
QRadar Security Content Pack: Palo Alto PA Series Firewall

Question & Answer


Question

A new security content pack is available for Palo Alto PA Series Firewall. This tech note outlines the changes and provides installation instructions for administrators.

Answer



What is in the Palo Alto PA Series Firewall Security Content Pack?


The Palo Alto PA Series Firewall extension for QRadar adds 16 new custom event properties that are unique to Palo Alto event payloads. Custom event properties allow users to use their firewall event data more efficiently in searches and reports. New custom event properties that are specific to Palo Alto firewall events include: Content Type, Criticality Rating, Destination Zone, Filename, Rule Name, Source Zone, URL, and more. This custom property extension is intended for LEEF-formatted syslog events. For more information, see: DSM Configuration Guide: Palo Alto Networks PA Series Firewall.

NOTE: There is also a Palo Alto App for QRadar on the X-Force App Exchange, which can be found here: Palo Alto Networks App for QRadar.



Custom Event Properties added by the Palo Alto PA Series Firewall Security Content Pack

Description             Regex for the custom event property
Application             Application=([^|]+)
Bytes                   Bytes=([^|]+)
Bytes Received          BytesIn=([^|]+)
Bytes Sent              BytesOut=([^|]+)
Content Type            ContentType=([^|]+)
Criticality Rating      sev=([^|]+)
Destination Zone        DestinationZone=([^|]+)
Elapsed Time            ElapsedTime=([^|]+)
Filename                Filename=([^|]+)
Object Category         URLCategory=([^|]+)
Object Name             \|Miscellaneous="(.*?)(?:"|$)
Object Type(s)          Subtype=([^|]+)
Packets                 Packets=([^|]+)
Rule Name               RuleName=([^|]+)
Source Zone             SourceZone=([^|]+)
URL                     \|subtype=url\|.*?\|Miscellaneous="(.*?)(?:"|$)
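To see how these regexes behave before relying on them in searches or reports, the following added example (not part of the content pack or this tech note) applies each table regex to two constructed pipe-delimited LEEF payloads, one TRAFFIC event and one URL-filtering THREAT event, and returns the first capture group exactly as a regex-based custom event property would be populated. The payload layouts are assumptions modelled on the pipe-delimited LEEF format the regexes expect, not captured firewall output.

```python
import re

# Regexes exactly as listed in the content pack table above.
PROPERTY_REGEX = {
    "Application": r"Application=([^|]+)",
    "Bytes": r"Bytes=([^|]+)",
    "Bytes Received": r"BytesIn=([^|]+)",
    "Bytes Sent": r"BytesOut=([^|]+)",
    "Content Type": r"ContentType=([^|]+)",
    "Criticality Rating": r"sev=([^|]+)",
    "Destination Zone": r"DestinationZone=([^|]+)",
    "Elapsed Time": r"ElapsedTime=([^|]+)",
    "Filename": r"Filename=([^|]+)",
    "Object Category": r"URLCategory=([^|]+)",
    "Object Name": r'\|Miscellaneous="(.*?)(?:"|$)',
    "Object Type(s)": r"Subtype=([^|]+)",
    "Packets": r"Packets=([^|]+)",
    "Rule Name": r"RuleName=([^|]+)",
    "Source Zone": r"SourceZone=([^|]+)",
    "URL": r'\|subtype=url\|.*?\|Miscellaneous="(.*?)(?:"|$)',
}

def extract_properties(payload):
    """Apply every table regex (case-sensitive, first match wins) to one raw
    payload and return {property name: capture group 1} for those that hit."""
    found = {}
    for name, pattern in PROPERTY_REGEX.items():
        match = re.search(pattern, payload)
        if match:
            found[name] = match.group(1)
    return found

# Constructed sample payloads (assumed layout, not real firewall output).
# Note the TRAFFIC layout carries "Subtype=" while the THREAT layout carries
# lowercase "subtype=", which is what the URL regex keys on.
SAMPLE_TRAFFIC = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|TRAFFIC|"
    "cat=TRAFFIC|Subtype=end|SourceZone=trust|DestinationZone=untrust|"
    "RuleName=allow-web|Application=web-browsing|Bytes=5120|BytesOut=1024|"
    "BytesIn=4096|Packets=12|ElapsedTime=3"
)
SAMPLE_THREAT_URL = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|THREAT|"
    "cat=THREAT|subtype=url|SourceZone=trust|DestinationZone=untrust|"
    'RuleName=allow-web|Miscellaneous="example.com/downloads/report.pdf"|'
    "sev=3|URLCategory=business-and-economy|ContentType=application/pdf|"
    "Filename=report.pdf"
)
```

Running `extract_properties` on your own exported events is a quick way to confirm the field names and delimiter in your PAN-OS LEEF profile line up with these regexes before the properties are used in rules.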


Installing a QRadar Extension


The Extension Management window in QRadar is used to add applications to your deployment to improve its functionality or to add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar. The About tab of this article outlines the contents of the extension being added to QRadar.

Procedure

  1. Log in to the X-Force Exchange App Hub: https://exchange.xforce.ibmcloud.com/
  2. If you have not already downloaded the Palo Alto PA Series Firewall extension, you can download the file from: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:PaloAltoPASeriesFirewallCustomProperties
  3. Log in to the QRadar Console as an administrator.
  4. Click the Admin tab.
  5. Click the Extension Management icon.
  6. To upload an extension, click Add and select the extension to upload.
    Note:
    The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
  7. To install the extension immediately, select the Install immediately check box and then click Add.
    A preview of the application content is displayed. You can choose how existing content items are handled.
  8. To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.

    Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.




Document Information

Modified date:
10 May 2019

UID

swg21971461