How To Investigate Palo Alto NGFW Alerts
Do you have a Palo Alto NGFW (or more than one) and wonder how to check whether the alerts it emits involve post-exploitation activity or lateral movement?
This post walks through configuring syslog forwarding from your NGFW(s) to the Efflux Platform so that those alerts are investigated automatically.
- Log in to your NGFW and select "Device" from the top navigation bar
- On the left menu, under "Server Profiles", click "Syslog"
- Click "Add" at the bottom of the page
- In the Syslog Server Profile pop-up, click "Add" to create a server entry
- Give the profile a Name (NOTE: a name is required in both sections, the profile itself and the server entry)
- Set the IP of the Efflux Collector
- Set Transport to UDP and Port to 514 (plain UDP syslog is neither encrypted nor acknowledged, so keep the firewall-to-collector path on a trusted management network)
- Set Format to BSD
- NOTE: Do not click "OK" yet; you must first update "Custom Log Format" (see the image below)
- Click the "Custom Log Format" tab
- Click "Threat"
- Copy the format below into "Threat Log Format"
- Click "OK"
- Back in the "Custom Log Format" tab, click "Traffic"
- Copy the format below into "Traffic Log Format"
- Click "OK" to close the "Traffic Log Format" dialog
- Click "OK" to save and close the "Syslog Server Profile"
- Along the top navigation, click "Objects"
- Along the left, click "Log Forwarding"
- Along the bottom, click "Add"
- Give the Log Forwarding Profile a "Name"
- UPDATE (28 Oct): Under Traffic Settings, set Syslog to None (the image below shows Traffic logs being forwarded, but these can be disabled because Efflux does not process Traffic logs)
- Under Threat Settings, set Syslog to the Efflux profile for every severity except Informational
- Under WildFire Settings, set Syslog to the Efflux profile for Malicious only
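Before pointing the profile at the real collector it is worth confirming that what leaves the firewall is what the Log Forwarding profile above is meant to send: Threat logs of every severity except informational, WildFire logs with a malicious verdict, and no Traffic logs. The script below is an added example, not code from the original post or from Efflux: it parses BSD-framed (RFC 3164) syslog, reads the message body as key=value pairs built from PAN-OS custom-log-format variables ($type, $subtype, $severity, $src, $dst, $threatid, $action, $category, $misc), applies the same filter the profile applies, and flags anything that should not have arrived. The key=value layout, the field names, the serial/host name and all sample lines are assumptions constructed for the example; the page's own Threat and Traffic format strings are not reproduced here. It also assumes, as PAN-OS requires, that the Log Forwarding profile has been attached to the relevant security rules and the configuration committed, since nothing is sent until then.

```python
"""Offline and live sanity check for PAN-OS -> syslog forwarding.

Run as a script to triage the constructed sample lines; uncomment listen()
(bound to a high port for testing, 514 needs root) and point the Syslog Server
Profile at that host/port to watch real events arrive.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMED custom log format for this example (the page's real format is not
# shown here). It uses genuine PAN-OS custom-log-format variables:
#   type=$type subtype=$subtype sev=$severity src=$src dst=$dst
#   tid=$threatid act=$action cat=$category misc="$misc"
BSD_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                          # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "      # Mmm dd HH:MM:SS
    r"(?P<host>\S+) "                                     # hostname or serial
    r"(?P<msg>.*)$"
)
# key=value tokens; a quoted value may contain spaces.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Severities the Log Forwarding profile sends for Threat logs (everything but informational).
FORWARDED_THREAT_SEVERITIES = {"low", "medium", "high", "critical"}


@dataclass
class PanEvent:
    facility: Optional[int]      # from <PRI>, PRI = facility * 8 + severity
    syslog_severity: Optional[int]
    host: str
    fields: Dict[str, str]


def parse_bsd(line: str) -> Optional[PanEvent]:
    """Parse one BSD syslog line into header values plus the key=value body."""
    m = BSD_HEADER.match(line.strip())
    if not m:
        return None
    pri = m.group("pri")
    facility = int(pri) // 8 if pri is not None else None
    severity = int(pri) % 8 if pri is not None else None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group("msg"))}
    return PanEvent(facility, severity, m.group("host"), fields)


def expected_by_profile(ev: PanEvent) -> bool:
    """Mirror of the Log Forwarding profile configured above.

    TRAFFIC  -> Syslog None, never expected at the collector
    THREAT   -> every severity except informational
    WILDFIRE -> only a malicious verdict ($category carries the verdict;
                the WILDFIRE type and verdict-in-category are assumptions here)
    """
    log_type = ev.fields.get("type", "").upper()
    if log_type == "THREAT":
        return ev.fields.get("sev", "").lower() in FORWARDED_THREAT_SEVERITIES
    if log_type == "WILDFIRE":
        return ev.fields.get("cat", "").lower() == "malicious"
    return False


def triage(lines: List[str]) -> Tuple[List[PanEvent], List[PanEvent], List[str]]:
    """Split lines into (expected, unexpected, unparsed).

    Anything in 'unexpected' arrived although the profile should have filtered
    it, which points at a Threat/Traffic/WildFire setting that is not as above.
    """
    expected, unexpected, unparsed = [], [], []
    for line in lines:
        ev = parse_bsd(line)
        if ev is None:
            unparsed.append(line)
        elif expected_by_profile(ev):
            expected.append(ev)
        else:
            unexpected.append(ev)
    return expected, unexpected, unparsed


def listen(bind: str = "0.0.0.0", port: int = 5514) -> None:
    """Live check: receive UDP syslog and report each event against the profile."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (peer, _) = s.recvfrom(65535)
            ev = parse_bsd(data.decode("utf-8", "replace"))
            if ev is None:
                print(f"{peer}: UNPARSED {data[:80]!r}")
                continue
            verdict = "ok" if expected_by_profile(ev) else "UNEXPECTED (check profile)"
            f = ev.fields
            print(f"{peer}: {verdict} {f.get('type')} sev={f.get('sev')} "
                  f"{f.get('src')}->{f.get('dst')} tid={f.get('tid')} cat={f.get('cat')}")


# Constructed sample input (hosts, IPs and threat IDs are made up), PRI 14 = user.info.
SAMPLE = [
    '<14>Oct 28 09:15:01 PA-TEST type=THREAT subtype=vulnerability sev=critical src=10.1.5.23 dst=10.1.9.8 tid=10001 act=reset-both cat=code-execution misc=""',
    '<14>Oct 28 09:15:03 PA-TEST type=THREAT subtype=vulnerability sev=informational src=10.1.5.23 dst=10.1.9.9 tid=10002 act=alert cat=info-leak misc=""',
    '<14>Oct 28 09:15:05 PA-TEST type=WILDFIRE subtype=wildfire sev=medium src=10.1.5.23 dst=203.0.113.7 tid=52 act=alert cat=malicious misc="invoice.docx"',
    '<14>Oct 28 09:15:06 PA-TEST type=WILDFIRE subtype=wildfire sev=informational src=10.1.5.23 dst=203.0.113.7 tid=52 act=alert cat=benign misc="readme.txt"',
    '<14>Oct 28 09:15:07 PA-TEST type=TRAFFIC subtype=end sev=informational src=10.1.5.23 dst=10.1.9.8 act=allow cat=any misc=""',
    'this is not a syslog line',
]

if __name__ == "__main__":
    ok, bad, junk = triage(SAMPLE)
    print(f"expected={len(ok)} unexpected={len(bad)} unparsed={len(junk)}")
    for ev in bad:
        print("should have been filtered by the profile:", ev.fields.get("type"), ev.fields.get("sev"))
    # listen(port=5514)
```

If the live listener prints any UNEXPECTED line, the Log Forwarding profile is still sending Traffic logs or informational Threat logs, or the profile attached to the rule is not the one configured above; an UNPARSED line usually means the Custom Log Format was saved for one log type but not the other.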