Syslog Splunk Parsing

cancel
Showing results for 
Search instead for 
Did you mean: 

Syslog Splunk Parsing

L2 Linker

Hey everyone, 

 

First time poster. We just rolled out XDR and having some issues getting data into Splunk. The Splunk TA App says it does not support Syslog, but there is loads of documentation for getting agent logs, alerts, management logs sent to Splunk. It seems there may be a disconnect between the DEV's for the APP and Product Management. Has anyone successfully parsed this data? Right now the only thing we are seeing in the API is INC and there are no mappings for CIM data (Which the documentation also says it has support for)

Introduction · GitBook (paloaltonetworks.com)

Cortex XDR is supported starting with App/Add-on 7.0.0.

Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported).

 

Splunk Enterprise Security · GitBook (paloaltonetworks.com)
(Looking at you malware)

Common Information Model (CIM) Compliance

The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.

CIM Datamodel Tags Palo Alto Networks Eventtypes

Change Analysischangepan_config
Emailemail, filterpan_email
Intrusion Detectionids, attackpan_threat
Malwaremalware, attack, operationspan_malware_attacks, pan_malware_operations, pan_wildfire
Network Sessionsnetwork, session, start, endpan_traffic_start, pan_traffic_end
Network Trafficnetwork, communicatepan_traffic
Webweb, proxypan_url
2 REPLIES 2

L0 Member

Hi. If you are using the latest app it work by polling the data via the api and stores in as sourcetype pan:xdr_incident. The data is normalized to be CIM compliant.  You can configure you Splunk to use the API by selecting the Add On and then creating a new input. This requires setting up the API ID/Key inside XDR to be used to poll the data. 

L2 Linker

I already have done this... there is too little information in the Incident to even be considered an alert. 

None of the API data is being tagged for an event. Take the following for example: 

{"incident_id": "6969696", "incident_name": null, "creation_time": 1630475896376, "modification_time": 1630493807149, "detection_time": null, "status": "new", "severity": "medium", "description": "4 'WildFire Malware' alerts prevented by XDR Agent on host foobar involving user foo\\bar", "assigned_user_mail": null, "assigned_user_pretty_name": null, "alert_count": 4, "low_severity_alert_count": 0, "med_severity_alert_count": 4, "high_severity_alert_count": 0, "user_count": 1, "host_count": 1, "notes": null, "resolve_comment": null, "manual_severity": null, "manual_description": null, "xdr_url": "https://foobar.xdr.us.paloaltonetworks.com, "users": ["foo\\bar"], "incident_sources": ["XDR Agent"], "rule_based_score": null, "manual_score": null, "wildfire_hits": 1, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": null, "mitre_tactics_ids_and_names": null, "alert_categories": ["Malware"]}

 

This should be tagged for Malware Data model, but since there is no action field or tags it doesn't. 

(`cim_Malware_indexes`) tag=malware tag=attack


See attached... It flat out fails even the most basic checks. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!