How To Investigate Palo Alto NGFW Alerts

Do you have a Palo Alto NGFW (or more than one) and wonder how to check whether the alerts it emits involve post-exploitation activity or lateral movement?

This post outlines how to configure syslog forwarding from your NGFW(s) to the Efflux Platform for automatic investigations.

Steps

  • Log in to your NGFW and select "Device" from the top navigation bar
  • On the left menu, under "Server Profiles", click "Syslog"
  • Choose "Add" from the bottom of the page
  • In the pop-up, choose "Add"
  • Give the profile a Name (NOTE: Provide name in both sections)
  • Set the IP of the Efflux Collector
  • Transport and Port should be UDP and 514
  • Format should be BSD
  • NOTE: Do not save yet; you must first update "Custom Log Format" (see the image below)
  • Click "Custom Log Format"
  • Click "Threat"
  • Copy the below into "Threat Log Format"
CEF:0|Palo Alto Networks|PAN-OS|7.0.0|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest requestClientApplication=$user_agent fileType=$filetype panosxforwarderfor=$xff panosreferer=$referer suid=$sender msg=$subject duid=$recipient oldFileId=$reportid PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name
  • Click "OK"
  • Back in the "Custom Log Format" tab, now click "Traffic"
  • Copy the below into "Traffic Log Format"
CEF:0|Palo Alto Networks|PAN-OS|7.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno reason=$session_end_reason PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name cat=$action_source
  • Click "OK" to exit "Custom Log Format"
  • Click "OK" to save and exit the "Syslog Server Profile"
  • Along the top navigation, click "Objects"
  • Along the left, click "Log Forwarding"
  • Along the bottom, click "Add"
  • Give the Log Forwarding Profile a "Name"
  • UPDATE (28 Oct): Under Traffic Settings, set Syslog to None (the image below shows Traffic logs being forwarded, but they can be disabled because Efflux does not process Traffic logs)
  • Under Threat Settings, set Syslog to the Efflux profile for every severity except Informational
  • Under WildFire Settings, set Syslog to the Efflux profile for Malicious
  • Click "OK"
  • Your log forwarding should now be saved

The Efflux Platform will now consume and begin automatic investigation of all Palo Alto NGFW alerts.
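To sanity-check what the collector will receive, here is an added example (not Efflux's code or Palo Alto's) that parses one line in the Threat Log Format above: it splits the pipe-delimited header while honouring CEF escapes, reads the key=value extension (values such as rt= and cs3Label= contain spaces, so it splits at the next key rather than at whitespace), resolves the csNLabel/csN pairs to readable names, and flags internal-to-internal hits for a closer lateral-movement look. The sample line, the INTERNAL_ZONES set and every field value are constructed for the example, and cat=$threatid is treated as an opaque identifier.

```python
import re

# The seven pipe-delimited CEF header fields, in order.
HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # key = [A-Za-z0-9_]+ '=' at start/after space
INTERNAL_ZONES = {"users", "servers", "trust"}       # assumed internal zone names, not from the post

def _split_header(line):
    r"""Return the 7 header fields (with \| and \\ unescaped) and the extension text."""
    fields, pos = [], 0
    for m in re.finditer(r"((?:\\.|[^|\\])*)\|", line):   # text up to the next unescaped '|'
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1))); pos = m.end()
        if len(fields) == 7:
            return fields, line[pos:]
    raise ValueError("malformed CEF header")

def _unescape(value):
    r"""Undo the extension escapes \= \\ \n \r in one left-to-right pass."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    """Map key=value pairs; values may contain spaces, so split at the next key, not at ' '."""
    keys, out = list(KEY_RE.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_pan_cef(line):
    """Parse one line in the Threat Log Format above and resolve csNLabel/csN pairs to names."""
    hdr, ext = _split_header(line.rstrip("\r\n"))
    rec = dict(zip(HEADER, hdr))
    rec["ext"] = _parse_extension(ext)
    rec["named"] = {label: rec["ext"][k[:-5]] for k, label in rec["ext"].items()
                    if k.endswith("Label") and k[:-5] in rec["ext"]}
    return rec

def triage(rec):
    """Summarize the alert and flag internal-to-internal hits worth a lateral-movement look."""
    zones = (rec["named"].get("Source Zone"), rec["named"].get("Destination Zone"))
    return {"threat_id": rec["ext"].get("cat"), "severity": int(rec["severity"]),
            "src": rec["ext"].get("src"), "dst": rec["ext"].get("dst"),
            "rule": rec["named"].get("Rule"), "east_west": all(z in INTERNAL_ZONES for z in zones)}

# Constructed sample line in the Threat Log Format from the post (every value is made up).
SAMPLE = ("CEF:0|Palo Alto Networks|PAN-OS|7.0.0|vulnerability|THREAT|4|rt=Oct 28 2015 12:00:00 GMT "
          "deviceExternalId=0009C100001 src=10.1.2.3 dst=10.1.5.6 cs1Label=Rule cs1=allow-internal "
          "suser=jdoe duser= app=web-browsing cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone "
          "cs4=users cs5Label=Destination Zone cs5=servers spt=51234 dpt=80 proto=tcp act=alert "
          "request=/cgi-bin/login.cgi?user\\=a cat=30000 dvchost=PA-edge-01")
```

Running `triage(parse_pan_cef(SAMPLE))` on the constructed line yields the threat ID, severity, endpoints, rule name and an east_west flag of True, since both zones are in the assumed internal set.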

Happy Hunting!

— John Myers, CTO & Co-founder, Efflux Systems