firewall.paloalto
Purpose
An analyst wanted to detect malicious traffic in a corporate network. Using the SecOpsFWTrafficForeignDestination alert with Palo Alto firewall data, the analyst found that actors in sanctioned countries had attempted remote access. The analyst then blocked that traffic with firewall rules, preventing exploitation of vulnerabilities in the corporate network.
How is the data sent to Devo?
Sending with the Devo relay
In PAN-OS, enable syslog.
Set the server to be your Devo relay.
Use the TCP protocol.
Choose a port on your relay which is currently unused.
Select BSD format.
Define these relay rules.
Source message:
Source data: ([^,]+,){3}([^,]+)
Source tag:
Target tag: firewall.paloalto.\\D2
Sent without syslog tag: true
Stop processing: true
Source message:
Source data: LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$
Source tag:
Target tag: firewall.paloalto.\\D1.leef
Sent without syslog tag: true
Stop processing: true
For some versions of PAN-OS, the digit 4 in the LEEF rule's source data (the {4} repetition count) must be replaced with 6.
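To see what the two relay rules above do to a message, here is an added example (not Devo's relay code) that emulates them in Python over constructed PAN-OS lines; it assumes the relay searches for the pattern anywhere in the message, that \D<n> expands to capture group n, and that tags are lowercased to match Devo table names.

```python
import re

# Constructed sample lines, not real captures. PAN-OS CSV logs carry the log
# type (TRAFFIC, THREAT, SYSTEM, CONFIG, ...) as the 4th comma-separated field.
CSV_TRAFFIC = "1,2024/01/01 12:00:00,0123456789ABC,TRAFFIC,end,2049,0x0,10.0.0.5,198.51.100.7"
CSV_SYSTEM = "1,2024/01/01 12:00:00,0123456789ABC,SYSTEM,general,0,2024/01/01 12:00:00"
# LEEF header with four '|'-delimited fields before the log type ...
LEEF_4 = "LEEF:2.0|Palo Alto Networks|PAN-OS|11.0|TRAFFIC|cat=end\tsrc=10.0.0.5\tdst=198.51.100.7"
# ... and a constructed variant with two extra header fields (EXTRA_A/EXTRA_B are
# placeholders), standing in for the versions where {4} must become {6}.
LEEF_6 = "LEEF:2.0|Palo Alto Networks|PAN-OS|11.0|EXTRA_A|EXTRA_B|TRAFFIC|cat=end\tsrc=10.0.0.5"

def relay_rules(leef_prefix_fields=4):
    """The page's two rules as (source-data regex, target-tag template)."""
    return [
        # Tried first: any message with three or more commas matches this rule,
        # so a LEEF message containing commas would be tagged here, not below.
        (r"([^,]+,){3}([^,]+)", r"firewall.paloalto.\D2"),
        (r"LEEF:(?:[^\|]+\|){%d}([^\|]+)\|.*$" % leef_prefix_fields,
         r"firewall.paloalto.\D1.leef"),
    ]

def derive_tag(line, leef_prefix_fields=4):
    """Tag a line with the first matching rule ("Stop processing: true").

    Assumptions: the relay searches for the pattern anywhere in the message,
    \\D<n> expands to capture group n, and tags are lowercased.
    """
    for pattern, template in relay_rules(leef_prefix_fields):
        m = re.search(pattern, line)
        if m:
            tag = re.sub(r"\\D(\d+)", lambda ref: m.group(int(ref.group(1))), template)
            return tag.lower()
    return None  # no rule matched; the relay would not retag the message

def demo():
    return {
        "csv_traffic": derive_tag(CSV_TRAFFIC),
        "csv_system": derive_tag(CSV_SYSTEM),
        "leef_4_ok": derive_tag(LEEF_4),
        "leef_6_wrong_with_4": derive_tag(LEEF_6),  # a header field lands in the tag
        "leef_6_ok_with_6": derive_tag(LEEF_6, leef_prefix_fields=6),
    }

if __name__ == "__main__":
    for name, tag in demo().items():
        print(f"{name:22} -> {tag}")
```

With the wrong repetition count, the six-field LEEF line is tagged firewall.paloalto.extra_a.leef, so events silently land in a non-existent table instead of firewall.paloalto.traffic.leef.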
Sending with AWS SQS
Logs can be forwarded to an S3 bucket and then sent to Devo with an SQS collector using the aws_sqs_palo_alto service.
Tags and tables
The default tags are for CSV formatted logs. For other log formats, select leef or json tags. No JSON relay rule is necessary.
Tag | Data table |
---|---|
| This is a union table. |
Configuration log versions
Different configuration log tags can be used for different log formats.
firewall.paloalto.config.v1
- This is the default format. In this case, the parser uses the default field order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).
firewall.paloalto.config.v2
- Used to indicate that the fields beforechangedetail and afterchangedetail are not part of the event and must be ignored and initialized with null.
firewall.paloalto.config.v3
- Used to indicate that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.
firewall.paloalto.config.leef
- LEEF format.
firewall.paloalto.config.json
- JSON format.
Secure it
Devo Exchange resources that work with Palo Alto and other data sources:
Palo Alto-specific resources:
Compromised identity provider
An identity provider has been compromised. To determine the impact of the attack on the firewall, check how the firewall used identity providers.
from firewall.paloalto.system where isnotnull(idp_entity_id)
group by machine, eventId, idp_entity_id, auth_username
Credential tampering
A malicious “man in the middle” has modified certificates to cause an interruption in service. Identify certificates which are not valid.
from firewall.paloalto.system where eq(eventId,"tls-X509-validation-failed")