I watch my network at home all day and run Graylog on its own monitor. Fullscreen mode cycles through my tabs and shows me what is attacking, and who/what/where/how traffic is coming in or going out. First up is the Threats tab:
Here I am getting a 7-day snapshot of threats coming in: whether they are trending up or down, what the threat is, where it came from, and what type of threats were blocked in the outbound traffic. Whenever a new 0-day or vulnerability is disclosed, this screen reflects the uptick in activity. I typically see lots of Internet-wide scans for vulnerable routers, log4shell, and security camera exploit attempts. (These do not appear to be targeting my IP, just wide-net scans and exploits going out to everyone everywhere.)
Next up is a dashboard for a specific endpoint (in this case a desktop PC on the trusted network).
This dashboard shows a snapshot of the activity of this one endpoint, which is handy for quickly seeing if anything unexpected is going on. The tab can be quickly cloned and adjusted for any endpoint on the network (e.g. watch an IoT device, watch what your phones are doing when idle, etc.).
Finally the overview of the entire network:
Quick view of all network activity for all VLANs/zones (e.g. guest WiFi, DMZ, trusted subnets, IoT, etc.). Being able to see who and what can lead to actionable items when you see something that does not look like it should be on your network: if you have unrecognized IP addresses, you can investigate and see which device they might belong to, or catch malware on your guest's phone or laptop while they are on your guest WiFi.
All of these dashboards combined become a window into what is "normal", and after a while you get used to what you should be seeing, so anything outside of that will stand out. I do have these dashboards as a content pack on GitHub; if anyone wants to use them, feel free to grab them from the GitHub page linked in the marketplace.
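The checks the Threats tab and the network overview above surface (7-day trend, top threat names, blocked outbound hits, and internal addresses that are not in a zone's known-device list) can be reproduced offline on sample log lines. This is an added example, not code from the post or its content pack; the log lines, the simplified whitespace-separated record layout and the per-zone inventory are all constructed assumptions, not the real PAN-OS log format.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed assumption: known devices per zone (the "should be here" list).
KNOWN_HOSTS = {"trusted": {"10.0.1.10", "10.0.1.11"}, "iot": {"10.0.2.20"}}

# Constructed sample lines: day direction zone source threat action.
SAMPLE_LOGS = """\
2024-03-01 inbound untrust 198.51.100.7 log4shell-rce deny
2024-03-02 inbound untrust 198.51.100.9 router-cmd-inject deny
2024-03-04 inbound untrust 203.0.113.5 ipcam-exploit deny
2024-03-05 inbound untrust 203.0.113.5 log4shell-rce deny
2024-03-06 inbound untrust 198.51.100.7 log4shell-rce deny
2024-03-06 outbound guest 10.0.3.44 malware-c2-beacon deny
2024-03-07 inbound untrust 203.0.113.8 log4shell-rce deny
2024-03-07 outbound trusted 10.0.1.99 spyware-dns-lookup deny
"""

def parse(text):
    """Turn each constructed line into a dict keyed by field name."""
    keys = ("day", "direction", "zone", "src", "threat", "action")
    return [dict(zip(keys, ln.split())) for ln in text.splitlines() if ln.strip()]

def threat_summary(records, today):
    """Per-day counts for the last 7 days, a coarse trend, top threats,
    and the outbound events that were blocked."""
    window = [today - timedelta(days=i) for i in range(6, -1, -1)]
    per_day = Counter(r["day"] for r in records)
    counts = [per_day[d.isoformat()] for d in window]
    early, late = sum(counts[:3]), sum(counts[4:])  # compare both ends of the week
    trend = "up" if late > early else "down" if late < early else "flat"
    top = Counter(r["threat"] for r in records).most_common(3)
    blocked_out = [r for r in records
                   if r["direction"] == "outbound" and r["action"] == "deny"]
    return {"daily": counts, "trend": trend, "top": top, "blocked_outbound": blocked_out}

def unknown_hosts(records, inventory):
    """Internal sources seen in an inventoried zone that are not in its list."""
    seen = defaultdict(set)
    for r in records:
        if r["zone"] in inventory:
            seen[r["zone"]].add(r["src"])
    return {z: sorted(hosts - inventory[z]) for z, hosts in seen.items()
            if hosts - inventory[z]}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    print(threat_summary(recs, date(2024, 3, 7)))
    print(unknown_hosts(recs, KNOWN_HOSTS))
```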
Built for PAN-OS 10.x (tested and working with 10.0 and 10.1). Not tested with 10.2.