
Palo Alto Next-Generation Firewall

Overview

Palo Alto Networks offers an enterprise cybersecurity platform which provides network security, cloud security, endpoint protection, and various cloud-delivered security services.

Benefit from SEKOIA.IO built-in rules and upgrade Palo Alto Next-Generation Firewall with the following detection capabilities out-of-the-box.

SEKOIA.IO x Palo Alto Next-Generation Firewall on ATT&CK Navigator

Fortinet Firewall Login In Failure

Detects failed login attempts on the firewall administration interface. Prerequisite: check that the firewall log format corresponds to the rule.

  • Effort: master
Fortinet Firewall Successful External Login

Detects successful access to the administration console of the firewall from an IP address other than 127.0.0.1. Prerequisite: check that the firewall log format corresponds to the rule.

  • Effort: master
Internet Scanner

Detects known scanner IP addresses. An alert is only raised when the scan hits an open port, on TCP or UDP.

  • Effort: master
Internet Scanner Target

Detects known scanner IP addresses. An alert is only raised when the scan hits an open port, on TCP or UDP, and alerts are grouped by target address.

  • Effort: master
RYUK Ransomeware - martinstevens Username

Detects the user name "martinstevens". Wizard Spider is known to add the user name "martinstevens" to the Active Directory of its victims; it was observed in several campaigns in 2019 and 2020.

  • Effort: elementary
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
TOR Usage

Detects TOR usage, based on the destination IP address and the destination port, with NTP traffic filtered out. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more applications on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen relays before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits, or to tie together separate visits to different sites, which makes tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what is left on to the next relay in the list.

  • Effort: master
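
The rules above are described in prose only. As an added example (not SEKOIA.IO's rule engine or rule definitions), the script below implements the login-failure, successful-external-login, Internet-scanner and TOR-usage checks over events in the normalized ECS-style shape shown in the Event Samples section further down. It assumes that administration logins surface as SYSTEM `auth` events whose description reads "authenticated for user '…' … From: <ip>." (as in the page's SYSTEM sample) or "failed authentication for user '…' … From: <ip>."; that "hits an open port" means the TCP/UDP session was allowed; and that "filtered on NTP" means destination port 123 is excluded. `SCANNER_IPS`, `TOR_EXIT_IPS` and every event in `SAMPLE_EVENTS` are constructed placeholders, not real indicators or firewall output.

```python
"""Detection logic for four of the rules listed above, run over normalized events.

Added example, not SEKOIA.IO's rule engine. Events are constructed in the ECS-style
shape of the page's samples; indicator lists are placeholders, not threat intelligence.
"""
import re
from collections import Counter, defaultdict

SCANNER_IPS = {"203.0.113.10"}      # assumption: fed from a scanner-IP list in production
TOR_EXIT_IPS = {"198.51.100.7"}     # assumption: fed from a Tor relay list in production
NTP_PORT = 123                      # assumption: "filtered on NTP" means NTP is excluded

# Matches the PAN-OS auth description wording seen in the page's SYSTEM sample.
AUTH_RE = re.compile(r"(?P<result>authenticated|failed authentication) for user "
                     r"'(?P<user>[^']+)'.*From: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.?$")


def get(event, dotted, default=None):
    """Read a dotted ECS key such as 'source.ip' from a nested dict."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def auth_events(events):
    """Yield (event, result, user, ip) for SYSTEM auth events whose description parses."""
    for ev in events:
        if get(ev, "event.category") != "system" or get(ev, "action.type") != "auth":
            continue
        m = AUTH_RE.search(get(ev, "action.outcome_reason", ""))
        if m:
            yield ev, m.group("result"), m.group("user"), m.group("ip")


def successful_external_logins(events):
    """'Successful External Login': a successful auth from any address but 127.0.0.1."""
    return [(user, ip) for _, result, user, ip in auth_events(events)
            if result == "authenticated" and ip != "127.0.0.1"]


def login_failures(events, threshold=3):
    """'Login In Failure': source addresses with at least `threshold` failed auths."""
    failures = Counter(ip for _, result, _, ip in auth_events(events)
                       if result == "failed authentication")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def internet_scanner_hits(events, scanner_ips=SCANNER_IPS):
    """'Internet Scanner' / 'Internet Scanner Target': a known scanner whose TCP/UDP
    session was allowed (it reached an open port), grouped by target address."""
    hits = defaultdict(set)
    for ev in events:
        if (get(ev, "event.category") == "traffic" and get(ev, "source.ip") in scanner_ips
                and get(ev, "network.transport") in ("tcp", "udp")
                and get(ev, "action.name") == "allow"):
            hits[get(ev, "destination.ip")].add(get(ev, "destination.port"))
    return {target: sorted(ports) for target, ports in hits.items()}


def tor_usage(events, tor_exit_ips=TOR_EXIT_IPS):
    """'TOR Usage': traffic to a Tor relay address on any port except NTP."""
    return [(get(ev, "source.ip"), get(ev, "destination.ip"), get(ev, "destination.port"))
            for ev in events
            if get(ev, "event.category") == "traffic"
            and get(ev, "destination.ip") in tor_exit_ips
            and get(ev, "destination.port") != NTP_PORT]


def system_auth(reason):
    return {"event": {"category": "system"}, "action": {"type": "auth", "outcome_reason": reason}}


def traffic(src, dst, dport, transport="tcp", action="allow"):
    return {"event": {"category": "traffic"}, "source": {"ip": src},
            "destination": {"ip": dst, "port": dport},
            "network": {"transport": transport}, "action": {"name": action}}


# Constructed sample events (not from a real firewall).
SAMPLE_EVENTS = [
    system_auth("authenticated for user 'admin'.   auth profile 'local', vsys 'vsys1', From: 127.0.0.1."),
    system_auth("authenticated for user 'admin'.   auth profile 'local', vsys 'vsys1', From: 198.51.100.23."),
    *[system_auth("failed authentication for user 'admin'.  Reason: Invalid username/password From: 192.0.2.44.")
      for _ in range(3)],
    traffic("203.0.113.10", "10.0.0.5", 22),
    traffic("203.0.113.10", "10.0.0.5", 443),
    traffic("203.0.113.10", "10.0.0.6", 8080, action="deny"),   # closed port: no alert
    traffic("10.0.0.9", "198.51.100.7", 9001),
    traffic("10.0.0.9", "198.51.100.7", 123, transport="udp"),   # NTP: excluded from the TOR rule
]

if __name__ == "__main__":
    print("external logins:", successful_external_logins(SAMPLE_EVENTS))
    print("login failures:", login_failures(SAMPLE_EVENTS))
    print("scanner hits:", internet_scanner_hits(SAMPLE_EVENTS))
    print("tor usage:", tor_usage(SAMPLE_EVENTS))
```

The login-failure threshold and the exclusion of only the loopback address are the parts to tune: an administrator connecting from a management jump host will trip the external-login rule on every session unless that address is also excluded.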

Event Categories

The following table lists the data sources offered by this integration.

Data Source Description
Network device logs Palo Alto firewalls record the traffic events flowing through the firewall
Network protocol analysis Palo Alto firewalls analyze traffic at the physical, data-link and transport layers

Event Samples

Find below a few samples of events and how they are normalized by SEKOIA.IO.

{
    "action": {
        "type": "login"
    },
    "destination": {
        "port": 0
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "userid"
    },
    "log": {
        "hostname": "hostexample",
        "logger": "srv1.example.local"
    },
    "message": "1,2020/12/04 16:00:02,016401002222,USERID,login,2305,2020/12/04 16:00:02,vsys,1.2.3.4,user1,srv1.example.local,0,1,12000,0,0,active-directory,,968683723,0x8000000000000000,12,0,0,0,,hostexample,1,,2020/12/04 16:00:02,1,0x80,user1",
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "user1"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 0
    },
    "user": {
        "name": "user1"
    }
}
{
    "action": {
        "type": "login"
    },
    "destination": {
        "port": 0
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "userid"
    },
    "log": {
        "hostname": "hostname_example",
        "logger": "srv1.example.local"
    },
    "message": "1,2020/12/04 16:00:02,01640103000,USERID,login,2200,2020/12/04 16:00:02,vsys,10.0.0.2,user1,srv1.example.local,0,1,13000,0,0,active-directory,,968700000,0x8000000000000000,12,0,0,0,,hostname_example,1,,2020/12/04 16:00:02,1,0x0,user1",
    "related": {
        "ip": [
            "10.0.0.2"
        ],
        "user": [
            "user1"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "10.0.0.2",
        "ip": "10.0.0.2",
        "port": 0
    },
    "user": {
        "name": "user1"
    }
}
{
    "action": {
        "outcome": "success",
        "type": "0"
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "globalprotect"
    },
    "geo": {
        "country_iso_code": "FR"
    },
    "message": "1,2020/12/08 14:30:55,011111114444,GLOBALPROTECT,0,2305,2020/12/08 13:30:55,vsys1,gw-auth,login,Other,,user,FR,AAAABBBBB,1.2.3.4,0.0.0.0,0.0.0.0,0.0.0.0,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee,ABCDEFG,5.1.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,user-logon,0,gw1,1234567,0x8000000000000000",
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "user"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "name": "user"
    },
    "user_agent": {
        "os": {
            "name": "Windows",
            "version": "Microsoft Windows 10 Pro , 64-bit"
        }
    }
}
{
    "action": {
        "name": "allow",
        "outcome": "success",
        "type": "start"
    },
    "destination": {
        "address": "4.3.2.1",
        "bytes": 0,
        "ip": "4.3.2.1",
        "nat": {
            "ip": "10.0.1.2",
            "port": 0
        },
        "packets": 0,
        "port": 0
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "traffic",
        "duration": 0
    },
    "message": "<14>Sep 16 10:00:02 PP 1,9/16/19 10:00,1801017000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,1.2.3.4,10.0.1.2,PING,,,ping,vsys,AAAAA,Zone1,ethernet1/1,ae2.11,Secure,9/16/19 10:00,24100,3,0,0,0,0,0x500000,icmp,allow,222,222,0,3,9/16/19 10:00,0,any,0,50660388939,0x0,Spain,France,0,3,0,n/a,0,0,0,0,,PA,from-policy,,,0,,0,,N/A,0,0,0,0",
    "network": {
        "bytes": 222,
        "packets": 3,
        "transport": "icmp"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "10.0.1.2",
            "4.3.2.1"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "1.2.3.4",
        "bytes": 222,
        "ip": "1.2.3.4",
        "nat": {
            "ip": "1.2.3.4",
            "port": 0
        },
        "packets": 3,
        "port": 0
    }
}
{
    "action": {
        "outcome_reason": "authenticated for user 'user1'.   auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.",
        "type": "auth"
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "system"
    },
    "log": {
        "hostname": "fw1",
        "level": "informational"
    },
    "message": "1,2020/12/08 13:44:55,11111114444,SYSTEM,auth,0,2020/12/08 13:44:55,,auth-success,GP,0,0,general,informational,\"authenticated for user 'user1'.   auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.\",5211100,0x8000000000000000,0,0,0,0,,fw1",
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    }
}
{
    "action": {
        "name": "allow",
        "outcome": "success",
        "type": "start"
    },
    "destination": {
        "address": "4.3.2.1",
        "bytes": 70,
        "ip": "4.3.2.1",
        "nat": {
            "ip": "0.0.0.0",
            "port": 0
        },
        "packets": 1,
        "port": 80
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "traffic",
        "duration": 0
    },
    "message": "<14>Sep 16 10:00:02 PA-1 1,9/16/19 10:00,1801016000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,0.0.0.0,0.0.0.0,proxy1,,,web-browsing,vsys1234,v10213,zone1,a.1,b.2,Secure,9/16/19 10:00,60000,1,61000,80,0,0,0x0,tcp,allow,800,700,70,2,9/16/19 10:00,0,any,0,50660381839,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,1,n/a,0,0,0,0,,PP,from-policy,,,0,,0,,N/A,0,0,0,0",
    "network": {
        "bytes": 800,
        "packets": 2,
        "transport": "tcp"
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "4.3.2.1",
            "0.0.0.0"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "1.2.3.4",
        "bytes": 700,
        "ip": "1.2.3.4",
        "nat": {
            "ip": "0.0.0.0",
            "port": 0
        },
        "packets": 2,
        "port": 61000
    }
}
{
    "action": {
        "name": "alert",
        "outcome": "success",
        "type": "vulnerability"
    },
    "destination": {
        "address": "10.2.0.1",
        "ip": "10.2.0.1",
        "nat": {
            "ip": "0.0.0.0",
            "port": 0
        },
        "port": 80
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "action": "code-execution",
        "category": "threat",
        "reason": "PDF Exploit Evasion Found(34805)"
    },
    "file": {
        "path": "EXAMPLE.PDF"
    },
    "log": {
        "hostname": "FW",
        "level": "informational"
    },
    "message": "1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,\"EXAMPLE.PDF\",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342,",
    "network": {
        "transport": "tcp"
    },
    "related": {
        "ip": [
            "10.0.0.2",
            "10.2.0.1",
            "0.0.0.0"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "10.0.0.2",
        "ip": "10.0.0.2",
        "nat": {
            "ip": "0.0.0.0",
            "port": 0
        },
        "port": 12345
    }
}
{
    "action": {
        "name": "reset-both",
        "outcome": "success",
        "type": "deny"
    },
    "destination": {
        "address": "1.2.3.4",
        "bytes": 0,
        "ip": "1.2.3.4",
        "nat": {
            "ip": "5.4.3.2",
            "port": 53
        },
        "packets": 0,
        "port": 53
    },
    "ecs": {
        "version": "1.10.0"
    },
    "event": {
        "category": "traffic",
        "duration": 0
    },
    "message": "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0",
    "network": {
        "bytes": 284,
        "packets": 1,
        "transport": "udp"
    },
    "related": {
        "ip": [
            "5.4.3.2",
            "5.4.4.3",
            "10.0.0.2",
            "1.2.3.4"
        ]
    },
    "sekoiaio": {
        "intake": {
            "dialect": "Palo Alto",
            "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
        }
    },
    "source": {
        "address": "10.0.0.2",
        "bytes": 284,
        "ip": "10.0.0.2",
        "nat": {
            "ip": "5.4.4.3",
            "port": 6379
        },
        "packets": 1,
        "port": 130000
    }
}
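
The samples above show the raw PAN-OS CSV line in `message` next to its normalized form, but not how one is derived from the other. As an added example (not SEKOIA.IO's parser, whose field mapping may differ), the script below parses the five log types shown (USERID, GLOBALPROTECT, SYSTEM, TRAFFIC, THREAT) into ECS-style dicts using the column positions of the PAN-OS CSV layouts as they appear in these samples, strips an optional syslog header (the BSD form `<14>Sep 16 …` seen in the TRAFFIC samples, or an RFC 5424 form for the IETF format selected in the Configure section), and derives `related.ip` / `related.user`. The `log.syslog.*` fields are an addition of this example; `SAMPLES` are the page's own sample lines.

```python
"""Parse PAN-OS CSV log lines, as received over syslog, into ECS-style dicts.

Added example, not SEKOIA.IO's parser. Field positions follow the PAN-OS CSV
layouts (TRAFFIC, THREAT, SYSTEM, USERID, GLOBALPROTECT) as they appear in the
sample messages above; SAMPLES below are copied from those samples.
"""
import csv
import io
import re

# Optional syslog header: BSD style "<14>Sep 16 10:00:02 PA-1 " (as in the TRAFFIC samples)
# or RFC 5424 style "<14>1 2019-09-16T10:00:02Z PA-1 - - - - " (the profile's "IETF" format).
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:1 \S+ (?P<h5424>\S+) \S+ \S+ \S+ (?:-|\[[^\]]*\]) "
    r"|\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<h3164>\S+) )")

# (ECS-style field, 0-based CSV index, converter) per PAN-OS log type.
SESSION = [("source.ip", 7, str), ("destination.ip", 8, str), ("source.nat.ip", 9, str),
           ("destination.nat.ip", 10, str), ("source.port", 24, int), ("destination.port", 25, int),
           ("source.nat.port", 26, int), ("destination.nat.port", 27, int),
           ("network.transport", 29, str), ("action.name", 30, str)]
SCHEMAS = {
    "TRAFFIC": SESSION + [("network.bytes", 31, int), ("source.bytes", 32, int),
                          ("destination.bytes", 33, int), ("network.packets", 34, int),
                          ("event.duration", 36, int), ("source.packets", 44, int),
                          ("destination.packets", 45, int), ("log.hostname", 52, str)],
    "THREAT": SESSION + [("file.path", 31, str), ("event.reason", 32, str), ("log.level", 34, str),
                         ("log.hostname", 59, str), ("event.action", 69, str)],
    "SYSTEM": [("log.level", 13, str), ("action.outcome_reason", 14, str), ("log.hostname", 22, str)],
    "USERID": [("source.ip", 8, str), ("user.name", 9, str), ("log.logger", 10, str),
               ("source.port", 14, int), ("destination.port", 15, int), ("log.hostname", 25, str)],
    "GLOBALPROTECT": [("user.name", 12, str), ("geo.country_iso_code", 13, str), ("source.ip", 15, str),
                      ("user_agent.os.name", 22, str), ("user_agent.os.version", 23, str),
                      ("action.outcome", 28, str)],
}


def put(event, dotted, value):
    """Set a dotted key such as 'source.nat.ip' in a nested dict."""
    node = event
    keys = dotted.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def parse_panos(line):
    """Return an ECS-style dict for one PAN-OS log line, or None for an unknown log type."""
    header = SYSLOG_HEADER.match(line)
    body = line[header.end():] if header else line
    # csv rather than str.split: quoted cells may contain commas ("Microsoft Windows 10 Pro , 64-bit").
    rows = list(csv.reader(io.StringIO(body)))
    fields = rows[0] if rows else []
    if len(fields) < 5 or fields[3] not in SCHEMAS:
        return None
    log_type, subtype = fields[3], fields[4]
    event = {"event": {"category": log_type.lower()}, "action": {"type": subtype}}
    if header:
        pri = int(header.group("pri"))
        put(event, "log.syslog.facility", pri // 8)  # <14> = LOG_USER (1) * 8 + informational (6)
        put(event, "log.syslog.severity", pri % 8)
        put(event, "log.hostname", header.group("h5424") or header.group("h3164"))
    ips, users = set(), set()
    for ecs_name, index, convert in SCHEMAS[log_type]:
        raw = fields[index] if index < len(fields) else ""
        if raw == "":
            continue  # an empty CSV cell never produces a field
        try:
            put(event, ecs_name, convert(raw))
        except ValueError:
            put(event, ecs_name, raw)  # keep the raw cell rather than silently dropping it
        if ecs_name.endswith(".ip"):
            ips.add(raw)
        elif ecs_name == "user.name":
            users.add(raw)
    event["related"] = {"ip": sorted(ips)}
    if users:
        event["related"]["user"] = sorted(users)
    return event


# Sample lines copied from the "Event Samples" section above (USERID, GLOBALPROTECT,
# SYSTEM, TRAFFIC with a BSD syslog header, THREAT); they are not from a live device.
SAMPLES = [
    "1,2020/12/04 16:00:02,016401002222,USERID,login,2305,2020/12/04 16:00:02,vsys,1.2.3.4,user1,srv1.example.local,0,1,12000,0,0,active-directory,,968683723,0x8000000000000000,12,0,0,0,,hostexample,1,,2020/12/04 16:00:02,1,0x80,user1",
    '1,2020/12/08 14:30:55,011111114444,GLOBALPROTECT,0,2305,2020/12/08 13:30:55,vsys1,gw-auth,login,Other,,user,FR,AAAABBBBB,1.2.3.4,0.0.0.0,0.0.0.0,0.0.0.0,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee,ABCDEFG,5.1.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,user-logon,0,gw1,1234567,0x8000000000000000',
    """1,2020/12/08 13:44:55,11111114444,SYSTEM,auth,0,2020/12/08 13:44:55,,auth-success,GP,0,0,general,informational,"authenticated for user 'user1'.   auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.",5211100,0x8000000000000000,0,0,0,0,,fw1""",
    "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0",
    '1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,"EXAMPLE.PDF",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342,',
]


def parse_samples(lines=SAMPLES):
    """Parse every sample line; used by the self-check below."""
    return [parse_panos(line) for line in lines]


if __name__ == "__main__":
    import json
    for parsed in parse_samples():
        print(json.dumps(parsed, sort_keys=True))
```

Two details matter in practice: the CSV must be read with a real CSV reader because the GLOBALPROTECT and THREAT lines carry quoted cells with embedded commas, and the column layout is tied to the PAN-OS release, so a firewall upgrade that appends or shifts columns needs the schema table revisited (the samples above are from 9.x/10.x-era layouts).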

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name Type Description
destination.address keyword Destination network address.
destination.bytes long Bytes sent from the destination to the source.
destination.ip ip IP address of the destination.
destination.nat.ip ip Destination NAT ip
destination.nat.port long Destination NAT Port
destination.packets long Packets sent from the destination to the source.
destination.port long Port of the destination.
email.from.address keyword Email address of the sender.
email.subject keyword Subject of the email message.
email.to.address keyword Email address of the recipient.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.duration long Duration of the event in nanoseconds.
event.reason keyword Reason why this event happened, according to the source
file.path keyword Full path to the file, including the file name.
geo.country_iso_code keyword Country ISO code.
http.request.method keyword HTTP request method.
http.request.referrer keyword Referrer for this HTTP request.
log.level keyword Log level of the log event.
log.logger keyword Name of the logger.
network.bytes long Total bytes transferred in both directions.
network.packets long Total packets transferred in both directions.
network.transport keyword Protocol Name corresponding to the field iana_number.
paloalto.content_type keyword None
source.address keyword Source network address.
source.bytes long Bytes sent from the source to the destination.
source.ip ip IP address of the source.
source.nat.ip ip Source NAT ip
source.nat.port long Source NAT port
source.packets long Packets sent from the source to the destination.
source.port long Port of the source.
user.name keyword Short name or login of the user.
user_agent.name keyword Name of the user agent.
user_agent.os.name keyword Operating system name, without the version.
user_agent.os.version keyword Operating system version as a raw string.

Configure

On Palo Alto appliances, most of the hardware and software activity relevant for security detection and analysis is recorded in three log types.

  • Traffic: Local out traffic, Denied traffic, Allowed traffic
  • System
  • Security

Transport to the collector

Prerequisites

The following prerequisites are needed in order to set up efficient log collection:

  • Have administrator privileges on the Palo Alto
  • Traffic from the firewall towards the Rsyslog collector must be allowed on TCP/514

Configure Palo Alto

Configure a Syslog server profile

  1. In the GUI, go to Device > Server Profiles > Syslog.
  2. Click Add and enter a name for the profile, such as Syslog server.
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. Click Add and enter the information that the firewall requires to connect to the syslog server:
     • Name — Unique name for the server profile.
     • Syslog Server — IP address or fully qualified domain name (FQDN) of the syslog server.
     • Transport — Select TCP.
     • Port — Enter the port the collector listens on (the default is 514).
     • Format — Select the syslog message format to use: IETF.
     • Facility — Select a syslog standard value (the default is LOG_USER); together with the severity it determines the priority (PRI) field.
  5. Click OK to save the server profile.

Configure syslog forwarding for Traffic logs

  1. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
  2. For each log type (here Traffic, Threat and WildFire Malicious) and each severity level, select the Syslog server profile and click OK.
  3. Select Policies > Security and select a policy rule.
  4. Select the Actions tab and select the Log Forwarding profile you created.
  5. In the Profile Type drop-down, select Profiles or Groups, and then select the security profiles or Group Profiles required to trigger log generation and forwarding.
  6. Select both of the Log at Session Start and Log At Session End check boxes, and click OK.

For detailed information about configuring a log forwarding profile and assigning the profile to a policy rule, see Configure Log Forwarding in the Palo Alto Networks documentation.

Configure syslog forwarding for System and User-ID logs

  1. In the GUI, go to Device > Log Settings.
  2. For the System and User-ID log types, click each Severity level (forwarding only High and Critical is also fine), select the Syslog server profile, and click OK.

Transport to SEKOIA.IO

Please refer to the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.