Does Panorama Forward These Events to External SIEMs via Syslog by Default?

L0 Member

Hi everyone,

We're currently integrating Palo Alto logs (via Panorama) into our SIEM solution (Wazuh) using syslog, and I wanted to confirm the log types that are forwarded by default or require additional configuration.

Specifically, does Panorama forward the following events out-of-the-box via syslog?

  • Malware/Spyware detections

  • Command and Control (C2) communications

  • CVE exploit attempts

  • High/Critical severity IPS alerts

  • DNS tunneling or other evasion behaviors

  • Blocked or suspicious URL category access attempts

  • DLP events or sensitive data exfiltration

  • Abnormal login behavior or access to uncommon ports

  • GlobalProtect VPN anomalies (e.g., connection failures, logins from new or suspicious locations)

If some of these aren’t forwarded by default, what additional steps (custom syslog filters, log forwarding profiles, threat signatures, etc.) are needed to ensure these logs are exported properly?

Thanks in advance for any clarification or guidance!

Best regards,
Austin

2 REPLIES

L4 Transporter

Hi @austinsaint278 ,

 

Yes, you can configure the log forwarding profile and send logs to a syslog/SIEM solution. Please refer to the KB below on the configuration.

 

How to Forward Threat Logs to Syslog Server

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFfCAK

Best Regards,


Mohammad Talib

Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem!

Disclaimer: All messages are my personal ones and do not represent my company's view in any way.

Cyber Elite

Hello @austinsaint278

 

Thanks for the post!

 

I am going to break down your question into more details.

 

After logs are forwarded to Panorama's log collector, you will have to set up log forwarding from the log collector to the SIEM. Here is the documentation with instructions on how to do it: Configure Log Forwarding from Panorama to External Destinations. After you complete the configuration, do not forget to commit the changes and push them to the log collectors. In the Syslog profile you can customize the log format; however, unless you have a specific requirement, you can leave it at the default. Unless you configure filtering based on log severity or the filter builder, all logs, regardless of log category, will be forwarded to the SIEM.

 

When it comes to specific events you mentioned in your post:

 

  • Malware/Spyware detections
  • Command and Control (C2) communications
  • CVE exploit attempts
  • High/Critical severity IPS alerts
  • DNS tunneling or other evasion behaviors

 

The above logs will be presented in Threat logs. You do not need additional configuration on the Panorama side to allow log forwarding to the SIEM, except for setting the log forwarding profile described at the beginning of the post. However, you have to make sure that you have a security profile attached to every security policy, with the threat profile set to block/alert based on severity: Internet Gateway Best Practice Security Policy. Also, to allow the firewall to inspect traffic, you will have to enable decryption.

 

For below portion:

 

Blocked or suspicious URL category access attempts

 

you will have to enable the alert or deny action in URL filtering: URL Filtering Profiles to see logs, then you will have to enable URL log forwarding in Panorama. Here are all log fields: URL Filtering Log Fields. URL logs are not part of Threat logs.

 

For this portion:

 

DLP events or sensitive data exfiltration

 

For Data Leak Prevention logs, you will have to enable DLP logging on the firewalls and make sure that DLP logs are configured in Panorama for log forwarding. Here are the DLP log fields: Data Filtering Log Fields.

 

For this portion:

 

Abnormal login behavior or access to uncommon ports

 

you will have to enable traffic log forwarding. It is tricky to give a good answer to this point. As long as you have enabled logging at session end: Session Log Best Practices, you will have all traffic logs; however, you will have to categorize what uncommon ports mean in your organization and reflect it in security policies, then have a rule in the SIEM to detect those events. Here are all traffic log fields: Traffic Log Fields

 

For this portion:

 

GlobalProtect VPN anomalies (e.g., connection failures, logins from new or suspicious locations)

 

you will have to enable GlobalProtect logs: GlobalProtect Log Fields and ideally also HIP Match logs: HIP Match Log Fields. The firewall will not be able to recognize what a suspicious location means in your business context and where your GP clients are usually connecting from. I have seen this function facilitated by an Identity Protection solution or a SIEM. From a quick search it looks like Wazuh has an anomaly detection feature; however, I do not have any experience to judge whether it can fulfill your expectations.

 

Good luck with your setup and threat hunting!

 

Kind Regards,

Pavel

Help the community: Like helpful comments and mark solutions.
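The reply above leaves two decisions to the SIEM side: flagging high/critical Threat logs and deciding what an "uncommon port" is for the organization. The following is an added example (not code from the thread, Palo Alto Networks or Wazuh) that parses PAN-OS default-format syslog lines and applies both rules; the field positions are assumptions about the common CSV prefix of that format and should be checked against the log field references linked above, and the sample lines are constructed.

```python
import csv

# 0-based positions in the common prefix of the PAN-OS default syslog CSV format,
# as assumed here; verify against the log field references linked in the thread.
TYPE, SUBTYPE, SRC, DST, RULE, DPORT, ACTION = 3, 4, 7, 8, 11, 25, 30
THREAT_SEVERITY = 34                      # THREAT logs only
ALERT_SEVERITIES = {"high", "critical"}   # the "High/Critical IPS alerts" case

def parse_panos_syslog(line):
    """Drop the syslog header and return the CSV fields, or None if not PAN-OS."""
    _head, sep, body = line.partition(" 1,")
    return next(csv.reader(["1," + body])) if sep else None

def classify(fields, common_ports):
    """Return an alert string for the two cases the thread discusses, else None."""
    log_type = fields[TYPE].upper()
    if log_type == "THREAT" and len(fields) > THREAT_SEVERITY:
        sev = fields[THREAT_SEVERITY].lower()
        if sev in ALERT_SEVERITIES:
            return (f"threat/{fields[SUBTYPE]} severity={sev} "
                    f"{fields[SRC]}->{fields[DST]} action={fields[ACTION]}")
    elif log_type == "TRAFFIC":
        dport = int(fields[DPORT])
        # "uncommon ports" is organization-defined: anything outside the allowlist
        if dport not in common_ports and fields[ACTION] == "allow":
            return f"uncommon-port dport={dport} {fields[SRC]}->{fields[DST]} rule={fields[RULE]}"
    return None

def run(lines, common_ports=frozenset({53, 80, 443})):
    """Parse every line and collect the alerts that fire, in input order."""
    alerts = []
    for line in lines:
        fields = parse_panos_syslog(line)
        alert = classify(fields, common_ports) if fields else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample lines (not real firewall output): BSD syslog header, then CSV.
HDR = "<14>Jan 30 10:20:30 fw01 "
COMMON = ("1,2024/01/30 10:20:30,001234567890,{t},{st},,2024/01/30 10:20:30,"
          "10.1.2.3,203.0.113.9,198.51.100.4,203.0.113.9,{rule},alice,,{app},"
          "vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-panorama,,123456,1,"
          "51515,{dport},51515,{dport},0x0,tcp,{action},")
THREAT_TAIL = "evil.example.net/beacon,Constructed Beacon(0),command-and-control,{sev},client-to-server"
TRAFFIC_TAIL = "1200,800,400,10,2024/01/30 10:20:00,30,any"
SAMPLE = [
    HDR + COMMON.format(t="THREAT", st="spyware", rule="out-web", app="web-browsing", dport=443, action="reset-both") + THREAT_TAIL.format(sev="critical"),
    HDR + COMMON.format(t="THREAT", st="vulnerability", rule="out-web", app="web-browsing", dport=443, action="alert") + THREAT_TAIL.format(sev="medium"),
    HDR + COMMON.format(t="TRAFFIC", st="end", rule="out-any", app="unknown-tcp", dport=4444, action="allow") + TRAFFIC_TAIL,
    HDR + COMMON.format(t="TRAFFIC", st="end", rule="out-web", app="ssl", dport=443, action="allow") + TRAFFIC_TAIL,
]
```

Running `run(SAMPLE)` yields one alert for the critical spyware log and one for the allowed session to TCP 4444; the medium-severity threat and the 443 session produce nothing.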