Using ingest actions to filter Palo Alto logs
Palo Alto Networks (PAN) logs can pose challenges for Splunk platform users because of their volume and complexity. These logs, while rich in information, can inundate cloud environments, producing a lot of noise and leading to inefficiencies. This article introduces a strategic approach to filtering Palo Alto traffic and threat logs using ingest actions to ensure that only relevant data reaches your cloud environment, enhancing query efficiency and speeding up delivery of results.
Solution
You can manage Palo Alto logs more easily by focusing on data quality through targeted ingestion, ensuring that only relevant and clean data is processed. Ingest actions offers a sophisticated toolkit for refining data at the point of ingestion. This feature allows you to selectively process logs based on predefined criteria, significantly improving data quality and operational efficiency.
To set up ingest actions, you should follow the specific ingest actions requirements for your environment. See instructions for Splunk Enterprise or Splunk Cloud Platform. For comprehensive details and guidelines on the prerequisites and capabilities of ingest actions, see Ingest actions requirements.
Configuring ingest actions
To follow the steps below, you'll need to ensure the Palo Alto Networks Add-on for Splunk is installed and configured, as well as verify that you have access to ingest actions with the appropriate role permissions.
To get started, use the following table to map the Common Information Model (CIM) data models to Palo Alto Networks event types:
| CIM data model | Tags | Palo Alto Networks event types |
|---|---|---|
| Intrusion Detection | ids, attack | pan_threat |
| Network Traffic | network, communicate | pan_traffic |
When filtering Palo Alto logs, you'll want to ensure that you filter low value data, keep high value data, and trim fields not required for troubleshooting.
For this solution we will focus on Palo Alto traffic and threat logs because those, on average, are the biggest source of PAN logs.
Fields to drop (pan_*)
You'll need to filter out events that have no defined value or where there is an alternate field that should be used instead:
- `future_use_` - There is no defined usage for this field.
- `time` - Redundant field. The true timestamp should use the field `generated_time`.
Fields to trim (pan_threat)
The following `pan_threat` fields are not required for troubleshooting and can be trimmed. These fields do not align with the CIM definition for intrusion detection as specified by the Palo Alto add-on documentation for pan_threat event types.
*_dag
*_edl
app_*
cloud_report_id
container_id
dest_dvc_*
dest_location
dynusergroup_name
dvc_serial_number
future_use*
generated_time
high_res_timestamp
host_id
http2_connection
http_headers
justification
nssai_sst
partial_hash
payload_protocol_id
pod_*
reason
receive_time
rule_uuid
sctp_*
sequence_number
src_dvc_*
src_location
url_category_list
xff_ip
Fields to trim (pan_traffic)
The following `pan_traffic` fields are not required for troubleshooting and can be trimmed. These fields do not align with the CIM definition specified by the Palo Alto add-on documentation for pan_traffic event types.
*_dag
*_edl
app_*
container_id
dest_dvc_*
dvc_serial_number
dynusergroup_name
future_use*
generated_time
high_res_timestamp
host_id
http2_connection
link_*
nsdsai_*
offloaded
pod_*
policy_id
receive_time
rule_uuid
sctp_*
sdwan_*
session_owner
src_dvc_*
tunnel_start_time
xff_ip
Configuring ingest actions to drop fields
Follow these steps to create a ruleset:
- Navigate to Settings > Data > Ingest Actions.
- Provide a Ruleset Name to create a new ruleset. For example, `PAN_DROP_FIELDS_FILTER_RULESET`.
- Identify and select the appropriate source for your logs, such as `pan_*:*`.
- Select +Add Rule > Filter > Filter with regular expression to start the filtering process.
- Set Source Field as `_raw`.
- Set Drop Events Matching Regular Expression as `future_use_ | time`.
- Click Apply to review the results.
- On the right-hand side, ensure that the filter correctly filters the events. The events highlighted in red will be dropped before data is ingested.
- Click Save to save the new ruleset.
Configuring ingest actions to trim logs
Follow these steps to create a ruleset:
- Navigate to Settings > Data > Ingest Actions.
- Provide a Ruleset Name to create a new ruleset. For example, `PAN_TRAFFIC_LOGS_TRIM_RULESET` or `PAN_THREAT_LOGS_TRIM_RULESET`.
- Select a data source type, for example, `pan_traffic` or `pan_threat`.
- Select +Add Rule > Mask > Mask with Regex to start the filtering process.
- Set Match Regular Expression. See Gist for more information.
- In the Replace Expression field, enter a blank space.
- Click Apply to review the results.
- On the right-hand side, ensure that the filter correctly trims the events. The events highlighted in red will be trimmed before being ingested.
- Click Save to save the new ruleset.
By following these steps, you've successfully configured ingest actions to filter out unnecessary fields in PAN threat and traffic, resulting in better data management.
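Before saving either ruleset, it is worth dry-running the Filter and Mask regexes against a handful of real events, because the Apply preview only shows what the pattern matches, not what it over-matches. The following Python script is an added example, not code from the article, from Splunk, or from Palo Alto Networks. It rebuilds the drop regex from the two fields listed under "Fields to drop" and the trim regex from the `pan_traffic` field list above (expanding the `*` globs as the list writes them), then runs both over constructed sample events. Two assumptions are labelled in the code: the events are assumed to arrive as `key="value"` pairs (the article shows no raw event and links the real trim regex to a Gist), and both patterns are anchored to the start of a key, so that `time` does not also match `generated_time` or `receive_time`; an unanchored `time` would drop every event containing that substring.

```python
import re

# Fields the article lists for trimming from pan_traffic events, globs kept as
# the page writes them ('*' = any run of field-name characters).
PAN_TRAFFIC_TRIM_FIELDS = [
    "*_dag", "*_edl", "app_*", "container_id", "dest_dvc_*", "dvc_serial_number",
    "dynusergroup_name", "future_use*", "generated_time", "high_res_timestamp",
    "host_id", "http2_connection", "link_*", "nsdsai_*", "offloaded", "pod_*",
    "policy_id", "receive_time", "rule_uuid", "sctp_*", "sdwan_*", "session_owner",
    "src_dvc_*", "tunnel_start_time", "xff_ip",
]

# Field names whose presence drops the whole event (the article's first ruleset).
DROP_FIELD_PATTERNS = ["future_use_*", "time"]

# Constructed sample events in key="value" form. ASSUMPTION: this layout is not
# shown on the page; substitute a few of your own raw pan_traffic events.
SAMPLE_EVENTS = [
    # kept, then trimmed
    'generated_time="2024/01/01 10:00:00" receive_time="2024/01/01 10:00:01" '
    'dvc_serial_number="000111" src_ip="10.1.1.5" dest_ip="10.2.2.9" '
    'dest_port="443" app="ssl" action="allow" bytes="1200" rule_uuid="7a1b-0000" '
    'session_owner="dp0" src_dag="" sdwan_cluster="" xff_ip=""',
    # dropped: carries a future_use_ field
    'generated_time="2024/01/01 10:00:02" future_use_1="" src_ip="10.1.1.6" '
    'dest_ip="10.2.2.9" dest_port="53" app="dns" action="allow" bytes="90"',
    # dropped: carries the redundant time field
    'time="2024/01/01 10:00:03" generated_time="2024/01/01 10:00:03" '
    'src_ip="10.1.1.7" dest_ip="10.2.2.10" dest_port="22" app="ssh" action="deny" bytes="0"',
]

# ASSUMPTION: a key must begin the event or follow whitespace, so "time" cannot
# match the tail of "generated_time" or "receive_time".
KEY_START = r"(?:^|(?<=\s))"
# A quoted value (which may contain spaces) or a bare token.
VALUE = r'(?:"[^"]*"|\S*)'


def glob_to_key_regex(pattern):
    """Translate a field-name glob from the page's lists into a regex fragment."""
    return r"\w*".join(re.escape(part) for part in pattern.split("*"))


def build_drop_regex(patterns):
    """Regex for the Filter rule: matches any event carrying one of the keys."""
    alternation = "|".join(glob_to_key_regex(p) for p in patterns)
    return re.compile(KEY_START + "(?:" + alternation + ")=")


def build_trim_regex(fields):
    """Regex for the Mask rule: matches each key=value pair to be removed."""
    alternation = "|".join(glob_to_key_regex(f) for f in fields)
    return re.compile(KEY_START + "(?:" + alternation + ")=" + VALUE + r"\s?")


DROP_RE = build_drop_regex(DROP_FIELD_PATTERNS)
TRIM_RE = build_trim_regex(PAN_TRAFFIC_TRIM_FIELDS)


def apply_rules(events, drop_re=DROP_RE, trim_re=TRIM_RE):
    """Apply the Filter rule, then the Mask rule, the way the two rulesets would."""
    kept = []
    for raw in events:
        if drop_re.search(raw):          # Filter rule: whole event discarded
            continue
        masked = trim_re.sub(" ", raw)   # Mask rule: the page replaces with a blank space
        kept.append(re.sub(r"\s+", " ", masked).strip())
    return kept


def bytes_saved(events, kept):
    """Return (bytes removed, bytes before) so the reduction can be reported."""
    before = sum(len(e) for e in events)
    after = sum(len(e) for e in kept)
    return before - after, before


if __name__ == "__main__":
    print("Drop regex:", DROP_RE.pattern)
    print("Trim regex:", TRIM_RE.pattern)
    kept = apply_rules(SAMPLE_EVENTS)
    for event in kept:
        print("kept:", event)
    removed, before = bytes_saved(SAMPLE_EVENTS, kept)
    print(f"removed {removed} of {before} bytes")
```

The printed `TRIM_RE.pattern` is what you would paste into the Mask rule's Match Regular Expression field, and `DROP_RE.pattern` into the Filter rule; if a field you need for troubleshooting disappears from the `kept:` lines, fix the field list before the ruleset is saved rather than after the data is gone.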
Next steps
These resources might help you understand and implement this guidance:
- Product tip: Sampling data with ingest actions for data reduction
- Product tip: Using ingest actions in Splunk Enterprise
- Tech Talk: Introducing ingest actions: Filter, mask, route, repeat