Palo Alto Networks App for QRadar Troubleshooting Guide

panguyen — Mon, 26 Aug 2019 19:41:53 GMT

Panels are not showing any data

1. Check to see if logs are being forwarded properly

Confirm you are receiving LEEF log format in QRadar, navigate to the “Log Activity” tab of QRadar and create an advanced search:

SELECT UTF8(payload) FROM events WHERE devicetype=206

No Results

Check log forwarding configurations in the Firewall/Panorama. Refer to the getting started guide on how to setup log forwarding from the Firewall/Panorama.

Results

Double check that the log contains the word LEEF in the payload.

If LEEF does not exist in the payload then you have setup log forwarding with standard log format. By default QRadar expects logs to be in LEEF format. Refer to the getting started guide on how to send logs in LEEF format.

LEEF Log Forwarding Guide

NOTE: Make sure you are using LEEF format for PAN-OS v7.0-v8.0+

If LEEF exist in the payload, then there may be an issue with the custom properties.

2. Check that custom properties are correct

Confirm each field is being parsed by running this search in the "Log Activity" tab of QRadar.

SELECT "PANW-type", "PANW-subtype", "PANW-category", "PANW-filename", "PANW-threatid", "PANW-vendor-action" from events WHERE "PANW-type"='THREAT'

The columned returned should have values in them. If you are receiving "NA" in the column then there is an issue with the parser.

Navigate to the admin panel and click on "Extensions" and confirm that the "Palo Alto Networks LEEF to Standard log" extension is NOT installed.

This extension is only required if if logs are being sent in the standard log format. This format is not recommended by QRadar. The recommended log format is LEEF.

LEEF to standard log extension was installed

Uninstall both the App and the extension. Then reinstall only the Palo Alto Networks QRadar App.

LEEF logs are being sent but still receiving "NA" in the columns

You may have setup the older LEEF log format on the Firewall/Panorama. In this case please review the LEEF Log Forwarding Guide and make sure you are using PAN-OS v7.0 - v8.0+ format in the log forwarding profile.