Console
    Contact Us Start free

    Collect Palo Alto Networks IOC logs

    Supported in:

    Overview

    This parser extracts IOC data from Palo Alto Networks Autofocus JSON logs, mapping fields to the UDM. It handles domain, IPv4, and IPv6 indicators, prioritizing domainand converting IP addresses to the appropriate format. It drops unsupported indicator types and defaults categorization to MALWAREunless Trojanis specifically identified in the message.

    Before you begin

    Ensure that you have the following prerequisites:

    • Google SecOps instance.
    • Privileged access to Palo Alto AutoFocus.

    Configure Palo Alto AutoFocus license

    1. Sign in to Palo Alto Customer Support Portal .
    2. Go to Assets > Site Licenses.
    3. Select Add Site License.
    4. Enter the code.

    Obtain Palo Alto AutoFocus API Key

    1. Sign in to Palo Alto Customer Support Portal .
    2. Go to Assets > Site Licenses.
    3. Locate the Palo Alto AutoFocus license.
    4. Click Enablein the Actions column.
    5. Click API Keyin the API Key column.
    6. Copyand Savethe API Key from the top bar.

    Create Palo Alto AutoFocus custom Feed

    1. Sign in to Palo Alto AutoFocus.
    2. Go to Feeds.
    3. Select a feed already created. If no feed is present, proceed to create one.
    4. Click add Create A Feed.
    5. Provide a descriptive name.
    6. Create a query.
    7. Select Outputmethod as URL.
    8. Click Save.
    9. Access the feed details:
      • Copyand Savethe feed <ID> from the URL. (For example, https://autofocus.paloaltonetworks.com/IOCFeed/<ID>/IPv4AddressC2 )
      • Copyand Savethe feed name.

    Set up feeds

    To configure a feed, follow these steps:

    1. Go to SIEM Settings > Feeds.
    2. Click Add New Feed.
    3. On the next page, click Configure a single feed.
    4. In the Feed namefield, enter a name for the feed; for example, Palo Alto Autofocus Logs.
    5. Select Third party APIas the Source type.
    6. Select PAN Autofocusas the Log type.
    7. Click Next.
    8. Specify values for the following input parameters:
      • Authentication HTTP header: API Key used to authenticate to autofocus.paloaltonetworks.com in apiKey:<value> format. Replace <value> with the AutoFocus API Key copied previously.
      • Feed ID: Custom feed ID.
      • Feed Name: Custom feed name.
    9. Click Next.
    10. Review the feed configuration in the Finalizescreen, and then click Submit.

    UDM Mapping Table

    Log Field UDM Mapping Logic
    indicator.indicatorType
    		indicator.indicatorType Directly mapped from the raw log. Converted to uppercase.
    indicator.indicatorValue
    		event.ioc.domain_and_ports.domain Mapped if indicator.indicatorType is DOMAIN.
    indicator.indicatorValue
    		event.ioc.ip_and_ports.ip_address Mapped if indicator.indicatorType matches "IP(V4|V6|)(_ADDRESS|)". Converted to IP address format.
    indicator.wildfireRelatedSampleVerdictCounts.MALWARE
    		event.ioc.raw_severity Mapped if present. Converted to string.
    tags.0.description
    		event.ioc.description Mapped if present for the first tag (index 0). Set to PAN Autofocus IOCby the parser. Set to HIGHby the parser. Set to TROJANif the message field contains Trojan, otherwise set to MALWARE.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: