Sessions and Submissions - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

Use firewall session data and WildFire submission data from products such as Cortex XDR and Prisma Access, together with Cortex XSOAR, to find threats and protect your network.

The Sessions & Submissions tab enables you to use your sessions and submissions data for investigation and analysis. Sessions and submissions data is available for customers with a TIM license and at least one of the following products:

  • Palo Alto Networks Firewall

  • WildFire

  • Cortex XDR

  • Prisma SaaS

  • Prisma Access

Sessions are firewall sessions; Submissions are logs of samples submitted to WildFire by other Palo Alto Networks products. Session data shows connections from one endpoint to another, and submission data shows whether a file was found on a specific endpoint.

With Sessions & Submissions data, you can take steps to block external IP addresses that are the sources of malicious files and threat campaigns. You can also find compromised machines within your network, isolate them as needed, and take remediation steps.

For example, you can search for a file hash in the Sessions & Submissions tab. If the file appeared in one or more sessions or submissions, you can see when and where that occurred. Firewall session data enables you to view the source IP and the destination IP for each session that included the file. If you have Cortex XDR, you can see which XDR agent(s) reported the file and which computer(s) are affected.

Note

  • Known limitation: When searching on the Sessions & Submissions page for relationships, some results may appear without their specific relationships listed, due to internal relationship permissions.

  • (Multi-tenant) Sessions & Submissions data is not available for Multi-tenant deployments.

Sessions & Submissions Search

You can use Unit 42 Intel data to build complex searches for sessions and submissions with similar characteristics. From within the Session Summary page, any of the items listed in the Basic Information, Sample Information, or Metadata sections can be used to create a new search for similar sessions and submissions. For example, you can create a new search that includes a specific destination IP and a specific file name that you found together in a session.

To build a new search, hover your cursor over the end of the desired row. A drill-down button appears. When you click the button, two search options are displayed.

  • Add to Sessions & Submissions Search

    Adds the selected information to the current Sessions & Submissions search. After you choose Add to Sessions & Submissions Search, a pop-up appears at the bottom of the screen: Your selected terms were added to Sessions Analysis Search. Go to Sessions Analysis tab to apply the added terms. If you click the link, you go to the Sessions & Submissions tab, where you can edit or run your search for sessions and submissions that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue adding items to the search. To run the search later without clicking the pop-up link, go to the Threat Intel page and click the Sessions & Submissions tab.

  • Create New Sessions & Submissions Search

    Clears any search terms you have already added and starts a new Sessions & Submissions search containing only the selected characteristic(s). The same pop-up, link, and Add to Saved Queries option as for Add to Sessions & Submissions Search then apply: click the link to edit or run the search on the Sessions & Submissions tab, or keep adding items and run the search later from the Threat Intel page.
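The hash pivot described earlier (search for a file hash, read off the source and destination IPs of each session and the XDR agents that reported the file) and the combined search built from a Session Summary row (a destination IP plus a file name) can be expressed as a small correlation over session and submission records. The following is an added example, not Cortex XSOAR code and not the product's data schema: the record fields (src_ip, dst_ip, sha256, file_name, seen_at, source, agent_id, hostname), the sample records, and the RFC 1918 internal ranges are all assumptions constructed for illustration. It also adds the check a practitioner wants before blocking: only the external side of a session goes on the block-candidate list, never an internal host.

```python
"""Pivot from a file hash through constructed session/submission records.

Added example, not Cortex XSOAR code. Field names and sample data are
assumptions for illustration; the real Sessions & Submissions schema is
not reproduced here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """A firewall session that carried a file (constructed schema)."""
    seen_at: str
    src_ip: str
    dst_ip: str
    sha256: str
    file_name: str


@dataclass(frozen=True)
class Submission:
    """A sample submitted to WildFire (constructed schema). Endpoint fields are
    None when the submitting product is a firewall rather than an agent."""
    seen_at: str
    source: str
    agent_id: Optional[str]
    hostname: Optional[str]
    sha256: str
    file_name: str


# Constructed hash and records; 203.0.113.x / 198.51.100.x (RFC 5737
# documentation ranges) stand in for external hosts.
MALICIOUS_SHA256 = "deadbeef" * 8
BENIGN_SHA256 = "11" * 32

SESSIONS: List[Session] = [
    Session("2024-01-10T08:02:11Z", "10.1.4.22", "203.0.113.45", MALICIOUS_SHA256, "invoice.exe"),
    Session("2024-01-10T09:15:40Z", "10.1.7.9", "203.0.113.45", MALICIOUS_SHA256, "invoice.exe"),
    Session("2024-01-10T09:20:05Z", "10.1.4.22", "198.51.100.7", BENIGN_SHA256, "update.msi"),
    Session("2024-01-11T07:48:30Z", "10.1.7.9", "203.0.113.45", MALICIOUS_SHA256, "invoice_v2.exe"),
]

SUBMISSIONS: List[Submission] = [
    Submission("2024-01-10T08:03:00Z", "Cortex XDR", "xdr-0017", "WS-FIN-04", MALICIOUS_SHA256, "invoice.exe"),
    Submission("2024-01-10T09:16:12Z", "Cortex XDR", "xdr-0042", "WS-HR-11", MALICIOUS_SHA256, "invoice.exe"),
    Submission("2024-01-10T08:02:15Z", "Palo Alto Networks Firewall", None, None, MALICIOUS_SHA256, "invoice.exe"),
    Submission("2024-01-10T09:21:00Z", "Palo Alto Networks Firewall", None, None, BENIGN_SHA256, "update.msi"),
]

# Assumed internal address space (RFC 1918); replace with your own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_by_hash(sha256: str) -> Tuple[List[Session], List[Submission]]:
    """Hash search: case-insensitive match across sessions and submissions."""
    h = sha256.lower()
    return ([s for s in SESSIONS if s.sha256.lower() == h],
            [u for u in SUBMISSIONS if u.sha256.lower() == h])


def is_external(ip: str) -> bool:
    """True if the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_block_candidates(sessions: List[Session]) -> List[str]:
    """External peers of sessions carrying the file. Only the non-internal side
    of each session is returned, so an internal host is never put on a block list."""
    peers = {ip for s in sessions for ip in (s.src_ip, s.dst_ip) if is_external(ip)}
    return sorted(peers)


def affected_hosts(submissions: List[Submission]) -> Dict[str, List[str]]:
    """hostname -> agent ids that reported the file; firewall submissions
    (no endpoint) are skipped because they identify no machine to isolate."""
    hosts: Dict[str, set] = {}
    for u in submissions:
        if u.hostname and u.agent_id:
            hosts.setdefault(u.hostname, set()).add(u.agent_id)
    return {h: sorted(a) for h, a in hosts.items()}


def search_sessions(terms: Dict[str, str]) -> List[Session]:
    """AND-combine field terms, like adding several Session Summary rows
    (e.g. dst_ip and file_name) to one Sessions & Submissions search."""
    return [s for s in SESSIONS if all(getattr(s, k) == v for k, v in terms.items())]


def pivot(sha256: str) -> dict:
    """Everything the hash search yields: where it was seen, what to block, whom to isolate."""
    sessions, submissions = find_by_hash(sha256)
    return {
        "sessions": [(s.seen_at, s.src_ip, s.dst_ip) for s in sessions],
        "block_candidates": external_block_candidates(sessions),
        "affected_hosts": affected_hosts(submissions),
    }


if __name__ == "__main__":
    print(pivot(MALICIOUS_SHA256))
    print(search_sessions({"dst_ip": "203.0.113.45", "file_name": "invoice.exe"}))
```

The only design point worth noting is the internal/external split in external_block_candidates: session data lists both ends of every connection, and a block list built naively from "all IPs in sessions with this hash" would include your own workstations.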