Collect Palo Alto Networks IOC logs

Overview

This parser extracts IOC data from Palo Alto Networks AutoFocus JSON logs and maps the fields to the UDM. It handles domain, IPv4, and IPv6 indicators, giving priority to domain indicators and converting IP addresses to the appropriate format. It drops unsupported indicator types and sets the categorization to MALWARE unless Trojan is specifically identified in the message field.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Palo Alto AutoFocus.

Configure Palo Alto AutoFocus license

  1. Sign in to Palo Alto Customer Support Portal.
  2. Go to Assets > Site Licenses.
  3. Select Add Site License.
  4. Enter the code.

Obtain Palo Alto AutoFocus API Key

  1. Sign in to Palo Alto Customer Support Portal.
  2. Go to Assets > Site Licenses.
  3. Locate the Palo Alto AutoFocus license.
  4. Click Enable in the Actions column.
  5. Click API Key in the API Key column.
  6. Copy and Save the API Key from the top bar.

Create Palo Alto AutoFocus custom Feed

  1. Sign in to Palo Alto AutoFocus.
  2. Go to Feeds.
  3. Select a feed already created. If no feed is present, proceed to create one.
  4. Click Create A Feed.
  5. Provide a descriptive name.
  6. Create a query.
  7. Select Output method as URL.
  8. Click Save.
  9. Access the feed details:
    • Copy and Save the feed <ID> from the URL. (For example, https://autofocus.paloaltonetworks.com/IOCFeed/<ID>/IPv4AddressC2)
    • Copy and Save the feed name.

Configure a feed in Google SecOps to ingest the Palo Alto AutoFocus logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Palo Alto AutoFocus Logs).
  4. Select Third party API as the Source type.
  5. Select PAN Autofocus as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • Authentication HTTP header: API Key used to authenticate to autofocus.paloaltonetworks.com in apiKey:<value> format. Replace <value> with the AutoFocus API Key copied previously.
    • Feed ID: Custom feed ID.
    • Feed Name: Custom feed name.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field | UDM Mapping | Logic
indicator.indicatorType | indicator.indicatorType | Directly mapped from the raw log. Converted to uppercase.
indicator.indicatorValue | event.ioc.domain_and_ports.domain | Mapped if indicator.indicatorType is DOMAIN.
indicator.indicatorValue | event.ioc.ip_and_ports.ip_address | Mapped if indicator.indicatorType matches "IP(V4|V6|)(_ADDRESS|)". Converted to IP address format.
indicator.wildfireRelatedSampleVerdictCounts.MALWARE | event.ioc.raw_severity | Mapped if present. Converted to string.
tags.0.description | event.ioc.description | Mapped if present for the first tag (index 0).
  |   | Set to PAN Autofocus IOC by the parser.
  |   | Set to HIGH by the parser.
  |   | Set to TROJAN if the message field contains Trojan, otherwise set to MALWARE.
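The following Python function is an added example, not code from the Google SecOps parser, that applies the mapping rules from this table to constructed AutoFocus-style records so the type normalization, domain-versus-IP routing, drop of unsupported types and the TROJAN/MALWARE rule can be checked end to end. The `categorization` key and the decision to drop a record whose IP value does not parse are assumptions, since the page names neither the UDM field for categorization nor the behaviour for a malformed address.

```python
import ipaddress
import re
from typing import Optional

# Indicator types that the mapping table routes to event.ioc.ip_and_ports.ip_address
IP_TYPE_RE = re.compile(r"^IP(V4|V6|)(_ADDRESS|)$")


def map_ioc(record: dict) -> Optional[dict]:
    """Apply the UDM mapping logic from the table to one AutoFocus IOC record.

    Returns UDM-style fields keyed by their UDM path, or None when the record
    is dropped (unsupported indicator type).
    """
    indicator = record.get("indicator", {})
    ioc_type = str(indicator.get("indicatorType", "")).upper()  # uppercased as in the table
    value = str(indicator.get("indicatorValue", ""))
    udm = {"indicator.indicatorType": ioc_type}

    if ioc_type == "DOMAIN":
        udm["event.ioc.domain_and_ports.domain"] = value
    elif IP_TYPE_RE.match(ioc_type):
        try:
            # Canonical IP text (e.g. compressed IPv6); assumption: unparsable values are dropped
            udm["event.ioc.ip_and_ports.ip_address"] = str(ipaddress.ip_address(value))
        except ValueError:
            return None
    else:
        return None  # unsupported indicator type: the parser drops the record

    counts = indicator.get("wildfireRelatedSampleVerdictCounts", {})
    if "MALWARE" in counts:
        udm["event.ioc.raw_severity"] = str(counts["MALWARE"])  # converted to string

    tags = record.get("tags", [])
    if tags and tags[0].get("description"):
        udm["event.ioc.description"] = tags[0]["description"]  # first tag only

    # TROJAN if the message field contains "Trojan", otherwise MALWARE;
    # the page does not name the UDM field, so "categorization" is an assumed key
    udm["categorization"] = "TROJAN" if "Trojan" in str(record.get("message", "")) else "MALWARE"
    return udm


# Constructed sample records for demonstration, not real AutoFocus feed output
SAMPLE_RECORDS = [
    {"indicator": {"indicatorType": "domain", "indicatorValue": "bad.example.com",
                   "wildfireRelatedSampleVerdictCounts": {"MALWARE": 12}},
     "tags": [{"description": "Commodity loader"}], "message": "Trojan dropper"},
    {"indicator": {"indicatorType": "IPv6",
                   "indicatorValue": "2001:0db8:0000:0000:0000:0000:0000:0001"}},
    {"indicator": {"indicatorType": "url", "indicatorValue": "http://example.com/x"}},
]
```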

Changes

2024-07-05

  • Mapped isInteractive to security_result.detection_fields.

2024-04-02

  • Mapped properties.createdDateTime to metadata.event_timestamp.
  • Mapped properties.resourceServicePrincipalId and resourceServicePrincipalId to target.resource.attribute.labels.
  • Mapped properties.authenticationProcessingDetails, authenticationProcessingDetails, and properties.networkLocationDetails to additional.fields.
  • Mapped properties.userAgent to network.http.user_agent and network.http.parsed_user_agent.
  • Mapped properties.authenticationRequirement to additional.fields.