Cryptsus Blog  |  We craft cyber security solutions.

Palo Alto Firewall Sentinel SIEM integration

By: Jeroen van Kessel  |  September 29th, 2024 | 10 min read

Palo Alto Networks Next-Generation Firewalls (NGFWs) are enterprise-level firewalls. Palo Alto NGFWs use a combination of signature-based detection, behaviour analysis, and machine learning to identify threats. Palo Alto claims they analyze network traffic patterns and application behaviour to detect anomalies. Palo Alto also has its own Threat Intelligence (Threat Vault) to identify threat actors. This blog post showcases how to create Azure Sentinel SIEM use cases based on Palo Alto NGFW alerts for Command and Control (C2), general exploits with published PoCs, malware, viruses and spyware, and malicious URLs.

Palo Alto Security Configuration

First of all, make sure to set the correct blocking rules in your Palo Alto Networks (PAN) PAN-OS configuration. Next, forward your Palo Alto "THREAT" log data to your Linux Rsyslog server, which in turn forwards the useful threat events to Azure Sentinel SIEM via the Azure Monitor Agent (AMA). Lastly, install the Palo Alto AMA data connector in Azure Sentinel.

Once your Palo Alto NGFW log data arrives in the Log Analytics workspace behind Sentinel SIEM, you can leverage the built-in Analytics Rules and Workbooks. Unfortunately, the built-in Azure Sentinel Analytics Rules (use cases) are rather generic and do not bring the necessary depth and details for the SOC team to act fast during a security incident. This is why Cryptsus is sharing custom Analytics Rules (use cases) for hunting possible malicious activity, including IoAs and IoCs based on the MITRE ATT&CK framework. Luckily, the default Sentinel SIEM parser works correctly. However, the Threat Vault signature IDs are inconveniently parsed: the signature name and ID arrive together in the DeviceEventClassID field. This is why we customized the KQL (Kusto Query Language) code for an easy lookup of the Palo Alto Threat Vault threat signature for each alert.

1. Palo Alto firewall detects Command and Control payload

//cryptsus.com - we craft cyber security solutions
//Palo Alto IDS/IPS is based on Threat Vault. Search signatureID here: https://threatvault.paloaltonetworks.com/
CommonSecurityLog
| extend ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query='
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID contains "Command and Control"
//Split "<signature name>(<signature ID>)" on '(' into a named array
| extend SignatureParts = split(DeviceEventClassID, '(')
| extend SignatureName = tostring(SignatureParts[0])
| extend SignatureIDcat = tostring(SignatureParts[1])
//Drop the trailing ')' so only the signature ID remains
| extend SignatureID = substring(SignatureIDcat, 0, strlen(SignatureIDcat) - 1)
| extend ThreatVaultURL = strcat(ThreatVaultBaseURL, SignatureID)
| where isnotempty(RequestURL)
| summarize Amount=count() by RequestURL, DeviceName, SignatureName, ThreatVaultURL, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol

Example result. A reverse shell web shell was detected:

RequestURL				DeviceName		SignatureName						ThreatVaultURL  					ApplicationProtocol 	DeviceEventCategory	Activity	DeviceAction	SourceIP	DestinationIP	DestinationPort	Protocol
paribosyn.lu:5007/web_shell_cmd.gch 	PA_PAN_10_DMZ01_NY	Generic Webshell Command and Control Traffic Detection	https://threatvault.paloaltonetworks.com/?query=83227	web-browsing		spyware			THREAT		reset-server	45.148.10.88	192.180.10.102	5007		tcp
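
The queries on this page take index 1 of a split on '(' as the signature ID, which assumes the signature name itself never contains a parenthesis. The following is an added example, not part of the original post or of Cryptsus's rules: it swaps the split for a regex anchored on the trailing "(digits)" and runs both approaches side by side on a constructed table. The rows, the "variant B" signature name and the ID 99999 are made up for illustration.

```kql
// Added example: all rows are constructed sample data, not real firewall logs.
// Row 1: the "<name>(<id>)" shape the queries on this page expect.
// Row 2: hypothetical signature name that itself contains '('.
// Row 3: a URL-filtering event, which carries no signature ID at all.
let ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query=';
let SampleThreatLog = datatable(DeviceEventClassID:string, DeviceAction:string)
[
    "Generic Webshell Command and Control Traffic Detection(83227)", "reset-server",
    "Constructed Signature (variant B) Detection(99999)", "alert",
    "url", "block-url"
];
SampleThreatLog
// Capture only digits wrapped in the final pair of parentheses
| extend SignatureID = extract(@'\((\d+)\)\s*$', 1, DeviceEventClassID)
// Strip that trailing "(digits)" to get the name; unchanged when there is no ID
| extend SignatureName = trim_end(@'\s*\(\d+\)\s*', DeviceEventClassID)
// Only build a lookup link when an ID was actually found
| extend ThreatVaultURL = iff(isempty(SignatureID), '', strcat(ThreatVaultBaseURL, SignatureID))
// For comparison: what index 1 of a plain split on '(' returns for the same row
| extend SplitBasedID = tostring(split(DeviceEventClassID, '(')[1])
| project DeviceEventClassID, SignatureName, SignatureID, ThreatVaultURL, SplitBasedID, DeviceAction
```

To use this in a rule, replace SampleThreatLog with the CommonSecurityLog filters from the queries on this page.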

2. Palo Alto NGFW detects malware (virus)

//cryptsus.com - we craft cyber security solutions
//Palo Alto IDS/IPS is based on Threat Vault. Search signatureID here: https://threatvault.paloaltonetworks.com/
CommonSecurityLog
| extend ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query='
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID has_any ("ml-virus", "virus", "flood", "spyware", "wildfire-virus")
//Split "<signature name>(<signature ID>)" on '(' into a named array
| extend SignatureParts = split(DeviceEventClassID, '(')
| extend SignatureName = tostring(SignatureParts[0])
| extend SignatureIDcat = tostring(SignatureParts[1])
//Drop the trailing ')' so only the signature ID remains
| extend SignatureID = substring(SignatureIDcat, 0, strlen(SignatureIDcat) - 1)
| extend ThreatVaultURL = strcat(ThreatVaultBaseURL, SignatureID)
| where isnotempty(RequestURL)
| summarize Amount=count() by RequestURL, DeviceName, SignatureName, ThreatVaultURL, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol, LogSeverity

Example result. A malicious binary was detected. Unfortunately, Palo Alto does not provide a file hash checksum of the binary in the log entry:

RequestURL	DeviceName		SignatureName			ThreatVaultURL 						ApplicationProtocol 	DeviceEventCategory	Activity	DeviceAction	SourceIP	DestinationIP	DestinationPort	Protocol
icmp_rev.exe	PA_PAN_10_DMZ01_NY	Machine Learning found virus	https://threatvault.paloaltonetworks.com/?query=599800 	ms-ds-smbv3	 	ml-virus		THREAT	 	reset-both	45.148.10.88	192.180.10.102	445		tcp

3. Palo Alto firewall attacks which are not blocked

//cryptsus.com - we craft cyber security solutions
//Palo Alto IDS/IPS is based on Threat Vault. Search signatureID here: https://threatvault.paloaltonetworks.com/
CommonSecurityLog
| extend ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query='
| where DeviceVendor == "Palo Alto Networks"
| where Activity == "THREAT"
//"alert" means the firewall logged the threat but did not block it
| where DeviceAction == "alert"
//Split "<signature name>(<signature ID>)" on '(' into a named array
| extend SignatureParts = split(DeviceEventClassID, '(')
| extend SignatureName = tostring(SignatureParts[0])
| extend SignatureIDcat = tostring(SignatureParts[1])
//Drop the trailing ')' so only the signature ID remains
| extend SignatureID = substring(SignatureIDcat, 0, strlen(SignatureIDcat) - 1)
| extend ThreatVaultURL = strcat(ThreatVaultBaseURL, SignatureID)
| where SignatureName != "Microsoft Windows NTLMSSP Detection"
| summarize by DeviceName, SignatureName, ThreatVaultURL, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol

Example result. crackmapexec was detected trying to exploit Windows SMB:

DeviceName		SignatureName			   ThreatVaultURL 						ApplicationProtocol 	DeviceEventCategory	Activity	DeviceAction	SourceIP	DestinationIP	DestinationPort	Protocol
pavmhuba2848000001	Microsoft Windows user enumeration https://threatvault.paloaltonetworks.com/?query=30842	ms-ds-smbv3		vulnerability 		THREAT 		alert		45.148.10.88	192.180.10.102	445		tcp

4. Palo Alto firewall blocked URLs

//cryptsus.com - we craft cyber security solutions
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID == "url"
| where isnotempty(RequestURL)
| summarize Amount=count() by RequestURL, DeviceName, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol

Example result. This website was flagged after a user clicked on a malicious phishing e-mail:

RequestURL		DeviceName		ApplicationProtocol	DeviceEventCategory 	Activity DeviceAction	SourceIP	DestinationIP	DestinationPort	Protocol
http://www.824555.com	PA_PAN_10_DMZ01_NY	web-browsing (9999)	threat-hunting		THREAT 	 block-url	45.148.10.88	192.180.10.102	2038		tcp

There are many other use-cases and alerts which can be created based on your environment and business risks. Are you missing important alerts? Is your SIEM outdated? Contact us if you want to take your SIEM to the next level.
