topic Re: Threat logs in General Topics

Threat logs

jdprovine — Thu, 16 Jul 2015 20:59:02 GMT

Can the threats logs be sent to a 3rd party syslog server?

Re: Threat logs

staffan — Fri, 17 Jul 2015 06:59:42 GMT

Hi,

Yes it's possible.

You can add a 3rd party syslog server under "Device" -> "Server Profiles" -> "Syslog". Then under "Objects" -> "Log Forwarding" you can specify which profiles you want to send to your syslog-server.

/Staffan

Re: Threat logs

jdprovine — Fri, 17 Jul 2015 12:06:30 GMT

Yes I know how to set up log forwarding and am doing it but those are added to the security policies. What I am asking is if you go to monitor\threat can those be monitored

Re: Threat logs

Sobolenko — Fri, 17 Jul 2015 20:03:24 GMT

Hello,

Currently, the system only allows to see if Monitor Tab was accessed. You can see these events at Monitor->Logs->System.

However, it does not provide information if any sub-options of the tab were used.

Regards,

Val

Re: Threat logs

jdprovine — Mon, 20 Jul 2015 14:40:19 GMT

I don't believe that the point of what I am trying to do is being understood. I know how to set up syslogs,but I want to know if there is a way to send the information from the monitor---> logs-->threat can be sent to a syslog to be analyzed. I am trying to do some automation of the process

Re: Threat logs

googol — Mon, 20 Jul 2015 14:49:37 GMT

Yes, threat logs are sent to syslog as well. Like in Splunk, it is pan_threat.

It is setup under the log forwarding profile you setup

Re: Threat logs

jdprovine — Mon, 20 Jul 2015 15:00:18 GMT

So googol if you choose traffic - any, does that include all the other settings such as threat?

Re: Threat logs

Brandon_Wertz — Mon, 20 Jul 2015 16:05:05 GMT

Are you asking about event correlation? That's done via a SEIM like ArcSight or QRadar. Via a syslog profile you can forward the threat logs to a SEIM which in turn will correlate all relevant logs.

Re: Threat logs

jdprovine — Mon, 20 Jul 2015 16:50:07 GMT

We currently send the information from our syslogs to a seim server to analyze the information but I was asked if we could be more grandular on the type of threat information that is being sent to the seim server from the palot alto

Re: Threat logs

Sobolenko — Mon, 20 Jul 2015 21:05:05 GMT

Well, setup configuring syslogs in my understanding means not only to configure syslog profile, but also setup log forwarding profile as googol says and configure policies to log forward to your syslog server.

Make sure that you have configured your security policies with Threat Prevention Profiles, DDoS profiles so you can see events in Logs->Threat

After all that configured, you will be able to visualize logs that you configured on syslog server in syslog format. You can use simple Kiwi Syslog to do a quick test.

Re: Threat logs

jdprovine — Mon, 20 Jul 2015 21:08:02 GMT

Yes it is going to a syslog server and we are using seim to sort and view the logs but I wanted to know if its possible to send more granular or specific threat logs to the syslog servers

Re: Threat logs

Sobolenko — Tue, 21 Jul 2015 13:55:41 GMT

Could you please explain what do you mean by "more granular"? You will receive threat logs "as is" and in pre-established format. There is no way you can enhance them. Your SIEM can apply correlations and alerts, but they will be based only on the information received from PA.

Re: Threat logs

jdprovine — Tue, 21 Jul 2015 14:06:54 GMT

My boss asked me if it was possible to apply a filter to the threat logs before they are sent to the syslog just like you can add a filter when you are in monitor--->logs--->threat.

Re: Threat logs

Brandon_Wertz — Tue, 21 Jul 2015 16:33:36 GMT

In the 'Log Forwarding" profile that googol included a screen shot of you can elect which threats you wanted to send to your SEIM/Syslog.

Further within the SEIM you can use REGEX to parse the fields and filter exactly the records you're looking for.

For instance a "Threat" log with a threat type of "virus" of a "medium" severity can be filtered to either be included or excluded in your SEIM:

2015/07/21 09:49:53,*DEVICE SN*,THREAT,virus,*A BUNCH OF STUFF SEPARATED BY ALPHA NUMERIC CHARACTERS SEPARATED BY COMMAS* ,Virus/Win32.ramnit.aztfn(2022885),any,medium,server-to-client,*MORE STUFF FOLLOWS*

Here was a log example from our SEIM. You'd have to use REGEX to parse through the log message to the relevant fields but you could filter to the log types you're wanting this way as well.

Re: Threat logs

Sobolenko — Tue, 21 Jul 2015 21:19:04 GMT

As Brandon replied, it is best way to apply filtering on SIEM side. There is no way you can filter it on PA level, the only thing you can do is just select certain severity level to be sent to SIEM. But in that case you are not filtering - you simply not sending these logs to SIEM.

What SIEM do you use? Splunk to be proven good, I tried the others commercials and free - Splunk still best for PA.

Re: Threat logs

jdprovine — Wed, 22 Jul 2015 12:30:42 GMT

I thought that was going to be the case but my boss asked me to investigate and I was unable to find a way to do it that is why I posted on this board

Re: Threat logs

Brandon_Wertz — Wed, 22 Jul 2015 12:34:31 GMT

I think maybe his boss is worried about storage retention, just guessing, that's why he's trying to not even send certain ones. The point of the SIEM though is to have all logs and let the correlation engine decide based upon all possible related information to bring to the front the most relevant logs.

Re: Threat logs

jdprovine — Wed, 22 Jul 2015 12:36:32 GMT

No actually I think my boss is trying to find out all the PA can do and use it to its fullest extent

Re: Threat logs

Brandon_Wertz — Wed, 22 Jul 2015 12:43:15 GMT

Following what you were asking before:

Sending filters that you establish from the threat logs to your syslog SIEM:

IE..( subtype eq vulnerability ) and ( threatid eq 34804 ) and ( app eq web-browsing ) and ( action eq alert ) and ( severity eq medium ) and ( rule eq 'OBB - Alw Guest Netwrk to Inet' )

What would be the point of sending this specifically? Wouldn't it just be easier to use the native functions within the respective tools? IE...the "clickable" filtering in the Palo UI and the regex parsing within your SIEM?

Re: Threat logs

jdprovine — Wed, 22 Jul 2015 12:46:35 GMT

I don't know just trying to do what my boss asked. So I will just tell him that it has to be done on the seim side