Sessions and Submissions

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Use firewall session data and sample submissions from products such as Cortex XDR and Prisma Cloud, together with Cortex XSIAM, to find threats and protect your network.

The Sessions & Submissions tab lets you use your sessions and submissions data for investigation and analysis. Sessions and submissions data are available to customers who have Cortex XSIAM and at least one of the following products:

  • Palo Alto Networks Firewall

  • WildFire

  • Prisma SaaS

  • Prisma Access

Sessions are firewall sessions; submissions are logs of samples reported to WildFire by other Palo Alto Networks products. Session data shows you connections from one endpoint to another, and submission data shows you whether a file was found on a specific endpoint.

With Sessions & Submissions data, you can take steps to block external IP addresses that are the sources of malicious files and threat campaigns. You can also find compromised machines within your network, isolate them as needed, and take remediation steps.

For example, you can search for a file hash in the Sessions & Submissions tab. If the file appeared in one or more sessions or submissions, you can see when and where it did. Firewall session data shows you the source IP and destination IP of each session that included the file. If you have Cortex XDR, you can also see which XDR agents reported the file and which computers are affected.

Note

Known limitation: When you search for relationships on the Sessions & Submissions page, some results may appear without their specific relationships listed, due to internal relationship permissions.

Sessions & Submissions Search

You can use Unit 42 Intel data to build complex searches for sessions and submissions with similar characteristics. From the Session Summary page, any item listed in the Basic Information, Sample Information, or Metadata sections can be used to create a new search for similar sessions and submissions. For example, you can create a new search that includes a specific destination IP and a specific file name that you found together in a session.

To build a new search, hover over the end of the desired row. A drill-down button appears; when you click it, two search options are displayed.

  • Add to Sessions & Submissions Search

    Adds the selected information to the current Sessions & Submissions search. After you choose Add to Sessions & Submissions Search, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms." If you click the link, you go to the Sessions & Submissions tab, where you can edit or run your search for sessions and submissions that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue adding items to the search. To run the search later without using the pop-up link, go to the Threat Intel page and click the Sessions & Submissions tab.

  • Create New Sessions & Submissions Search

    Clears any search characteristics you have already added and starts a new Sessions & Submissions search containing only the selected characteristic(s). After you choose this option, the same pop-up appears as for Add to Sessions & Submissions Search: "Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms." Clicking the link, adding to Saved Queries, and running the search later from the Sessions & Submissions tab of the Threat Intel page all work the same way as for Add to Sessions & Submissions Search.