Troubleshooting
Problem
Various Palo Alto event types were configured per DSM guide but only 'TRAFFIC' is parsing.
Symptom
Log Activity for the Palo Alto log source displays only events of type TRAFFIC and is missing all other event types, such as CONFIG, SYSTEM, and THREAT.
Cause
If the log source uses LEEF format and events are not matching the Custom Event Property regular expressions against the payload, the following Custom Event Properties may need to be modified to the expressions listed below.
Object type: [S|s]ubtype=([^|]+)
Bytes: totalBytes=([^|]+)
BytesReceived: srcBytes=([^|]+)
BytesSent: dstBytes=([^|]+)
Resolving The Problem
The Palo Alto DSM has since been updated; the update was distributed as an Auto Update and is also available on IBM Fix Central.
Note: If you do not see Custom Event Properties for Palo Alto, you might need to download the Palo Alto Content Pack from the X-Force App Exchange.
If this Palo Alto DSM update does not resolve the parsing issue, or it cannot be installed for some reason, use the following procedure to update the Custom Event Properties to the expressions suggested above.
Procedure
- Log in to the QRadar Web User Interface.
- Click Admin > Custom Event Properties.
- Enter one of the following in the search box: Object Type, Bytes, BytesReceived, BytesSent.
- Click the Search icon.
- Click the Palo Alto series Custom Event Property, then click Edit.
- Copy the current Regular Expression (RegEx) to a text editor and save it as a backup.
- Scroll down to Extraction and replace the RegEx with the updated expression for that Custom Event Property.
- Click Save.
- Repeat for all other Custom Event Properties that are not parsing data from the event payload.
Object type: [S|s]ubtype=([^|]+)
Bytes: totalBytes=([^|]+)
BytesReceived: srcBytes=([^|]+)
BytesSent: dstBytes=([^|]+)
Note: A later DSM update may cause the RegEx to revert to the QRadar default, so keep the backup copy and re-check parsing after updates.
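Before pasting the four expressions into the Custom Event Property editor, it is worth confirming what each one captures against a real payload copied from Log Activity. The script below is an added example, not part of the IBM technote or the DSM: it applies the four regexes from this page to constructed, pipe-delimited LEEF payloads (invented values, one per event type named in the symptom) and reports which properties extract a value for each type. Python's re module is used as a stand-in for QRadar's Java regex engine; these four patterns use only syntax that behaves identically in both.

```python
import re

# Updated Custom Event Property (CEP) regexes from the technote.
# Note on the first pattern: inside square brackets the "|" is a literal
# character, not alternation, so "[S|s]" matches "S", "s" or "|". It still
# does the intended job of matching both "Subtype=" and "subtype=".
CUSTOM_EVENT_PROPERTIES = {
    "Object type": r"[S|s]ubtype=([^|]+)",
    "Bytes": r"totalBytes=([^|]+)",
    "BytesReceived": r"srcBytes=([^|]+)",
    "BytesSent": r"dstBytes=([^|]+)",
}

# Constructed sample payloads (not captured device output). They use the
# pipe-delimited LEEF layout that "[^|]+" assumes; all field values are made up.
SAMPLE_EVENTS = {
    "TRAFFIC": ("LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|end|"
                "cat=TRAFFIC|subtype=end|src=10.0.0.5|dst=192.0.2.10|"
                "totalBytes=12345|srcBytes=2345|dstBytes=10000|"),
    "THREAT": ("LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|vulnerability|"
               "cat=THREAT|Subtype=vulnerability|src=198.51.100.7|dst=10.0.0.5|"
               "totalBytes=0|srcBytes=0|dstBytes=0|"),
    "SYSTEM": ("LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|general|"
               "cat=SYSTEM|Subtype=general|msg=User admin logged in via Web|"),
    "CONFIG": ("LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|config|"
               "cat=CONFIG|subtype=config|usrName=admin|cmd=commit|"),
}

COMPILED = {name: re.compile(pattern) for name, pattern in CUSTOM_EVENT_PROPERTIES.items()}


def extract(payload):
    """Return {cep_name: captured value or None} for one payload.

    QRadar stores the first capture group of the CEP regex. None means the
    property would stay empty for this event, which is what the symptom in
    the technote looks like when a default pattern does not match.
    """
    result = {}
    for name, regex in COMPILED.items():
        match = regex.search(payload)
        result[name] = match.group(1) if match else None
    return result


def coverage_report(events=SAMPLE_EVENTS):
    """Map each event type to the CEP names that extracted a value from it."""
    return {etype: [name for name, value in extract(payload).items() if value is not None]
            for etype, payload in events.items()}


if __name__ == "__main__":
    for etype, payload in SAMPLE_EVENTS.items():
        print(etype, extract(payload))
    print(coverage_report())
```

Replace the constructed payloads with lines copied from Log Activity for your own log source. Two things the output makes visible: the byte properties are legitimately empty for SYSTEM and CONFIG events, which carry no byte counters, so an empty Bytes field on those types is not a parsing failure; and every expression stops at the next "|", so if your device is configured to send LEEF with a different field delimiter the capture would run past the field boundary and the expressions would need adjusting.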
Document Information
Modified date: 16 June 2018
UID: swg21983351