I'm looking to output feeds to a format that I can ingest in some log analysis tools, and need to output fields that I have defined in miners. Is there any information on how to access that data and output it?
Regulatory Technology (RegTech) is increasingly used as a tool to help organisations automate compliance with regulatory requirements, but Palo Alto Networks believes that they should be aware of how it will affect cybersecurity and the implications for business operations.
In an environment where both Terminal Services (TS) Agent and User Identification (User-ID) Agent are used to ascertain which users are logged on to certain systems, some precautions need to be taken to prevent incorrect mapping of users, mainly regarding the terminal servers, where multiple users can be logged on
This week's Tips and Tricks is going to be brief. I've already covered the ACC in previous articles (linked at the bottom) but there are 3 common support questions I would like to highlight. Question: How does the ACC work? – where does it gather the data from? Answer:
Symptoms When anyone does a trace-route to a server behind the Palo Alto Networks firewall, the outside interface IP should not be displayed in the trace results. When internal users go to the internet, the Palo Alto Networks inside interface should not be displayed in trace results. Want to hide the Palo Alto
Unit 42 recently observed a 9002 Trojan delivered using a combination of shortened links and a shared file hosted on Google Drive. The delivery method also uses an actor-controlled server hosting a custom redirection script to track successful clicks by targeted email addresses. The infrastructure associated with this 9002 Trojan sample was also found to have previous ties to attacks on Myanmar and other Asian countries that used Poison Ivy as the payload, including a recent, and possibly ongoing campaign against Taiwan.
Symptoms LLDP is enabled on the interface, but other devices are unable to see information related to the Palo Alto Networks firewall. Diagnosis Make sure you have also enabled LLDP globally to make this protocol work. Solution About the LLDP protocol The Link Layer Discovery Protocol (LLDP) is a vendor-neutral
I started building out a very simple dev (read: unhardened) docker build for MineMeld here: https://github.com/swannysec/MineMeldDocker Looks like it won't start up correctly inside a container and I think it might be related to the use of UNIX sockets and/or something to do with supervisor. Anyway, feel free to take
Until recently, the healthcare industry has been up in arms on whether ransomware infections should be considered reportable Health Insurance Portability and Accountability Act (HIPAA) breaches. The argument for considering ransomware a HIPAA breach was centered on the fact that covered entities lose control of protected health information (PHI). A counterargument is that ransomware is not known to exfiltrate data outside the network, and hence should not be considered a HIPAA breach. The U.S. Health and Human Services (HHS) Office for Civil Rights finally weighed in on the discussion with …
In this week's Discussion of the Week, I've picked up on a question posted by community member @jezkerwin regarding naming conventions for Active Directory user groups. Although there is no convention that dictates which names to use or not to use, thoughtful selection of a naming convention at
A new variant of the PowerWare ransomware is stealing street creds from the Locky strain of ransomware in an attempt to spoof the malware family. A new sample of PowerWare found by Palo Alto Networks’ Unit 42 reveals the ransomware’s quickly evolving tactics.
MINEMELD Wow! MineMeld has arrived in the Live Community! Check out all the components of this awesome tool, including the repository on GitHub, articles, discussions and more. Take full advantage of the MineMeld multi-tool to collect, aggregate and filter threat indicators from a variety of sources and avail them to peers
by Patricia Cruz, Technical Writer @pcruz You can quickly search AutoFocus to look for samples with certain artifacts. Watch this short clip to see Patricia Cruz, Technical Writer at Palo Alto Networks, demonstrate this feature in action! For step-by-step instructions for using quick search, please refer to
Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.
Hi all, I've successfully connected my firewall to the syslog miner and can see logs arriving. I believe I now need to create a rule to match logs to extract the indicators. Here are my receive stats from the miner: Here's the rule I'm trying to craft to extract
Trying to import a source configuration from a 7050 chassis, and after it imports it just says devicename_config.xml and doesn't show any policies or objects to bring across into the base configuration. Strange also that from within the project, if I edit the device and look at the device
We’ve rounded up all of our top news from this past week right here. Unit 42 found Andromeda malware targeting Italian users in recent spam campaigns, and shared a technical walkthrough of the Office Test persistence method used in recent Sofacy attacks. The team also discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. Be like Jerry and start your path to awesome.
On the 19th of July, the much discussed and anticipated Network and Information Security (NIS) Directive was published in the Official Journal of the EU. The Directive was developed to ensure that societies’ dependencies on technology undertake relevant cybersecurity activities to ensure resilience and confidence as we become ever more digitally dependent. The most important aspect is when this comes into force, which is the 8th of August 2016. However, it is not immediately applicable: each member state then has a period in which to take the Directive and turn …
Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016. The malware is responsible for encrypting files on a victim’s machine and demanding a ransom via the Bitcoin cryptocurrency. In addition to using the ‘.locky’ filename extension on encrypted files, this PowerWare variant also uses the same ransom note as the Locky malware family. This is not the first time PowerWare has …
Discover which applications and threats are exposing vulnerabilities in your security posture using our Security Lifecycle Review (SLR). Learn how you can benefit from our comprehensive SLR report in this video by Scott Simkin, Senior Threat Intelligence Manager.
Ransomware can bring your business operations to a halt. Keeping your organization safe from ransomware requires a fundamental shift toward breach prevention and away from simply detecting and requiring remediation after infection. The right security architecture can make this prevention real.
Nearly 400 people attended Palo Alto Networks Federal Forum last Thursday at the Newseum in Washington, D.C., just a stone’s throw from the iconic dome of the U.S. Capitol. The event featured a dynamic speaker lineup of cybersecurity luminaries in the federal government, including U.S. Cyber Command head and NSA Director Admiral Michael Rogers, Federal CIO Tony Scott and Congressman Will Hurd. The Forum brought together a broad range of stakeholders, with perspectives from civilian government, military, law enforcement, the intelligence community and the private sector, clear recognition that cybersecurity is …
Hello, I read the best practices, saw a few webexes and so on ... I have a config file from a PA-200 and I don't have the PA-500 yet. I'd like to prepare the config file to swap the PA-200 for the PA-500 as soon as possible. I tried a few times to get what I need -
If for some reason the supplied MineMeld cloud-init loaders for VMware, EC2 and Azure do not work in your environment, you can fall back to the good ol' manual installation of MineMeld. Supported distributions: Ubuntu Server LTS 14.04. 1. Hardening the instance: First thing, you should harden your new
Is there anyone able to share how to configure MineMeld nodes to automate resolving/capturing the “*.google.com.*” dynamic IP addresses, so I could integrate with the Palo Alto Networks Dynamic Block List feature to identify most of the google.com IP addresses? I saw google.GCENetblocks and google.netBlocks in MineMeld, but
Hi all, Firstly, great work on MineMeld - it is fantastic!!! I have it working great for dynamic IP lists and AF export lists, but our customer would like to import Indicators from CSV. It doesn't look possible with current class/prototypes. Any suggestions? I could script the import to
Want to present at Ignite 2017? The Call for Papers is now open. We are on the hunt for highly technical insights based on firsthand experience with next-generation security technologies, practicing new threat research, and cultivating technical best practices.