LSO: Syslog - Palo Alto Firewall (Mapping Doc)

This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the Syslog - Palo Alto Firewall log source type.

Prerequisites

Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
Enable the new MPE rules in the LogRhythm System Monitor.
- Select log source type Syslog - Palo Alto Firewall.
- Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.

Log Message Type	Event Type
V 2.0 Catch-all : General DHCP Messages	General DHCP
V 2.0 Authentication Lockout Expired	Account Unlocked
V 2.0 Catch-all	General Information
V 2.0 Catch-all : General Authentication Event	General Authentication Event
V 2.0 Catch-all : System Messages	General System Message
V 2.0 Configuration Messages	Configuration Modified: System
V 2.0 Correlated Event Messages	Suspicious Activity
V 2.0 Data/File/Virus/Spyware Threat Messages	General Threat Message
V 2.0 Decryption Event Messages	Session Information
V 2.0 Flood/Packet Threat Messages	General Threat Message
V 2.0 General Authentication Event	General Authentication Event
V 2.0 General Authentication Event	General Authentication Event
V 2.0 General DHCP Messages	General DHCP
V 2.0 General DNS Signature Information	General Information
V 2.0 General Dynamic DNS Messages	DDNS Update
V 2.0 General GlobalProtect Messages	General VPN Information
V 2.0 General HA Messages	General HA Information
V 2.0 General Logical Link Discovery Protocol	General LLDP Message
V 2.0 General NTPD Messages	NTPD Information
V 2.0 General Path-Based Forwarding Messages	General Information
V 2.0 General Port Message	General State Information
V 2.0 General Remote Access Manager Messages	General Information
V 2.0 General Routing Messages	General Routing Information
V 2.0 General SAML Message	General Authentication Event
V 2.0 General Satellite Connection Messages	General VPN Information
V 2.0 General SSL Manager Messages	General SSLVPN Admin
V 2.0 General System Event	General System Message
V 2.0 General URL-Filtering System Messages	General System Message
V 2.0 General User Profile System Messages	General System Message
V 2.0 General VPN Status Messages	General VPN Information
V 2.0 General Wildfire System Messages	General System Message
V 2.0 GlobalProtect Status Messages	General Authentication Event
V 2.0 GTP Log Messages	General Network Traffic
V 2.0 Host Profile Messages	General Profile Detection
V 2.0 IP Tag Messages	General Profile Detection
V 2.0 Scan Threat Messages	General Threat Message
V 2.0 SCTP Messages	General Network Traffic
V 2.0 Traffic Messages	General Network Traffic
V 2.0 URL Threat Messages	General Threat Message
V 2.0 User ID Messages	General Authentication Event
V 2.0 Vulnerability Threat Messages	General Threat Message
V 2.0 Wildfire Threat Messages	General Threat Message
V 2.0 Wildfire-Virus Threat Messages	General Threat Message
V 2.0 Authentication Messages	General Authentication Event

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with the new log source type Syslog - Palo Alto Firewall. The Change Details column indicates where the new log source type was added.

AIE Rules	Change Details
NIST 800-53: Denial Of Service Rule	Removed object from Group By.
CSC: Config Deleted/Disabled	Removed current Group By fields. Added Group By on Host (Impacted).
CSC: Config Modified	Removed HostName (Impacted) from Group By. Added Host (Impacted) to Group By.
CSC: External DNS Observed	Removed HostName (Origin) and HostName (Impacted) from Group By. Added Host (Origin) and Host (Impacted) to Group By.
CSF: Ext Mltpl Attacks Against Same Host	Removed User (Origin) Group By.
CSF: Ext Denial Of Service	Removed User (Origin) Group By.
CSF: Ext Distrib Denial Of Service	Removed User (Origin) Group By.
CSF: Intrnl Mltpl Unique Attacks Same Host	Removed User (Origin) Group By.
NERC-CIP: System Critical/Error Status Rule	Removed User (Origin) Group By.
HSS: System Critical And Error Conditions Rule	Removed User (Origin) Group By.
MAS: Non-Encrypted Protocol Alert	Changed Primary Criteria from: Field. HostName (Impacted) Filter Mode. Is Not Filtered Values. NOTHING Changed Primary Criteria to: Field. Host (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
CCF: Social Media Event	Added to Primary Criteria: Operator. Or Previous Subject. Social Networking
CCF: Blacklisted Account Alarm	Removed Exclude Filters. Removed Group By fields. Added Group By for Host (Origin). Added Include Filter: Field. User (Origin or Impacted) Filter Mode. Is Not Filtered Values. NOTHING
T1566.002:Spearphishing Link	In rule block 2: Changed Include Filter Command to Action. Changed Command Group By to Action.

Updates to System Reports

The table below indicates changes made to system reports using the new policy LogRhythm Default v2.0 with the new log source type Syslog - Palo Alto Firewall.

Report Name	Change Details
SOX: Non-Encrypted Protocol Summary	Removed first filter with static Known Application list. Removed filter with HostName (Impacted). Added filter: Field. Host (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
SOX: Non-Encrypted Protocol Detail	Removed filter with HostName (Impacted). Added filter: Field. Host (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS: Non-Encrypted Protocol Summary	Removed filter with HostName (Impacted). Added filter: Field. Host (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS: Non-Encrypted Protocol Details	Removed filter with HostName (Impacted). Added filter: Field. Host (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
CCF: Social Media Summary	Added filter: Operator. Or Previous Subject. Social Networking

Updates to System Investigations

The table below indicates changes made to system investigations using the new policy LogRhythm Default v2.0 with the new log source type Syslog - Palo Alto Firewall.

Investigate Name	Change Details
NIST 800-53: Remote Access Activity Detail	Removed existing filter. Added filter: CE. Audit : Authentication Success : User Logon or Audit : Authentication Failure : User Logon Failure Operator. AND Direction. External
CSF: Remote Access Activity Detail	Removed existing filter. Added filter: CE. Audit : Authentication Success : User Logon or Audit : Authentication Failure : User Logon Failure Operator. AND Direction. External
SOX: Non-Encrypted Protocol Inv	Removed filter: Field. HostName (Impacted) Filter Mode. Is Not Filtered Values. NOTHING Added filter: Field. Host (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
CCF: Social Media Inv	Added filter: Operator. Or Previous Subject. Social Networking

Updates to System Report Templates

No changes

Updates to System Tails

No changes