Palo Alto Endpoint Security Manager

The IBM® QRadar® DSM for Palo Alto Endpoint Security Manager (Traps) collects events from a Palo Alto Endpoint Security Manager (Traps) device.

The following table describes the specifications for the Palo Alto Endpoint Security Manager DSM:
Table 1. Palo Alto Endpoint Security Manager DSM specifications

Specification                  Value
Manufacturer                   Palo Alto Networks
DSM name                       Palo Alto Endpoint Security Manager
RPM file name                  DSM-PaloAltoEndpointSecurityManager-QRadar_version-build_number.noarch.rpm
Supported versions             3.4.2.17401
Protocol                       Syslog
Event format                   Log Event Extended Format (LEEF); Common Event Format (CEF), CEF:0 is supported
Recorded event types           Agent, Config, Policy, System, Threat
Automatically discovered?      Yes
Includes identity?             No
Includes custom properties?    No
More information               Palo Alto Networks website (https://www.paloaltonetworks.com)

To integrate Palo Alto Endpoint Security Manager with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website (http://www.ibm.com/support).
    • DSMCommon RPM
    • Palo Alto Endpoint Security Manager DSM RPM
  2. Configure your Palo Alto Endpoint Security Manager device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a Palo Alto Endpoint Security Manager log source on the QRadar Console. The following table describes the parameters that require specific values for Palo Alto Endpoint Security Manager event collection:
    Table 2. Palo Alto Endpoint Security Manager log source parameters

    Parameter                Value
    Log Source type          Palo Alto Endpoint Security Manager
    Protocol Configuration   Syslog
    Log Source Identifier    A unique identifier for the log source.
  4. To verify that QRadar is configured correctly, compare a parsed event against the sample event message in the following table. The header is pipe-delimited and the attributes that follow it are tab-delimited.
    Table 3. Palo Alto Endpoint Security Manager sample message

    Event name        Low level category                       Sample log message
    New Hash Added    Successful Configuration Modification    LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|New Hash Added|cat=Policy	subtype=New Hash Added	devTimeFormat=MMM dd yyyy HH:mm:ss	devTime=Nov 03 2016 18:43:57	src=<Source_IP_address>	shost=hostname	suser=	fileHash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx	NewVerdict=Benign	msg=New hash added	sev=6
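To check what a parsed Traps ESM event should yield before trusting the DSM's mapping, the following parser (an added example, not IBM or Palo Alto Networks code) splits the LEEF 1.0 header on its five pipes, splits the attribute block on tabs, and normalises devTime using the devTimeFormat the device supplies. The sample line, the IP address and the hash are constructed placeholders modelled on Table 3.

```python
from datetime import datetime
from typing import Optional

# Constructed sample modelled on the Traps ESM message above; the IP and the
# 64-character hash are placeholders, not values from a real device.
SAMPLE = ("LEEF:1.0|Palo Alto Networks|Traps ESM|3.4.2.17401|New Hash Added|"
          "cat=Policy\tsubtype=New Hash Added\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
          "devTime=Nov 03 2016 18:43:57\tsrc=192.0.2.10\tshost=hostname\tsuser=\t"
          "fileHash=" + "0" * 64 + "\tNewVerdict=Benign\tmsg=New hash added\tsev=6")

# Java SimpleDateFormat tokens used by Traps devTimeFormat -> strptime directives.
JAVA_TO_STRPTIME = (("yyyy", "%Y"), ("MMM", "%b"), ("dd", "%d"),
                    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"))


def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0 record into its pipe-delimited header and tab-delimited
    key=value attributes. The header has exactly five pipes; everything after
    the fifth is the attribute block, so a '|' inside a value survives."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    version, vendor, product, prod_version, event_id, attrs = parts
    event = {"leef_version": version[len("LEEF:"):], "vendor": vendor,
             "product": product, "product_version": prod_version,
             "event_id": event_id}
    for pair in attrs.split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            # No '=' at all: keep the fragment rather than inventing a key.
            event.setdefault("_unparsed", []).append(pair)
            continue
        event[key] = value
    return event


def dev_time(event: dict) -> Optional[datetime]:
    """Normalise devTime using the devTimeFormat the device supplies."""
    fmt, raw = event.get("devTimeFormat"), event.get("devTime")
    if not fmt or not raw:
        return None
    for java_token, directive in JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_token, directive)
    return datetime.strptime(raw, fmt)
```

An empty attribute such as `suser=` parses to an empty string rather than being dropped, which matches how a missing user appears in the QRadar event details.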