Collect Palo Alto Networks IOC logs

Supported in:

Overview

This parser extracts IOC data from Palo Alto Networks Autofocus JSON logs, mapping fields to the UDM. It handles domain, IPv4, and IPv6 indicators, prioritizing domain and converting IP addresses to the appropriate format. It drops unsupported indicator types and defaults categorization to MALWARE unless Trojan is specifically identified in the message.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance.
  • Privileged access to Palo Alto AutoFocus.

Configure Palo Alto AutoFocus license

  1. Sign in to Palo Alto Customer Support Portal.
  2. Go to Assets > Site Licenses.
  3. Select Add Site License.
  4. Enter the code.

Obtain Palo Alto AutoFocus API Key

  1. Sign in to Palo Alto Customer Support Portal.
  2. Go to Assets > Site Licenses.
  3. Locate the Palo Alto AutoFocus license.
  4. Click Enable in the Actions column.
  5. Click API Key in the API Key column.
  6. Copy and Save the API Key from the top bar.

Create Palo Alto AutoFocus custom Feed

  1. Sign in to Palo Alto AutoFocus.
  2. Go to Feeds.
  3. Select a feed already created. If no feed is present, proceed to create one.
  4. Click add Create A Feed.
  5. Provide a descriptive name.
  6. Create a query.
  7. Select Output method as URL.
  8. Click Save.
  9. Access the feed details:
    • Copy and Save the feed <ID> from the URL. (For example, https://autofocus.paloaltonetworks.com/IOCFeed/<ID>/IPv4AddressC2)
    • Copy and Save the feed name.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Palo Alto Autofocus Logs.
  5. Select Third party API as the Source type.
  6. Select PAN Autofocus as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:
    • Authentication HTTP header: API Key used to authenticate to autofocus.paloaltonetworks.com in apiKey:<value> format. Replace <value> with the AutoFocus API Key copied previously.
    • Feed ID: Custom feed ID.
    • Feed Name: Custom feed name.
  9. Click Next.
  10. Review the feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Authentication HTTP header: API Key used to authenticate to autofocus.paloaltonetworks.com in apiKey:<value> format. Replace <value> with the AutoFocus API Key copied previously.
  • Feed ID: Custom feed ID.
  • Feed Name: Custom feed name.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

UDM Mapping Table

Log Field UDM Mapping Logic
indicator.indicatorType indicator.indicatorType Directly mapped from the raw log. Converted to uppercase.
indicator.indicatorValue event.ioc.domain_and_ports.domain Mapped if indicator.indicatorType is DOMAIN.
indicator.indicatorValue event.ioc.ip_and_ports.ip_address Mapped if indicator.indicatorType matches "IP(V4|V6|)(_ADDRESS|)". Converted to IP address format.
indicator.wildfireRelatedSampleVerdictCounts.MALWARE event.ioc.raw_severity Mapped if present. Converted to string.
tags.0.description event.ioc.description Mapped if present for the first tag (index 0). Set to PAN Autofocus IOC by the parser. Set to HIGH by the parser. Set to TROJAN if the message field contains Trojan, otherwise set to MALWARE.

Changes

2024-07-05

  • Mapped isInteractive to security_result.detection_fields.

2024-04-02

  • Mapped properties.createdDateTime to metadata.event_timestamp.
  • Mapped properties.resourceServicePrincipalId and resourceServicePrincipalId to target.resource.attribute.labels.
  • Mapped properties.authenticationProcessingDetails, authenticationProcessingDetails, and properties.networkLocationDetails to additional.fields.
  • Mapped properties.userAgent to network.http.user_agent and network.http.parsed_user_agent.
  • Mapped properties.authenticationRequirement to additional.fields.

Need more help? Get answers from Community members and Google SecOps professionals.