Automation to enable security teams to do more with less

Automation Playbook UI showing a flow with "Generate panos key" and "Get max logging rate" device task cards and task details

Inside Auto-Triage

Many enterprises are expecting to continue operating remotely through the end of the year. This new operating environment has significantly increased workloads on security infrastructure operations teams. Luckily, Indeni’s automation capabilities can help take a few things off their plates by troubleshooting and capturing pertinent information required to report an incident.

Explore how Indeni’s Auto-Triage capabilities play a key role in keeping your remote operations secure and fully functional 24/7.

How does Auto-Triage help?

Once Indeni identifies an issue, it can run its own investigative steps, the same ones that are normally run manually. The steps can be as simple as gathering additional contextual diagnostic information, or as in-depth as analyzing and performing common troubleshooting tasks. Applying best practice procedures reduces time to resolution, whether by providing an engineer with all of the information or by automatically narrowing down the issue and offering more prescriptive remediation recommendations.

An example: Log management for maximum visibility

The sudden remote workforce model has changed the operating conditions. Logs are the primary data source for forensics and security incident response. Not only does log analysis increase security awareness, it also rapidly reveals failed processes, network outages, or protocol failures, and it helps in the effective management of applications and infrastructure. If log collection stops, it is considered a P1 (high priority) event. For businesses to prevent service disruptions and detect threats, they must rely on logs, and they must continuously monitor log collection, at scale.

What can possibly go wrong with log collection?

  1. Logging rate is higher than what the device can handle.
  2. Devices are stressed due to a high number of connections.
  3. Unable to reach the log management server(s).
  4. Network connection issues.
  5. Limited local storage on the device to temporarily store log data.

Auto-Triage ensures continuous log collection

Indeni continuously monitors log collection by tracking the log-forward discards of a Palo Alto Networks device. When logs are discarded, Indeni immediately notifies users and automatically initiates an investigation.

The first investigative step is to retrieve the logging rate from the device.


Indeni determines whether the logging rate is within the device limit. If the logging rate exceeds the device's limit, logs are discarded. This could be a hardware resource limitation.

Indeni will suggest workarounds such as disabling logging for some types of traffic (DNS and PING). Because URL filtering can generate a large number of log entries, an alternate suggestion is to log only the container page and not subsequent pages.

If the logging rate is within the device limit, Indeni will check session utilization.

Log discards can also be caused by an increase in traffic that exceeds the device limit. Some types of traffic (e.g. DNS, PING) create more sessions and consume more resources: session lookups, logging at session start, logging at session end, to name a few. If session utilization is above 70% of the device session table, it is considered high. If this persists, it could indicate a hardware limitation.

If session utilization is below 70%, Indeni will determine whether the log collectors are reachable and a connection can be established.

In conclusion, if the logging rate is within the device limit, session utilization is below 70% of the session table, and the collectors are reachable, it is time to open a trouble ticket with Palo Alto Networks. By then, the automated investigative steps have already gathered the relevant information required to open a case.
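The decision sequence above (logging rate, then session utilization, then collector reachability, then escalate) written out as code, with the evidence gathered at each step kept for the ticket. This is an added illustration, not Indeni's or Palo Alto Networks' code; the metric field names and the sample readings are constructed for the example.

```python
"""Decision logic for the log-discard investigation described above. Added illustration,
not Indeni's or Palo Alto Networks' code; metric names and readings are constructed."""
from dataclasses import dataclass, field

HIGH_SESSION_UTIL_PCT = 70.0  # threshold the article uses for "high" utilization

@dataclass
class TriageResult:
    finding: str
    recommendations: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)  # attach this to a ticket

def triage_log_discards(m: dict) -> TriageResult:
    """Run the playbook's steps in order and stop at the first cause found."""
    if m["log_forward_discards"] == 0:
        return TriageResult("no log-forward discards; nothing to investigate")
    ev = {"log_forward_discards": m["log_forward_discards"]}

    # Step 1: is the device asked to log faster than its limit?
    ev["logging_rate"] = (m["logging_rate"], m["max_logging_rate"])
    if m["logging_rate"] > m["max_logging_rate"]:
        return TriageResult(
            "logging rate exceeds device limit (possible hardware resource limit)",
            ["disable logging for high-volume traffic types such as DNS and PING",
             "for URL filtering, log only the container page, not subsequent pages"], ev)

    # Step 2: is a traffic surge filling the session table?
    util = 100.0 * m["sessions_active"] / m["sessions_max"]
    ev["session_utilization_pct"] = round(util, 1)
    if util > HIGH_SESSION_UTIL_PCT:
        return TriageResult(
            f"session utilization {util:.1f}% is high (above {HIGH_SESSION_UTIL_PCT:.0f}%)",
            ["watch whether it persists; sustained high utilization points to a hardware limit"], ev)

    # Step 3: can the device reach each collector and hold a connection?
    bad = [c["name"] for c in m["collectors"] if not (c["reachable"] and c["connected"])]
    ev["unhealthy_collectors"] = bad
    if bad:
        return TriageResult("collector unreachable or connection not established: " + ", ".join(bad),
                            ["check the network path from the device to: " + ", ".join(bad)], ev)

    # Every usual cause is ruled out: escalate with the evidence already gathered.
    return TriageResult("usual causes ruled out; open a case with Palo Alto Networks",
                        ["attach the gathered evidence to the trouble ticket"], ev)

SAMPLE_DEVICE = {  # constructed readings, not from a real firewall
    "log_forward_discards": 1200, "logging_rate": 3500, "max_logging_rate": 4000,
    "sessions_active": 600_000, "sessions_max": 800_000,
    "collectors": [{"name": "collector-a", "reachable": True, "connected": True}]}
```

Calling `triage_log_discards(SAMPLE_DEVICE)` stops at step 2, because the constructed readings put the session table at 75% utilization.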

Next Steps

Indeni is here to help you maintain business as usual. If you are a customer, we encourage you to enable Auto-Triage, geared to help you run your security infrastructure smoothly during this challenging time. If you can’t find the Auto-Triage Element (ATE) you’re looking for, you can always submit a request to our community. If you are new to Indeni, we would love to give you the chance to try our automation capabilities in your own environment.
