This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the Syslog - Palo Alto Firewall log source type. 

Prerequisites

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.

Log Message Type                                Event Type
----------------------------------------------  ------------------------------
V 2.0 Catch-all : General DHCP Messages         General DHCP
V 2.0 Authentication Lockout Expired            Account Unlocked
V 2.0 Catch-all                                 General Information
V 2.0 Catch-all : General Authentication Event  General Authentication Event
V 2.0 Catch-all : System Messages               General System Message
V 2.0 Configuration Messages                    Configuration Modified: System
V 2.0 Correlated Event Messages                 Suspicious Activity
V 2.0 Data/File/Virus/Spyware Threat Messages   General Threat Message
V 2.0 Decryption Event Messages                 Session Information
V 2.0 Flood/Packet Threat Messages              General Threat Message
V 2.0 General Authentication Event              General Authentication Event
V 2.0 General DHCP Messages                     General DHCP
V 2.0 General DNS Signature Information         General Information
V 2.0 General Dynamic DNS Messages              DDNS Update
V 2.0 General GlobalProtect Messages            General VPN Information
V 2.0 General HA Messages                       General HA Information
V 2.0 General Logical Link Discovery Protocol   General LLDP Message
V 2.0 General NTPD Messages                     NTPD Information
V 2.0 General Path-Based Forwarding Messages    General Information
V 2.0 General Port Message                      General State Information
V 2.0 General Remote Access Manager Messages    General Information
V 2.0 General Routing Messages                  General Routing Information
V 2.0 General SAML Message                      General Authentication Event
V 2.0 General Satellite Connection Messages     General VPN Information
V 2.0 General SSL Manager Messages              General SSLVPN Admin
V 2.0 General System Event                      General System Message
V 2.0 General URL-Filtering System Messages     General System Message
V 2.0 General User Profile System Messages      General System Message
V 2.0 General VPN Status Messages               General VPN Information
V 2.0 General Wildfire System Messages          General System Message
V 2.0 GlobalProtect Status Messages             General Authentication Event
V 2.0 GTP Log Messages                          General Network Traffic
V 2.0 Host Profile Messages                     General Profile Detection
V 2.0 IP Tag Messages                           General Profile Detection
V 2.0 Scan Threat Messages                      General Threat Message
V 2.0 SCTP Messages                             General Network Traffic
V 2.0 Traffic Messages                          General Network Traffic
V 2.0 URL Threat Messages                       General Threat Message
V 2.0 User ID Messages                          General Authentication Event
V 2.0 Vulnerability Threat Messages             General Threat Message
V 2.0 Wildfire Threat Messages                  General Threat Message
V 2.0 Wildfire-Virus Threat Messages            General Threat Message

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Updates to AIE Rules

The list below describes the changes made to AIE Rules under the new policy LogRhythm Default v2.0 with the new log source type Syslog - Palo Alto Firewall. Each rule name is followed by its change details, which indicate where the new log source type was added.

NIST 800-53: Denial Of Service Rule
  Removed Object from Group By.

CSC: Config Deleted/Disabled
  Removed current Group By fields.
  Added Group By on Host (Impacted).

CSC: Config Modified
  Removed HostName (Impacted) from Group By.
  Added Host (Impacted) to Group By.

CSC: External DNS Observed
  Removed HostName (Origin) and HostName (Impacted) from Group By.
  Added Host (Origin) and Host (Impacted) to Group By.

CSF: Ext Mltpl Attacks Against Same Host
  Removed User (Origin) Group By.

CSF: Ext Denial Of Service
  Removed User (Origin) Group By.

CSF: Ext Distrib Denial Of Service
  Removed User (Origin) Group By.

CSF: Intrnl Mltpl Unique Attacks Same Host
  Removed User (Origin) Group By.

NERC-CIP: System Critical/Error Status Rule
  Removed User (Origin) Group By.

HSS: System Critical And Error Conditions Rule
  Removed User (Origin) Group By.

MAS: Non-Encrypted Protocol Alert
  Changed Primary Criteria from:
    • Field. HostName (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING
  Changed Primary Criteria to:
    • Field. Host (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

CCF: Social Media Event
  Added to Primary Criteria:
    • Operator. Or Previous
    • Subject. Social Networking

CCF: Blacklisted Account Alarm
  Removed Exclude Filters.
  Removed Group By fields.
  Added Group By for Host (Origin).
  Added Include Filter:
    • Field. User (Origin or Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

T1566.002: Spearphishing Link
  In rule block 2:
    • Changed Include Filter Command to Action.
    • Changed Command Group By to Action.

Updates to System Reports

The list below describes the changes made to system reports under the new policy LogRhythm Default v2.0 with the new log source type Syslog - Palo Alto Firewall. Each report name is followed by its change details.

SOX: Non-Encrypted Protocol Summary
  Removed first filter with static Known Application list.
  Removed filter with HostName (Impacted).
  Added filter:
    • Field. Host (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

SOX: Non-Encrypted Protocol Detail
  Removed filter with HostName (Impacted).
  Added filter:
    • Field. Host (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

PCI-DSS: Non-Encrypted Protocol Summary
  Removed filter with HostName (Impacted).
  Added filter:
    • Field. Host (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

PCI-DSS: Non-Encrypted Protocol Details
  Removed filter with HostName (Impacted).
  Added filter:
    • Field. Host (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

CCF: Social Media Summary
  Added filter:
    • Operator. Or Previous
    • Subject. Social Networking

Updates to System Investigations

The list below describes the changes made to system investigations under the new policy LogRhythm Default v2.0 with the new log source type Syslog - Palo Alto Firewall. Each investigation name is followed by its change details.

NIST 800-53: Remote Access Activity Detail
  Removed existing filter.
  Added filter:
    • CE. Audit : Authentication Success : User Logon or Audit : Authentication Failure : User Logon Failure
    • Operator. AND
    • Direction. External

CSF: Remote Access Activity Detail
  Removed existing filter.
  Added filter:
    • CE. Audit : Authentication Success : User Logon or Audit : Authentication Failure : User Logon Failure
    • Operator. AND
    • Direction. External

SOX: Non-Encrypted Protocol Inv
  Removed filter:
    • Field. HostName (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING
  Added filter:
    • Field. Host (Impacted)
    • Filter Mode. Is Not
    • Filtered Values. NOTHING

CCF: Social Media Inv
  Added filter:
    • Operator. Or Previous
    • Subject. Social Networking

Updates to System Report Templates

  • No changes

Updates to System Tails

  • No changes