Palo Alto Network logs are network security logs that come from next-generation firewall technology that enables applications – regardless of port, protocol, evasive tactic, or SSL encryption – and scans content to stop targeted threats and prevent data leakage. They provide insight into the use of applications, helping you maintain complete visibility and control simplifying network security.
Data visibility
Palo Alto Networks logs provide deep visibility into network traffic information, including: the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason. They also provide system information, host information profiles, malware analysis, information about configuration changes, security alerts, and much more.
How can I use this data?
When your Splunk deployment is ingesting Palo Alto network logs, you can use the data to achieve the following objectives:
- Monitoring for network traffic volume outliers
- Monitoring employee network traffic
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
- Detecting techniques in the Orangeworm attack group
Configuration
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Palo Alto resources.
Getting Palo Alto network data in
Splunk Docs contains extensive guidance on getting data into your Splunk deployment. If your deployment is not already ingesting Palo Alto network data, the following topics can assist you in preparing to work with this data type:
- Splunk Enterprise
- Splunk Cloud
There are a variety of input types, source types, and recommended indexes for Palo Alto network logs, as shown in the following table.
|
Input |
Source Type |
Index |
|
var/log/rsyslog/pan/threat/*.log |
pan: threat |
netproxy |
|
var/log/rsyslog/pan/traffic/*.log |
pan:traffic |
netfw |
|
var/log/rsyslog/pan/system/*.log |
pan:system |
netops |
|
var/log/rsyslog/pan/config/*.log |
pan:config |
netops |
|
var/log/rsyslog/pan/hipmatch/*.log |
pan:hipmatch |
epintel |
|
var/log/rsyslog/pan/endpoint/*.log |
pan:endpoint |
epintel |
|
var/log/rsyslog/pan/correlation/*.log |
pan:correlation |
netintel |
|
var/log/rsyslog/pan/aperture/*.log |
pan:aperture |
netintel |
|
var/log/rsyslog/pan/wildfire/*.log |
pan:wildfire |
epintel |
In addition, you will need the Palo Alto Networks Add-on for Splunk. The add-on can be downloaded here and the official documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Palo Alto, and configure Splunk.
Sizing estimate
There is large variability in the size for Palo Alto Networks logs. Each message is typically around 850 bytes with usually one message per connection (as we recommend logging allows, along with denies). The volume then depends on the size of your PAN device and can range from hundreds of MB per day for a branch office to more than 250 GB per day for a main datacenter cluster.
Using only Palo Alto's built-in tools, the show session info command will tell you how many connections there have been since bootup. So, one way of estimating event volume is to check that number at the same time on subsequent days, then calculate the number of connections you typically see per day. When multiplied by the general 850 byte number, you will get a reasonable expectation for data size.
Validation
Perform the following search on your Splunk instance to see whether you receive results.
index=* sourcetype=pan*
|stats count by sourcetype index
Comments
0 comments
Please sign in to leave a comment.