
Prasad Digraskar

Solution Architect

Security Reports SOP

SecurView System Pvt Ltd


Amar Apex 1st floor, Baner Road, Pune
www.securview.com
Contents
1. Manage Reporting
1.1. Report Types
1.1.1. Predefined Reports
1.1.1.1. Application Reports
1.1.1.2. SaaS Application Usage Report
1.1.1.3. Traffic Reports
1.1.1.4. URL Filtering Reports
1.1.2. User or Group Activity Reports
1.1.3. Custom Reports
1.1.4. Botnet Reports
1.1.5. PDF Summary Reports
1.2. Disable Predefined Reports

Palo Alto Security Reports v.1.0
1. Manage Reporting
The reporting capabilities on the firewall let you keep a pulse on your network, validate your
policies, and focus your effort on the parts of network security that keep your users safe and
productive.
Configuring the firewall and enabling security policies and profiles is only half the job; you
also need evidence that those controls are doing what you intended. Scheduled reports give you
that evidence without constantly reading logs and hunting for anomalies, so you can move on to
other tasks with a clear picture of what is happening on your network.

1.1. Report Types


The firewall includes predefined reports that you can use as-is, custom reports that you build
to show specific data and drive specific actions, and combinations of the two. The firewall
provides the following types of reports:
Predefined Reports —Give a quick summary of the traffic on your network. A suite of predefined
reports is available in four categories: Applications, Traffic, Threat, and URL Filtering.
User or Group Activity Reports —Let you schedule, or create on demand, a report on the
application use and URL activity of a specific user or user group. The report includes the URL
categories visited and an estimated browse time for individual users.
Custom Reports —Create and schedule reports that show exactly the information you want by
choosing the columns to include and filtering on conditions. A query builder lets you drill
down further into the report data.
PDF Summary Reports —Aggregate up to 18 predefined or custom reports/graphs from the Threat,
Application, Trend, Traffic, and URL Filtering categories into one PDF document.
Botnet Reports —Use behavior-based mechanisms to identify hosts in the network that may be
botnet-infected.
Report Groups —Combine custom and predefined reports into a report group and compile them into
a single PDF that is emailed to one or more recipients.
Reports can be generated on demand or on a recurring schedule, and scheduled reports can be
delivered by email.

1.1.1. Predefined Reports

The firewall provides an assortment of over 40 predefined reports that it generates every day.
You can view these reports directly on the firewall. You can also view custom reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can’t configure this
limit but you can Configure the Report Expiration Period: the firewall will automatically delete
reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it
automatically deletes older reports to create space even if you don’t set an expiration period.
Another way to conserve system resources on the firewall is to Disable Predefined Reports. For
long-term retention of reports, you can export the reports or Schedule Reports for Email Delivery.
The reports are grouped into sections (types) on the right-hand side of the page: Custom
Reports, Application Reports, Traffic Reports, Threat Reports, URL Filtering Reports, and PDF
Summary Reports.
To view Reports:
Select Monitor > Reports

To view the reports, click the report names on the right (Custom Reports, Application Reports, Traffic
Reports, Threat Reports, URL Filtering Reports, and PDF Summary Reports). Note that Custom Reports
won't be listed if you haven't created any.

By default, all reports are displayed for the previous calendar day. To view reports for an earlier
day, select a report generation date from the date drop-down list at the bottom right of the page.

The reports are listed in sections, and each report shows its data for the selected day. To export a
report in CSV format, click Export to CSV; to open it as a PDF, click Export to PDF.
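The export buttons cover one report at a time, by hand. For the long-term retention that section 1.1.1 recommends (the firewall only keeps about 200 MB of reports), a small script can pull the daily predefined reports over the PAN-OS XML API and archive them as CSV. The following is an added example written for this SOP; it is not SecurView or Palo Alto Networks code. It assumes the XML API request form type=report&reporttype=predefined&reportname=<name> and the X-PAN-KEY header (PAN-OS 9.0 and later). The response it parses is a constructed sample, and its entry fields (risk, nsess, nbytes) are assumed rather than copied from a real firewall, which is why the parser reads <entry> children generically.

```python
"""Pull a daily predefined report from a PAN-OS firewall over the XML API and
flatten it to CSV for long-term retention.

Added example for this SOP; not SecurView or Palo Alto Networks code.
Assumed: the XML API form /api/?type=report&reporttype=predefined&reportname=<name>
and the X-PAN-KEY header (PAN-OS 9.0 and later). SAMPLE_RESPONSE below is a
CONSTRUCTED response; its entry fields (risk, nsess, nbytes) are assumed, so
parse_report() reads <entry> children generically instead of hard-coding them.
"""
import csv
import io
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_report_url(host: str, reportname: str, reporttype: str = "predefined", **extra) -> str:
    """Build the report request URL. The API key is deliberately NOT a query
    parameter: it goes in the X-PAN-KEY header so it stays out of proxy and
    web-server logs."""
    params = {"type": "report", "reporttype": reporttype, "reportname": reportname}
    params.update(extra)  # e.g. period="last-24-hrs", topn=50 for dynamic reports
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)


def parse_report(xml_text: str):
    """Return (report_name, rows) from a type=report response.
    Raises ValueError on status="error" so a failed pull never silently
    produces an empty CSV that looks like 'no traffic today'."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown error"
        raise ValueError(f"API error: {msg.strip()}")
    report = root.find("./result/report")
    if report is None:
        raise ValueError("response has no <report> element")
    rows = [{child.tag: (child.text or "").strip() for child in entry}
            for entry in report.findall("entry")]
    return report.get("name", ""), rows


def rows_to_csv(rows) -> str:
    """CSV text with columns in first-seen order (the union across rows)."""
    columns = []
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def fetch_report(host: str, api_key: str, reportname: str, cafile=None):
    """Live fetch (not exercised offline). TLS verification stays on; for a
    firewall with a self-signed management certificate pass its CA in cafile
    rather than disabling verification."""
    req = urllib.request.Request(build_report_url(host, reportname),
                                 headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_report(resp.read().decode("utf-8"))


# CONSTRUCTED sample response (shape and field names assumed, not a real capture)
SAMPLE_RESPONSE = """<response status="success"><result>
<report name="top-applications" logtype="appstat" start="2024-05-01 00:00:00" end="2024-05-01 23:59:59">
  <entry><name>dns</name><risk>4</risk><nsess>48210</nsess><nbytes>9831022</nbytes></entry>
  <entry><name>ssl</name><risk>4</risk><nsess>20311</nsess><nbytes>5137718842</nbytes></entry>
  <entry><name>web-browsing</name><risk>4</risk><nsess>17450</nsess><nbytes>2211035541</nbytes></entry>
</report></result></response>"""

# CONSTRUCTED error response, e.g. a revoked or mistyped API key
SAMPLE_ERROR = """<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>"""

if __name__ == "__main__":
    name, rows = parse_report(SAMPLE_RESPONSE)
    print(f"# {name}: {len(rows)} rows")
    print(rows_to_csv(rows), end="")
```

Run it as-is to see the CSV produced from the constructed sample; to archive real reports, call fetch_report() once per report name from a scheduled job and write each result to a dated file. Generate the API key for a dedicated admin account whose role profile grants only the Report permission under XML API, so a leaked key cannot change configuration or read raw logs.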

1.1.1.1. Application Reports:
The Application reports show the top applications by session count, the top denied applications,
and the top application categories by session count. To view an Application report, select Monitor
> Reports and, under the Application Reports section, choose one of the reports. Reports are
available on Applications, Application Categories, Technology Categories, HTTP Applications, SaaS
Application Usage, and Denied Applications.

1.1.1.2. SaaS Application Usage Report


The SaaS Application Usage report enables you to assess and subsequently mitigate the risks to your
enterprise's data when taking advantage of SaaS applications. The report will also help you assess risks to
the security of your enterprise network, such as the delivery of malware through SaaS applications
adopted by your users.

Use the report to gain visibility into the SaaS application traffic that is running on your network. The report
identifies the application name and subcategory of each SaaS application and details the number of
sessions and bytes for each application on the selected date. In addition, the report identifies the number
of threats detected in each of the applications.

To investigate any suspicious traffic, click the application name or category to view more details in
the Application Command Center.

1.1.1.3. Traffic Reports:
The Traffic reports show the security rules, sources, destinations, and countries with the most
sessions.

1.1.1.4. URL Filtering Reports:


To view the default URL filtering reports, select Monitor > Reports and under the URL Filtering
Reports section, choose one of the reports. You can generate reports on URL Categories, URL users, Web
Sites accessed, Blocked Categories, and more. The reports are based on a 24-hour period and the day is
selected by choosing a day in the calendar section. You can also export the report to PDF, CSV, or XML.

1.1.2. User or Group Activity Reports
User/Group Activity reports summarize the web activity of individual users or user groups. Both reports
include the same information except for the Browsing Summary by URL Category and Browse time
calculations, which only the User Activity report includes.
You must configure User-ID on the firewall to access the list of users and user groups.
To generate a User or Group Activity Report, follow this procedure:

1. Select Monitor > PDF Reports > User Activity Report.

2. Click Add and then enter a Name for the report.
3. Create the report:
   - User Activity Report—Select User and enter the Username or IP address (IPv4 or IPv6) of
     the user.
   - Group Activity Report—Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5. Optionally, select the Include Detailed Browsing check box (default is cleared) to include detailed
URL logs in the report. The detailed browsing information can include a large volume of logs
(thousands of logs) for the selected user or user group and can make the report very large.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can’t save the output of User/Group Activity
reports on the firewall.

1.1.3. Custom Reports

To generate custom reports, follow this procedure:

1. Select Monitor > Manage Custom Reports.


2. Click Add and then enter a Name for the report. To base a report on a predefined template,
click Load Template and choose the template. You can then edit the template and save it as a
custom report.
3. Select the Database to use for the report.
a. You'll notice there are two groups to choose from, summary and detailed, each containing
similar types of logs. The Summary Databases are optimized databases that collect
summarized data from the log files every 15 minutes, every hour, every day, and every
week, allowing reports to be created quickly. The Detailed Logs allow you to crawl the log
files in search of very specific data, but take longer to generate.

b. A difference between the Summary and Detailed URL database, for example, is that the
Summary Database can report which categories and domains were accessed x number of
times, while the Detailed Log can report exact URLs accessed from a certain source. For
most reports, we recommend using the Summary Databases.

4. After selecting the database to create your report, enable the schedule and set a timeframe. An
unscheduled report can be run only manually, but allows smaller timeframes, while a scheduled
report, which generates and stores reports historically, can be configured to automatically email
a daily, weekly or monthly report.

5. If you'd like to look at some sample reports, you can Load a Report Template from the
predefined reports, which you can then customize. Start by loading the Top Applications
template:

6. The Selected Columns and Database are automatically loaded from the template, you
need only to change the Name and Time Frame.

7. If you click the Run Now button, a sample report is generated.

8. If you head back to the Report Settings, you can add more detail to the report by adding
the 'Threats' column, changing 'Sort By' to Threats, and grouping the data by Day.

9. You can also use the Query Builder to tune the report a little further. If you want to filter out
DNS and port mapper from the report, you can create a filter for application not equal to DNS
and port mapper.

The report will now no longer contain these applications.

10. If you go ahead and click OK and Commit, the report is added to the scheduled report jobs
that run every night, and its output becomes available in the custom reports viewer.
11. After you've created a few of these reports, you can add them to a report group.

12. The report group can then be added to an Email Scheduler so it is automatically mailed to
you and your coworkers.
13. If you haven't created an Email Server Profile before, create one under Device > Server
Profiles > Email and reference it from the Email Scheduler.

14. You can send a test email to make sure your configuration is working as expected before
committing and waiting for the first report to appear.
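To make the filter-then-aggregate behaviour of steps 6 to 9 concrete, here is an added example written for this SOP (not SecurView or Palo Alto Networks code). It runs a Query Builder-style filter over constructed application-summary rows, groups them by day, sums sessions and threats, sorts by threats and keeps the top N, which is the same shape as the custom report built above. The textual filter form (app neq dns) and (app neq portmapper) is modelled on the PAN-OS log filter syntax and the App-ID name portmapper is assumed; the rows are constructed, not a firewall export.

```python
"""Miniature of the custom-report pipeline in 1.1.3: apply a Query Builder
filter, group the summary rows by day, sum sessions and threats, sort by
threats and keep the top N per day.

Added example for this SOP; not SecurView or Palo Alto Networks code.
Assumed: the textual filter form '(app neq dns) and (app neq portmapper)',
modelled on the PAN-OS log filter syntax, and the App-ID name 'portmapper'.
SAMPLE_RECORDS are CONSTRUCTED application-summary rows, not a real export.
"""
import re
from collections import defaultdict

# parentheses are their own tokens; everything else is a run of non-space, non-paren chars
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse_query(text: str):
    """Compile a filter into a predicate over one record (a dict).
    Grammar ('and' binds tighter than 'or', as in the PAN-OS filter bar):
        expr    := andexpr ('or' andexpr)*
        andexpr := term ('and' term)*
        term    := '(' expr ')' | attr ('eq'|'neq') value
    """
    tokens = _TOKEN.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, parse_and())
        return left

    def parse_and():
        left = parse_term()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, parse_term())
        return left

    def parse_term():
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        attr, op, value = take(), take(), take().strip("'\"")
        if op == "eq":
            return lambda rec: str(rec.get(attr)) == value
        if op == "neq":
            return lambda rec: str(rec.get(attr)) != value
        raise ValueError(f"unsupported operator {op!r}")

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return pred


def run_report(records, query: str, group_by: str = "day", sort_by: str = "threats", top_n: int = 5):
    """Return {group: [{app, sessions, threats}, ...]} after filter -> aggregate -> sort -> top N."""
    keep = parse_query(query)
    totals = defaultdict(lambda: {"sessions": 0, "threats": 0})
    for rec in records:
        if keep(rec):
            t = totals[(rec[group_by], rec["app"])]
            t["sessions"] += rec["sessions"]
            t["threats"] += rec["threats"]
    grouped = defaultdict(list)
    for (grp, app), t in totals.items():
        grouped[grp].append({"app": app, **t})
    return {grp: sorted(rows, key=lambda r: (-r[sort_by], r["app"]))[:top_n]
            for grp, rows in sorted(grouped.items(), key=lambda kv: kv[0])}


# CONSTRUCTED summary rows: several 15-minute slices per day, as the Summary Database would hold
SAMPLE_RECORDS = [
    {"day": "2024-05-01", "app": "dns", "sessions": 30000, "threats": 0},
    {"day": "2024-05-01", "app": "portmapper", "sessions": 900, "threats": 0},
    {"day": "2024-05-01", "app": "web-browsing", "sessions": 8200, "threats": 14},
    {"day": "2024-05-01", "app": "ssl", "sessions": 12000, "threats": 2},
    {"day": "2024-05-01", "app": "smtp", "sessions": 400, "threats": 9},
    {"day": "2024-05-01", "app": "web-browsing", "sessions": 7100, "threats": 21},
    {"day": "2024-05-02", "app": "dns", "sessions": 28000, "threats": 0},
    {"day": "2024-05-02", "app": "ssl", "sessions": 13000, "threats": 0},
    {"day": "2024-05-02", "app": "web-browsing", "sessions": 9000, "threats": 3},
    {"day": "2024-05-02", "app": "ftp", "sessions": 50, "threats": 6},
]
QUERY = "(app neq dns) and (app neq portmapper)"  # step 9: drop DNS and port mapper

if __name__ == "__main__":
    for day, rows in run_report(SAMPLE_RECORDS, QUERY).items():
        print(day)
        for r in rows:
            print(f"  {r['app']:14} sessions={r['sessions']:6} threats={r['threats']}")
```

Sorting by threats rather than sessions is what surfaces a low-volume application with many threat hits (smtp and ftp in the sample) that a top-applications view would bury under DNS and SSL; that is the point of step 8.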

1.1.4. Botnet Reports
The Botnet report uses heuristic and behavior-based mechanisms to identify hosts in your
network that may be infected with malware or enrolled in a botnet. To evaluate botnet activity,
the firewall correlates user and network activity in the Threat, URL Filtering, and Data
Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers,
and domains registered within the last 30 days. You can configure the report to identify hosts
that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC)
servers or that used unknown applications. Malware often uses dynamic DNS to evade IP-based
blocklists, and IRC servers are a long-standing channel for bot command and control.
Configure a Botnet Report
You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet
reports every 24 hours because behavior-based detection requires correlating traffic across
multiple logs over that timeframe.
1. Define the types of traffic that indicate possible botnet activity.
   - Select Monitor > Botnet and click Configuration on the right side of the page.

   - Enable and define the Count for each type of HTTP Traffic that the report will
     include.

     The Count values represent the minimum number of events of each traffic type
     that must occur for the report to list the associated host with a higher confidence
     score (higher likelihood of botnet infection). If the number of events is less than
     the Count, the report will display a lower confidence score or (for certain traffic
     types) won't display an entry for the host. For example, if you set the Count to
     three for Malware URL visit, then hosts that visit three or more known malware
     URLs will have higher scores than hosts that visit fewer than three.
   - Define the thresholds that determine whether the report will include hosts
     associated with traffic involving Unknown TCP or Unknown UDP applications.
   - Select the IRC check box to include traffic involving IRC servers.
   - Click OK to save the report configuration.
2. Schedule the report or run it on demand.
   - Click Report Setting on the right side of the page.
   - Select a time interval for the report in the Test Run Time Frame drop-down.
   - Select the No. of Rows to include in the report.
   - (Optional) Add queries to the Query Builder to filter the report output by
     attributes such as source/destination IP addresses, users, or zones.
   - Select Scheduled to run the report daily or click Run Now to run the report
     immediately.
   - Click OK and Commit.

Interpret Botnet Report Output


The botnet report displays a line for each host that is associated with traffic you defined as
suspicious when configuring the report. For each host, the report displays a confidence score of
1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The
scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high,
and 5 is critical. The firewall bases the scores on:
Traffic type —Certain HTTP traffic types are more likely to involve botnet activity. For example,
the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that
browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
Number of events —Hosts that are associated with a higher number of suspicious events will
have higher confidence scores based on the thresholds ( Count values) you define when
you Configure a Botnet Report.
Executable downloads —The report assigns a higher confidence to hosts that download
executable files. Executable files are a part of many infections and, when combined with the
other types of suspicious traffic, can help you prioritize your investigations of compromised
hosts.

When reviewing the report output, you might find that the sources the firewall uses to evaluate
botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find
that these sources identify traffic that you consider safe.
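To show how the inputs described above (traffic type, event count against the configured Count, executable downloads, the unknown-application thresholds and the IRC toggle) combine into a 1 to 5 confidence score, here is an added example written for this SOP. It is not Palo Alto Networks' scoring algorithm, which this document does not disclose: the weights, the score bands and the per-host events are assumed and constructed. Its value is in showing why tuning Count matters: the same host moves between bands as the thresholds change, and hosts below every threshold disappear from the output entirely, which is exactly where the source gaps and false positives mentioned above have to be checked by hand.

```python
"""Illustrative behaviour-based host scoring in the spirit of the Botnet
report: correlate per-host suspicious events, compare each traffic type
against its configured Count, and fold in executable downloads.

Added example for this SOP; it is NOT Palo Alto Networks' scoring algorithm,
which this SOP does not disclose. The weights, the 1..5 score bands and
SAMPLE_EVENTS are assumed/constructed. What it does reproduce is the SOP's
three stated inputs: traffic type, number of events versus Count, and
executable downloads, plus the unknown-tcp/udp thresholds and the IRC toggle.
"""
from collections import Counter, defaultdict

# HTTP traffic types from Monitor > Botnet > Configuration, with an ASSUMED
# relative weight: a known-malware URL visit outranks browsing to a bare IP.
TRAFFIC_WEIGHT = {"malware-url": 4, "dynamic-dns": 3, "recent-domain": 2, "ip-domain": 1}
IRC_WEIGHT = 2            # assumed
UNKNOWN_APP_WEIGHT = 1    # assumed, applied once the session threshold is met
EXECUTABLE_BONUS = 1      # assumed, any executable download

DEFAULT_COUNTS = {"malware-url": 3, "dynamic-dns": 3, "recent-domain": 3, "ip-domain": 10}
DEFAULT_UNKNOWN = {"unknown-tcp": 20, "unknown-udp": 20}   # sessions per host


def to_confidence(points: float) -> int:
    """Map accumulated points onto the report's 1..5 scale (bands assumed):
    5 critical, 4 high, 3 medium, 2 low, 1 informational."""
    for score, floor in ((5, 6.0), (4, 4.0), (3, 2.5), (2, 1.0)):
        if points >= floor:
            return score
    return 1


def score_hosts(events, counts=None, unknown_thresholds=None, include_irc=True):
    """events: iterable of {'src': host, 'type': traffic type}.
    Returns {host: {'score': 1..5, 'points': float, 'evidence': Counter}} for
    every host that accumulated any evidence; hosts with none are omitted,
    as the report omits them."""
    counts = counts or DEFAULT_COUNTS
    unknown_thresholds = unknown_thresholds or DEFAULT_UNKNOWN
    per_host = defaultdict(Counter)
    for e in events:
        per_host[e["src"]][e["type"]] += 1

    results = {}
    for host, ev in per_host.items():
        points = 0.0
        for ttype, weight in TRAFFIC_WEIGHT.items():
            n = ev[ttype]
            if n == 0:
                continue
            # at or above Count: full weight; below it: still listed, but at
            # reduced confidence (the SOP says some types drop out entirely
            # below Count; this model keeps them at half weight instead)
            points += weight if n >= counts[ttype] else weight / 2
        for app, threshold in unknown_thresholds.items():
            if ev[app] >= threshold:
                points += UNKNOWN_APP_WEIGHT
        if include_irc and ev["irc"]:
            points += IRC_WEIGHT
        if ev["exe-download"]:
            points += EXECUTABLE_BONUS
        if points > 0:
            results[host] = {"score": to_confidence(points), "points": points, "evidence": ev}
    return results


def prioritize(results):
    """Hosts ordered for investigation: highest score first, then most points."""
    return sorted(results, key=lambda h: (-results[h]["score"], -results[h]["points"], h))


def _mk(src, ttype, n):
    return [{"src": src, "type": ttype} for _ in range(n)]


# CONSTRUCTED sample: one day of correlated events for five internal hosts
SAMPLE_EVENTS = (
    _mk("10.1.1.7", "malware-url", 4) + _mk("10.1.1.7", "dynamic-dns", 2) + _mk("10.1.1.7", "exe-download", 1)
    + _mk("10.1.1.23", "ip-domain", 12)
    + _mk("10.1.1.50", "ip-domain", 1)
    + _mk("10.1.1.99", "unknown-tcp", 25) + _mk("10.1.1.99", "irc", 3)
    + _mk("10.1.1.5", "unknown-udp", 15)          # below threshold: not listed
)

if __name__ == "__main__":
    res = score_hosts(SAMPLE_EVENTS)
    for host in prioritize(res):
        r = res[host]
        print(f"{host:12} score={r['score']} points={r['points']:.1f} {dict(r['evidence'])}")
```

Raising the ip-domain Count from 10 to 20 drops 10.1.1.23 from low to informational, and clearing the IRC check box drops 10.1.1.99 from medium to low; when you tune the thresholds on a real firewall, re-run the report and confirm that the hosts you already know are compromised keep their scores.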

1.1.5. PDF Summary Reports


PDF summary reports contain information compiled from existing reports, based on data for the
top 5 in each category (instead of top 50). They also contain trend charts that are not available
in other reports.
1. Set up a PDF Summary Report.
   - Select Monitor > PDF Reports > Manage PDF Summary.
   - Click Add and then enter a Name for the report.
   - Use the drop-down for each report group and select one or more of the elements
     to design the PDF Summary Report. You can include a maximum of 18 report
     elements.
   - Click OK to save the report.

2. To download and view the PDF Summary Report:
   - Select Monitor > Reports > PDF Summary Report.

1.2. Disable Predefined Reports

In some scenarios it is desirable to disable the predefined reports on a Palo Alto Networks
device. Each predefined report is generated nightly and adds management plane (MP) CPU load,
which matters on a device that is already busy. Another reason is that you have configured
custom reports that cover what you need, making the predefined ones redundant.
In PAN-OS a firewall administrator can disable all predefined reports, or only specific ones,
while leaving custom reports and report groups untouched. Before disabling a report, check
whether a PDF Summary Report or report group includes it, since a report that is no longer
generated has no data to contribute to them.
Steps to disable predefined reports

On the web UI:

1. Go to Device > Setup > Management on the firewall

2. Select Logging and Reporting Settings and go to the Log Export and Reporting tab
3. Under Pre-Defined Reports, uncheck the reports that are not needed, or choose Deselect All
to stop all predefined report generation
4. Commit the changes
