Which log type is the most useful for identifying if a user is repeatedly attempting to visit an "Unauthorized" website category that is being blocked by a security profile?
Explanation:
While Traffic Logs show that a connection was denied, the URL Filtering Log provides the specific context required to understand why it was denied. It explicitly lists the URL being visited, the specific URL category (e.g., adult or gambling), and the action taken by the profile.
For a Network Security Analyst, monitoring this log is a core objective for identifying potential "insider threats" or users who require additional security training. If a host is generating hundreds of "block" entries for high-risk categories in a short period, it could indicate that the device is infected with malware that is attempting to "call home" to a malicious site or that a user is actively trying to bypass security controls.