Security Alert Overview

IoT Security uses multiple mechanisms for detecting security alerts.
All security alerts that IoT Security generates are based on one of these mechanisms:
  • Machine-learning algorithms that automatically learn normal device behavior and can, therefore, detect abnormal behavior.
  • Detection of specific traffic patterns—without the use of machine-learning algorithms. For example, IoT Security generates alerts if devices connect to websites that site-reputation services have associated with malware.
  • User-defined alert rules specifying activity that generates an alert when observed (blocking suspicious behavior), when not observed (allowing normal behavior), or when a device or group of devices goes offline for two hours (this period is not configurable).
  • Threats on an IoT device that a Palo Alto Networks next-generation firewall detects and reports to IoT Security in its threat log.
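The three kinds of user-defined rule above differ in what counts as a trigger: an activity being seen, an expected activity being absent, or a device going silent for the fixed two-hour window. The following is an added illustration, not IoT Security's own code or rule format, that evaluates all three kinds over a constructed set of device observations; device names, activity labels and the rule fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFLINE_WINDOW = timedelta(hours=2)  # the fixed, non-configurable period described above

@dataclass(frozen=True)
class Observation:  # one sighting of a device doing something (constructed schema)
    device: str
    ts: datetime
    activity: str

@dataclass(frozen=True)
class Rule:  # hypothetical rule shape; kind selects one of the three semantics
    name: str
    kind: str            # "when_observed" | "when_not_observed" | "offline"
    device: str
    activity: str = ""   # ignored for "offline" rules

def offline_at(sightings, window_start, window_end):
    """Time at which the device had been silent for OFFLINE_WINDOW, else None.
    A device never seen in the window is treated as silent from window_start."""
    points = sorted(sightings) or [window_start]
    points.append(window_end)
    for earlier, later in zip(points, points[1:]):
        if later - earlier >= OFFLINE_WINDOW:
            return earlier + OFFLINE_WINDOW
    return None

def evaluate(rules, observations, window_start, window_end):
    """Return (rule name, device, time) for every rule that fires in the window."""
    in_window = [o for o in observations if window_start <= o.ts <= window_end]
    alerts = []
    for rule in rules:
        on_device = [o for o in in_window if o.device == rule.device]
        matched = [o for o in on_device if o.activity == rule.activity]
        if rule.kind == "when_observed" and matched:        # block suspicious behavior
            alerts.append((rule.name, rule.device, min(o.ts for o in matched)))
        elif rule.kind == "when_not_observed" and not matched:  # expected behavior absent
            alerts.append((rule.name, rule.device, window_end))
        elif rule.kind == "offline":                          # silent for two hours
            when = offline_at([o.ts for o in on_device], window_start, window_end)
            if when is not None:
                alerts.append((rule.name, rule.device, when))
    return alerts

T0 = datetime(2024, 1, 1, 0, 0)          # constructed sample day
def h(hours): return T0 + timedelta(hours=hours)
SAMPLE_OBSERVATIONS = [                   # constructed, not real telemetry
    Observation("camera-7", h(1.25), "smb_to_internet"),
    Observation("hvac-2", h(0.5), "dns_query"),
    Observation("ip-phone-1", h(0), "sip_register"), Observation("ip-phone-1", h(0.5), "sip_register"),
    Observation("ip-phone-1", h(1), "sip_register"), Observation("ip-phone-1", h(3.5), "sip_register")]
SAMPLE_RULES = [Rule("camera SMB to internet", "when_observed", "camera-7", "smb_to_internet"),
                Rule("HVAC heartbeat missing", "when_not_observed", "hvac-2", "heartbeat"),
                Rule("IP phone offline", "offline", "ip-phone-1")]
def run_sample(): return evaluate(SAMPLE_RULES, SAMPLE_OBSERVATIONS, h(0), h(6))
```

In the sample, the phone's 2.5-hour gap after 01:00 raises the offline alert at 03:00, while the missing heartbeat is only reported at the end of the evaluation window, since absence can only be judged once the window closes.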
IoT Security examines network traffic in real time, analyzing communications from and to every device on the network. It generates alerts if it detects irregular behavior or activity matching a policy.
IoT Security generates alerts for IoT devices only. It does not provide alerts, vulnerability detection, policy recommendations, or network behavior analysis for IT devices. For IT devices, IoT Security provides device identification only.
The Alerts and Alert Details pages in the IoT Security portal provide an overview of all generated alerts and detailed information about individual alerts for analysis and follow-up. IoT Security retains security alerts up to a maximum of one year.

Security Alerts Page

Security alerts pertain to device settings and network behavior that indicate possible security breaches:
  • Unsecure device settings (example: devices using the default username and password)
  • Suspicious behavior (example: excessive DNS lookup failures)
  • Reconnaissance or exploits (examples: port sweeps and EternalBlue SMB exploit attempts)
The Security Alerts page (Alerts > Security Alerts) displays two information panels followed by a table of alerts with customizable pagination, columns, and column order. You can filter the information in the table through a dialog box accessed by clicking the Filter icon.

At the top of the page are two information panels. Alert Summary shows all the alerts matching the filters set for device category, time, and response status (active alerts, resolved, assigned, unassigned, and all). You have a choice to display them by response status or by severity level. Alert Distribution breaks down the total number of alerts by device category or alert type (alerts raised because of a user policy or as a security risk).
At the bottom of the Security Alerts page is a table showing all alerts, or alert instances, organized by date up to the previous day, which is the last day for which IoT Security has a complete list of alerts.
The status of an alert begins in the Detected state. You can leave it there or set it to a different state to reflect where it is in the remediation process:
  • Detected: This is the state of a newly detected alert instance. It makes sense to keep it in this state if no action has been taken to investigate, remediate, or resolve it.
  • Investigating: Consider setting an alert instance to this state after preliminary work on it has started and it is being verified and researched and its impact analyzed.
  • Remediating: Consider setting an alert instance to this state while action is being taken to remediate it but that work has not yet completed.
  • Resolved: An alert instance becomes resolved either by mitigating the issue or by ignoring and accepting it.
To change the state of an alert instance, click the entry in the Status column and choose another state. When you resolve it, IoT Security prompts you to provide a reason for its resolution.
To assign an alert instance to someone to work on, select the check box for the instance, and then click More > Assign. Enter the username or email address of a user and then click Assign. The user then receives an email message stating that an alert was assigned to him or her, with a link to it in the IoT Security portal for investigation.
The person to whom you assign an alert instance must have an IoT Security user account so that IoT Security can send the message to the appropriate email address.
IoT Security provides an option for copying the details of an alert instance and creating a work order for use with an asset management system. Select the check box for an instance, and then click More > Copy Alert Information. Select the sections of the alert description that you want to include in the work order, add additional instructions or relevant information in the Information field, and then click Copy to copy the text in those sections.
Paste the copied content into the description field in your asset management console as you manually create a work order there. You can then copy the work order number from the asset management console, paste it back into the Work order field in the Create work order manually dialog box in IoT Security, and then click Save & Close.
To add a note about an alert instance or the work being done on it, select the check box for the instance, and then click More > Add notes. Enter the note and then click Add.
To see previously added notes and any previous status changes that were made to an alert instance, click or hover your cursor over the entry in the Last Action column for it. A historical record of the response to the instance appears in a pop-up window.
You can set the number of rows you want to see on each page (from 5 to 200) and navigate among multiple pages.

Security Alert Details Page

Clicking the name of a security alert instance opens the Device Details page.
The Alert Details page is organized into three major sections. At the top is information about the incident itself. The client is always shown on the left, the server on the right, and a rightward pointing arrow between the two—solid if they formed a connection, dashed if a connection was only attempted. The protocol or protocols used in the connection—or attempted connection—are listed below the arrow. The device on which the alert was raised is shown inside a box color coded to match the severity of the alert. In this way, you can easily see device roles and where the alert occurred.
The client on the left formed a UDP connection with the Avaya IP phone in the server role on the right. The IP phone is the device that raised the alert.
The blue icon next to a device name (arrow pointing out of box) opens a new browser tab showing the Dynamic Topology Viewer with that device in focus (see IoT Security Device Details Page). There you can see how many other devices it communicates with and what they are. This can be extremely useful when investigating a compromised device because it can reveal the location of remote devices participating in the attack and local devices that might be targets of further attacks launched from the victim.
The reference links to a Palo Alto Networks knowledge base article about the Conficker worm.
The Impact section explains how the issue might impact the security of a user, device, or network. (Not all alerts have an Impact section.) The Recommendation section lists options for addressing the issue.
The second major section on the Alert Details page examines the impacted device and summarizes its security status.
You can learn about the identity and activity of the impacted device, its physical location (site), and its logical location on the network. In the Current Behaviors diagram, hover your cursor over any of the five small red circles or the information icon to see more information. The Security section provides security-related information about the device.
The third major section on the Alert Details page shows a snapshot of the network traffic of the impacted device in a Sankey diagram. The diagram includes the IP addresses of other endpoints and the applications used in their communications. The lines indicate various network connections. The ones in red represent the connection involved in the high-severity alert.
If a device has multiple alerts, all relevant lines are colored according to the severity of each one.