With the IBM Security QRadar Palo Alto PA Series Content Extension pack installed the Palo Alto Cortex Data Lake events can be sent to QRadar and ingested by a Palo Alto PA Series log source.
Many of the included CEPs are not successfully parsed in the Cortex Data Lake events. This article contains a workaround to modify the CEPs that are included in the content extension pack to successfully parse the Cortex Data Lake events.
The following steps use the Application CEP as an example, but each affected content extension pack CEP would required manual modification.
- Log in to QRadar user interface as an admin.
- Open DSM Editor by going to the Admin tab, then on the Data Sources section, click DSM Editor.
- In the Select Log Source Type window, select the Palo Alto PA Series log source type:
- On the Properties tab, enter the CEP that you want to modify, in this example we are using Application.
- Click the green plus to add a new ‘Expression’
- Select LEEF as the Expression Type. In the Expression field type the name of the LEEF attribute that you want to parse, for this example we are using Application.
- Click Ok to save the new LEEF expression.
- Drag the new LEEF expression to be the first of the expression list (before the existing Regex expression).
- Click Save to save the changes in the Palo Alto PA Series DSM.
- Repeat the all these steps for each CEP that require modification.
The administrator is able to configure the log source extension for Palo Alto PA Series to extract the information from the needed CEPs.
When support was added for the DSM to ingest the Cortex Data Lake events, the content extension pack was not updated. An IBM Idea was created to request that support of the Cortex Data Lake events be added to the content extension pack:
Was this topic helpful?
21 June 2023