Use Sessions and Submissions in your investigation


Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

Use firewall sessions and submissions with your firewall, the Cortex XDR Agent and other Palo Alto Networks products to find threats and protect your network.

The Sessions & Submissions page enables you to use your firewall sessions and submissions data for investigation and analysis.

Sessions refer to firewall sessions that show connections from one endpoint to another. A firewall can forward information about network sessions for an investigation. Cortex XSIAM TIM uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.

Submissions refer to sample logs reported to WildFire from the Cortex XDR Agent and other Palo Alto Networks products. While sessions data shows connections from one endpoint to another, submissions data shows whether a file was found on a specific endpoint.

Submission data reaches WildFire through the Cortex XDR Agent, the Palo Alto Networks firewall, Prisma SaaS, and Prisma Access.

You can take steps to block external IP addresses that are the sources of malicious files and threat campaigns. You can find compromised machines within your network, isolate them as needed, and take remediation steps. For example, search for a file hash in Sessions & Submissions. If the file appeared in one or more sessions or submissions, you can see when and where that occurred. Firewall session data enables you to view the source IP and the destination IP for each session that includes the file.

You can see which XDR agent reported the file and which computers are affected.

Note

When searching on the Sessions & Submissions page for relationships, some results may appear without their specific relationships listed, due to internal relationship permissions.

Investigate Sessions and Submissions

On the Sessions & Submissions page, click an ID in the ID column to start an investigation.

In the Session Summary tab you can see the following information:

  • Basic Information

    Includes general information such as the session Timestamp, destination IP, and source country.

  • Sample Information

    Includes file information, such as the file name, SHA, File URL, and Status. The Status for blocked samples is Blocked, while the status for allowed samples is blank.

    Note: The Application is matched to the type of application traffic detected in a session. For example, a search for the Application web-browsing returns sessions during which web browsing over HTTP occurred. See Applipedia for an updated list of applications that Palo Alto Networks identifies.

  • Metadata

    Includes metadata, such as the source, region, and Device Hostname.

  • Related Sessions and Submissions

    Lists any related sessions and submissions for further investigation.

Sessions & Submissions advanced search

You can use Unit 42 Intel data to build complex searches for sessions and submissions with similar characteristics. From within the Session Summary tab, any of the items listed in the Basic Information, Sample Information, or Metadata sections can be used to create a new search for similar sessions and submissions. For example, you can create a new search that includes a specific destination IP and a specific file name that you found together in a session.

To build a new search, hover your cursor over the end of the desired row. You can choose one of the following options:

  • Add to Sessions & Submissions Search

    Adds selected information to a Sessions & Submissions search.

  • Create New Sessions & Submissions Search

    Clears any search characteristics you have already added and starts a new Sessions & Submissions search.

After selecting the relevant option, a message appears. You can do the following:

  • Run the query now, by clicking the link.

    You pivot to the Sessions & Submissions page where you can edit or run your search for sessions and submissions that exhibited the same behavior.

  • If you want to add more items to the search, ignore the message.

    To run the search without clicking on the popup link, go to the Sessions & Submissions page.
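The following Python model is an added illustration of the workflow this page describes (search a file hash, read the source and destination IPs of each session that carried it, read which agent reported it on which host, then pivot a destination IP and file name into a new search). It is not Cortex XSIAM code and does not use the product's API; the record fields, the function names and the sample records are all constructed here, and the hashes are placeholders, not real indicators.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One firewall session that carried a sample. The field set is an assumption
    modelled on the Session Summary tab (Basic Information / Sample Information)."""
    id: str
    timestamp: str
    src_ip: str
    dst_ip: str
    app: str          # application traffic type, e.g. web-browsing
    file_name: str
    sha256: str
    status: str       # "Blocked" for blocked samples, "" for allowed ones


@dataclass(frozen=True)
class Submission:
    """One sample reported to WildFire from an endpoint (assumed shape)."""
    id: str
    timestamp: str
    hostname: str
    source: str       # product that reported the sample
    file_name: str
    sha256: str


# Constructed placeholder hashes, not real indicators.
MALWARE_SHA = "c0ffee" * 10 + "abcd"
BENIGN_SHA = "baddad" * 10 + "0000"
OTHER_SHA = "f00d" * 16

# Constructed sample records (RFC 5737 documentation addresses for the external side).
SESSIONS = [
    Session("S-1", "2024-04-01T08:02:11Z", "10.1.20.15", "203.0.113.7", "web-browsing", "invoice.exe", MALWARE_SHA, "Blocked"),
    Session("S-2", "2024-04-01T08:05:40Z", "10.1.20.33", "203.0.113.7", "web-browsing", "invoice.exe", MALWARE_SHA, ""),
    Session("S-3", "2024-04-01T09:10:02Z", "10.1.20.15", "198.51.100.9", "ssl", "report.pdf", BENIGN_SHA, ""),
    Session("S-4", "2024-04-01T09:30:55Z", "10.1.21.8", "203.0.113.7", "web-browsing", "update.exe", OTHER_SHA, ""),
]
SUBMISSIONS = [
    Submission("SUB-1", "2024-04-01T08:06:00Z", "WS-015", "Cortex XDR Agent", "invoice.exe", MALWARE_SHA),
    Submission("SUB-2", "2024-04-01T08:07:12Z", "WS-033", "Cortex XDR Agent", "invoice.exe", MALWARE_SHA),
    Submission("SUB-3", "2024-04-01T09:31:30Z", "WS-008", "Cortex XDR Agent", "update.exe", OTHER_SHA),
]


def find_by_hash(sha256, sessions=SESSIONS, submissions=SUBMISSIONS):
    """Every session and every submission in which the hash appeared."""
    hit_sessions = [s for s in sessions if s.sha256 == sha256]
    hit_submissions = [u for u in submissions if u.sha256 == sha256]
    return hit_sessions, hit_submissions


def session_endpoints(sessions):
    """(source IP, destination IP) pairs seen with the file: the external addresses to
    consider blocking and the internal sources to check for compromise."""
    return sorted({(s.src_ip, s.dst_ip) for s in sessions})


def affected_hosts(submissions):
    """(hostname, reporting product) pairs: which agent reported the file and where."""
    return sorted({(u.hostname, u.source) for u in submissions})


def new_search(**criteria):
    """'Create New Sessions & Submissions Search': start from a clean criteria set.
    Keys are Session field names (assumed); unknown keys are rejected up front."""
    unknown = set(criteria) - set(Session.__dataclass_fields__)
    if unknown:
        raise ValueError(f"unknown search fields: {sorted(unknown)}")
    return dict(criteria)


def add_to_search(search, **criteria):
    """'Add to Sessions & Submissions Search': extend an existing criteria set."""
    return new_search(**{**search, **criteria})


def run_search(search, sessions=SESSIONS):
    """Sessions matching every criterion (AND semantics), in their stored order."""
    return [s for s in sessions
            if all(getattr(s, key) == value for key, value in search.items())]


if __name__ == "__main__":
    sess, subs = find_by_hash(MALWARE_SHA)
    print("sessions with hash:", [(s.id, s.timestamp, s.status) for s in sess])
    print("endpoints:", session_endpoints(sess))
    print("affected hosts:", affected_hosts(subs))
    # Pivot: destination IP and file name found together in the first session.
    pivot = new_search(dst_ip=sess[0].dst_ip, file_name=sess[0].file_name)
    print("pivot search:", [s.id for s in run_search(pivot)])
```

Real session and submission records carry many more fields than this model, but the two operations it isolates are the ones the page describes: a hash lookup that yields endpoints and reporting hosts, and a criteria set that is either replaced or extended before it is run.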