A SOC.OS agent must be installed on the network to forward Palo Alto alerts, sent over syslog, to the SOC.OS platform. Wherever Palo Alto documentation refers to the "syslog server", read that as the SOC.OS agent. The following details of the agent must be known before starting:

- The private IP address of the agent and the port on which it listens for Palo Alto alerts
- The transport protocol the agent accepts (UDP, TCP or TLS)
- The syslog message format the agent expects (RFC3164 or RFC5424)

Note that the following information is based on Palo Alto PAN-OS version 9.1. Guides for other versions are similar, and equivalent links are provided wherever available. Please contact support@socos.io with any questions.
Palo Alto Networks publishes general configuration guides for syslog forwarding; the steps below follow the same procedure with SOC.OS-specific values.
For SOC.OS, configuration of Palo Alto can be split into the following steps:

1. Configure a Syslog server profile that points at the SOC.OS agent.
2. Set a custom log format so that alerts are emitted as CEF.
3. Create a Log Forwarding profile that sends the relevant log types to that server profile.
4. Assign the Log Forwarding profile to the security policy rules whose traffic should generate alerts.
5. Commit the configuration.

In the following steps, Traffic, Threat and WildFire Submission logs (equivalent to alerts) will be sent to the SOC.OS Agent in CEF format. Please contact support@socos.io if other log types are desired.
Configure a Syslog server profile:

1. Select Device > Server Profiles > Syslog.
2. Click Add and enter a Name for the profile, e.g. SOC.OS Agent.
3. If the firewall has more than one virtual system, select the Location (a specific vsys or Shared) where this profile is available.
4. In the Servers tab, click Add and enter the prerequisite information about the SOC.OS Agent:
   - Name: a unique name for the server entry, e.g. SOC.OS Agent.
   - Syslog Server: the private IP address of the agent.
   - Transport: select UDP, TCP or SSL (equivalent to TLS) to match the protocol the agent listens on. UDP gives no delivery confirmation and no protection of the alert stream in transit, so prefer TCP or SSL where the agent supports them. With SSL the firewall validates the certificate the agent presents, so that certificate must chain to a CA the firewall trusts (Device > Certificate Management > Certificates).
   - Port: the port number on which the agent listens for Palo Alto alerts.
   - Format: select the syslog format the agent expects: BSD (equivalent to RFC3164) or IETF (equivalent to RFC5424).
   - Facility: a syslog standard value used to calculate the priority (PRI) field of the syslog message. SOC.OS does not use this value, so any suitable value, including the default LOG_USER, is fine.
5. Move on to the next section before clicking OK: the custom log format is configured in the same server profile dialog, and the profile is saved once both parts are complete.
The following steps provide an example of formatting alerts as CEF in PAN-OS version 9.1. The templates below may not be suitable for other versions; refer to the Palo Alto Common Event Format Configuration Guide for the CEF alert templates that match a specific PAN-OS version. Paste each template as a single line, exactly as given.

1. Select the Custom Log Format tab of the server profile.
2. Click Traffic and paste the following into the Traffic Log Format text box, then select OK:

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno reason=$session_end_reason PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name cat=$action_source PanOSActionFlags=$actionflags PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSSCTPAssocID=$assoc_id PanOSSCTPChunks=$chunks PanOSSCTPChunkSent=$chunks_sent PanOSSCTPChunksRcv=$chunks_received PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection PanLinkChange=$link_change_count PanPolicyID=$policy_id PanLinkDetail=$link_switches PanSDWANCluster=$sdwan_cluster PanSDWANDevice=$sdwan_device_type PanSDWANClustype=$sdwan_cluster_type PanSDWANSite=$sdwan_site PanDynamicUsrgrp=$dynusergroup_name

3. Click Threat and paste the following into the Threat Log Format text box, then select OK:

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSURLCatList=$url_category_list PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection PanDynamicUsrgrp=$dynusergroup_name

4. Click WildFire and paste the following into the WildFire Submission Log Format text box, then select OK:

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest fileType=$filetype suid=$sender msg=$subject duid=$recipient oldFileId=$reportid PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSRuleUUID=$rule_uuid

5. Click OK to save the server profile.
Create a Log Forwarding profile:

1. Select Objects > Log Forwarding and click Add.
2. Enter a Name to identify the profile, e.g. SOC.OS Agent.
3. Add a match list entry for each log type to be forwarded (Traffic, Threat and WildFire): give the entry a name, select the Log Type, and under Syslog select the server profile created in the previous section. Leave the Filter at All Logs unless only a subset of alerts should reach SOC.OS.
4. Click OK.

For more information, refer to the following step in the configuration guide: Create a Log Forwarding profile.
Assign the Log Forwarding profile to policy rules:

1. Select Policies > Security and select a policy rule.
2. Select the Actions tab and select the Log Forwarding profile created previously.
3. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles (for example Antivirus, Vulnerability Protection and WildFire Analysis) or the profile group required to trigger log generation and forwarding. Threat and WildFire Submission logs are only generated for traffic that such a profile inspects, so a rule without them produces Traffic logs only.
4. For Traffic logs, select one or both of the Log at Session Start and Log At Session End check boxes, and click OK. Log At Session End alone is usually sufficient; enabling both doubles the Traffic log volume sent to the agent.
5. Repeat for every rule whose traffic should generate alerts.

For more information, refer to the following step in the configuration guide: Assign the Log Forwarding profile to policy rules and network zones.
Once configuration is complete, click Commit in the top toolbar. After the commit succeeds, the firewall forwards Traffic, Threat and WildFire Submission logs for the selected rules to the SOC.OS Agent. Generate some traffic that matches one of those rules, check that the agent is receiving messages on the configured port, and then contact support@socos.io to confirm the alerts are appearing in the SOC.OS platform.