description field in your asset management console as you manually create a work order there. You can then copy the work order number from the asset management console, paste it back in the Work order field in the Create work order manually dialog box in IoT Security, and then click Save & Close.
To add a note about an alert instance or the work being done on it, select the check box for the instance, and then click More > Add notes. Enter the note and then click Add.
To see previously added notes and any previous status changes that were made to an alert instance, click or hover your cursor over the entry in the Last Action column for it. A historical record of the response to the instance appears in a pop-up window.
You
can set the number of rows you want to see on each page (from 5
to 200) and navigate among multiple pages.
Security Alert Details Page
Clicking the name of a security alert instance opens the Alert Details page.
The
Alert Details page is organized into three major sections. At the
top is information about the incident itself. The client is always
shown on the left, the server on the right, and a rightward pointing
arrow between the two—solid if they formed a connection, dashed
if a connection was only attempted. The protocol or protocols used
in the connection—or attempted connection—are listed below the arrow.
The device on which the alert was raised is shown inside a box color
coded to match the severity of the alert. In this way, you can easily
see device roles and where the alert occurred.

The client
on the left formed a UDP connection with the Avaya IP phone in the
server role on the right. The IP phone is the device that raised
the alert.
The blue icon next to a device name (arrow pointing
out of box) opens a new browser tab showing the Dynamic Topology
Viewer with that device in focus (see IoT Security Device Details Page). There
you can see how many other devices it communicates with and what
they are. This can be extremely useful when investigating a compromised
device because it can reveal the location of remote devices participating
in the attack and local devices that might be targets of further
attacks launched from the victim.
The reference links to a
Palo Alto Networks knowledge base article about the Conficker worm.

The Impact section explains
how the issue might impact the security of a user, device, or network.
(Not all alerts have an Impact section.) The Recommendation section
lists options for addressing the issue.
The second major section
on the Alert Details page examines the impacted device and summarizes
its security status.

You can
learn about the identity and activity of the impacted device, its
physical location (site), and its logical location on the network.
In the Current Behaviors diagram, hover your cursor over any of
the five small red circles or the information icon to see more information.
The Security section provides security-related information about
the device.
The third major section on the Alert Details page
shows a snapshot of the network traffic of the impacted device in
a Sankey diagram. The diagram includes the IP addresses of other
endpoints and the applications used in their communications. The
lines indicate various network connections. The ones in red represent
the connection involved in the high-severity alert.

If
a device has multiple alerts, all relevant lines are colored according
to the severity of each one.