Incoming feed - Palo Alto PAN-OS Traffic Report

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport type: PAN-OS XML API Traffic Report.

Content type: PAN-OS Traffic Report.

Ingested data: PAN-OS network traffic logs.

Processed data: Hits that match the configured rule criteria for the feed are stored to the platform as sightings.

Description

Set up and configure transport and content types for Palo Alto Networks PAN-OS Traffic Report incoming feeds to process PAN-OS traffic logs to report sightings.

Requirements

Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select PAN-OS XML API Traffic Report.

  3. From the Content type drop-down menu, select PAN-OS Traffic Report.
    The PAN-OS XML API Traffic Report transport type supports only the PAN-OS Traffic Report content type.
    The organization providing the source data for the incoming feed is Palo Alto Networks.

  4. In the API URL field, enter the URL pointing to the API endpoint exposing the service that makes the source data available for retrieval through the feed.
    In this case, enter the API URL pointing to the PAN-OS instance that controls the firewall you want to designate as a network traffic log data source for the feed.
    Format: https://${my_pan-os_instance_url}/api.

  5. In the API key field, enter the API key to access the intelligence provider API and to consume the available services through their API endpoints.

  6. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.
    Default value: 3 days in the past from the current time (now).

  7. In the Security control name field, enter the name of the security control, that is, the firewall controlled by the PAN-OS instance whose URL you define under API URL.
    This name identifies the firewall providing the traffic log data the feed ingests.
    The name you specify here is included in the resulting sightings under Characteristics > Security control > Identity > Name.

  8. Select the Consider only blocked traffic checkbox to limit match searching to only the traffic that the firewall blocked.
    Leave the checkbox deselected to include in the source data pool for the feed both blocked and allowed traffic.

  9. In the Applicable firewall rules field, enter one or more firewall rule names to filter traffic log records, and to limit match searching to only the traffic that the specified rules process.
    This field accepts lists with comma-separated values: if you enter more than one rule name, separate them with a comma.
    If you leave the field empty, the source data pool for the feed includes all traffic log records from the specified firewall.

    Note

    The firewall rule names need to match exactly the firewall rule names assigned to the Rule Name field in the PAN-OS traffic log records; otherwise, they will be ignored.

  10. In the Source network zones field, enter one or more network zone names to filter traffic log records, and to limit match searching to only the traffic belonging to the specified network zones.
    This field accepts lists with comma-separated values: if you enter more than one network zone name, separate them with a comma.
    If you leave the field empty, the source data pool for the feed includes all traffic log records from the specified firewall.

    Note

    The source network zone names need to match exactly the network zone names assigned to the Source Zone field in the PAN-OS traffic log records; otherwise, they will be ignored.

  11. In the Custom filter field, you can enter a custom PAN-OS network traffic filter to ingest only traffic data matching the filter rule criteria.
    A correct custom filter needs to be a valid PAN-OS traffic monitor filtering expression.
    Example:

    (port.src geq 1024) or (port.src leq 22)
    
  12. To store your changes, click Save; to discard them, click Cancel.

Ingestion and processing

Ingested data: Traffic log records (PAN-OS XML API: log-type=traffic)

Resulting entities:

  • Sightings

    • Characteristics > Security control:

      • Name of the security control, system or device sending the sighting data

    • Characteristics > Related observables:

      • IP addresses

      • Open ports

      • Country name

      • Country code

The descriptions of the resulting sightings are prepopulated with data such as: source IP address and port, corresponding geolocation information, any specific firewall/network zones (if applicable), and any firewall action that should be triggered as a response.
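The following script is an added illustration, not part of this article or of the platform's own feed code. It models what the configuration steps above amount to: the feed fields (start date, Consider only blocked traffic, Applicable firewall rules, Source network zones, Custom filter) are composed into a PAN-OS traffic monitor filter expression, that expression is placed in a PAN-OS XML API type=log request, and the entries of a finished log job are mapped to sighting-style records carrying the security control name, source IP and port, geolocation and zone data described in this section. The API URL, API key and security control name are constructed placeholders, the sample XML response is constructed (its element names follow the PAN-OS traffic log fields src, sport, srcloc, from, to, rule and action, but its values are invented), and treating "blocked" as any action other than allow is an assumption of the example rather than a statement of how the platform filters.

```python
"""Offline model of a PAN-OS Traffic Report feed: settings -> query -> sightings."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlencode


def split_list_field(text: str) -> list[str]:
    """Parse a comma-separated feed field ("rule-a, rule-b") into exact names."""
    return [part.strip() for part in text.split(",") if part.strip()]


@dataclass
class FeedSettings:
    api_url: str                  # API URL field, e.g. https://${my_pan-os_instance_url}/api
    api_key: str                  # API key field
    security_control_name: str    # Security control name field
    start_from: datetime          # Start ingesting from field
    blocked_only: bool = False    # Consider only blocked traffic checkbox
    rules: list[str] = field(default_factory=list)         # Applicable firewall rules
    source_zones: list[str] = field(default_factory=list)  # Source network zones
    custom_filter: str = ""       # Custom filter field


def _quoted(name: str) -> str:
    # Quote names so they match the Rule Name / Source Zone fields verbatim; escape
    # embedded single quotes so a configured name cannot alter the expression.
    return "'" + name.replace("'", "\\'") + "'"


def build_traffic_query(s: FeedSettings) -> str:
    """Compose a PAN-OS traffic monitor filter expression from the feed settings."""
    clauses = [f"(receive_time geq '{s.start_from:%Y/%m/%d %H:%M:%S}')"]
    if s.blocked_only:
        # Assumption: "blocked" means any action other than allow (deny, drop, reset-*).
        clauses.append("(action neq allow)")
    if s.rules:
        clauses.append("(" + " or ".join(f"(rule eq {_quoted(r)})" for r in s.rules) + ")")
    if s.source_zones:
        clauses.append("(" + " or ".join(f"(zone.src eq {_quoted(z)})" for z in s.source_zones) + ")")
    if s.custom_filter.strip():
        clauses.append(f"({s.custom_filter.strip()})")
    return " and ".join(clauses)


def build_log_request(s: FeedSettings, nlogs: int = 1000) -> tuple[str, dict[str, str]]:
    """URL and headers for the XML API call that starts a traffic-log job.
    The key is sent in the X-PAN-KEY header rather than the query string so it
    does not end up in proxy or web-server access logs."""
    params = {"type": "log", "log-type": "traffic", "query": build_traffic_query(s), "nlogs": nlogs}
    return f"{s.api_url.rstrip('/')}/?{urlencode(params)}", {"X-PAN-KEY": s.api_key}


@dataclass
class Sighting:
    security_control: str   # Characteristics > Security control > Identity > Name
    observed_at: str
    src_ip: str
    src_port: int
    src_country: str
    source_zone: str
    dest_zone: str
    rule: str
    action: str

    def description(self) -> str:
        return (f"{self.src_ip}:{self.src_port} ({self.src_country}) "
                f"{self.source_zone} -> {self.dest_zone}, rule '{self.rule}', action {self.action}")


def parse_traffic_logs(xml_text: str, s: FeedSettings) -> list[Sighting]:
    """Map a finished type=log response to sightings, re-checking the filters exactly."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"PAN-OS API returned status={root.get('status')!r}")
    job_status = root.findtext("./result/job/status")
    if job_status != "FIN":
        raise RuntimeError(f"log job not finished (status={job_status}); poll the job again")
    sightings: list[Sighting] = []
    for entry in root.iterfind("./result/log/logs/entry"):
        t = lambda tag: (entry.findtext(tag) or "").strip()  # noqa: E731
        # Exact-match re-check: a rule or zone name that differs from the configured
        # one is dropped, never fuzzily matched (mirrors the notes on steps 9 and 10).
        if s.rules and t("rule") not in s.rules:
            continue
        if s.source_zones and t("from") not in s.source_zones:
            continue
        if s.blocked_only and t("action") == "allow":
            continue
        sightings.append(Sighting(s.security_control_name, t("receive_time"), t("src"),
                                  int(t("sport") or 0), t("srcloc"), t("from"), t("to"),
                                  t("rule"), t("action")))
    return sightings


# Constructed sample response: three entries, only the first survives the filters.
SAMPLE_RESPONSE = """<response status="success"><result><job><status>FIN</status></job>
<log><logs count="3">
<entry logid="1"><receive_time>2024/05/01 10:15:00</receive_time><from>untrust</from><to>trust</to>
<src>203.0.113.45</src><sport>51234</sport><dst>10.0.0.5</dst><dport>22</dport>
<srcloc>NL</srcloc><rule>block-inbound-ssh</rule><action>deny</action></entry>
<entry logid="2"><receive_time>2024/05/01 10:16:00</receive_time><from>untrust</from><to>trust</to>
<src>198.51.100.7</src><sport>44000</sport><dst>10.0.0.9</dst><dport>443</dport>
<srcloc>US</srcloc><rule>block-inbound-ssh</rule><action>allow</action></entry>
<entry logid="3"><receive_time>2024/05/01 10:17:00</receive_time><from>trust</from><to>untrust</to>
<src>10.0.0.20</src><sport>50000</sport><dst>192.0.2.1</dst><dport>22</dport>
<srcloc>10.0.0.0-10.255.255.255</srcloc><rule>block-inbound-ssh</rule><action>deny</action></entry>
</logs></log></result></response>"""


def demo_settings() -> FeedSettings:
    """Example feed configuration (placeholder URL, key and control name)."""
    return FeedSettings(
        api_url="https://firewall.example.internal/api",
        api_key="REPLACE_WITH_PAN_OS_API_KEY",
        security_control_name="edge-fw-01",
        start_from=datetime(2024, 4, 28, 0, 0, 0),
        blocked_only=True,
        rules=split_list_field("block-inbound-ssh"),
        source_zones=split_list_field("untrust"),
        custom_filter="(port.src geq 1024) or (port.src leq 22)",
    )


if __name__ == "__main__":
    cfg = demo_settings()
    url, headers = build_log_request(cfg)
    print("query:  ", build_traffic_query(cfg))
    print("request:", url)
    for sighting in parse_traffic_logs(SAMPLE_RESPONSE, cfg):
        print(sighting.description())
```

Running the script prints the composed filter expression, the request URL (without the key, which travels in a header) and one sighting line for the single record that is blocked, hits the configured rule and originates from the configured zone. The client-side re-check in parse_traffic_logs is deliberate: it makes the exact-match requirement from the notes on steps 9 and 10 visible, so a record whose Rule Name or Source Zone differs only in case or whitespace is never turned into a sighting.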

Note

You can feed the platform-generated sightings back to a PAN-OS-controlled firewall to instrument the device to trigger a specific action for matching sightings.
For example: send an alert, block an IP address, or reroute it to a sinkhole.