Palo Alto Networks Traps ESM

Palo Alto Networks Traps is an endpoint protection agent that detects and reports unusual events across an organization. If you use Palo Alto Networks Traps, you can configure the Palo Alto ESM Console to forward security events to InsightIDR over syslog. The Palo Alto Networks Traps event source lets InsightIDR parse these forwarded events as third-party alerts.

To set up the Palo Alto Networks Traps event source, you will need to:

  1. Configure the Palo Alto ESM Console
  2. Set up the event source in InsightIDR
  3. Verify the configuration works

Configure the Palo Alto ESM Console

  1. From the ESM Console, select Settings > ESM > Syslog, and Enable Syslog.
  2. Set the Syslog Server to the IP address of the InsightIDR Collector.
  3. Set Syslog Port to an unused port on the Collector; you will enter the same port when you add the event source in InsightIDR.
  4. Use Syslog as the Syslog Protocol.
  5. Choose any timeout or protocol.
  6. Palo Alto categorizes security events as prevention, notification, and post-detection. When sent to InsightIDR, these categories are assigned a Rapid7 severity rating of low, medium, or high, respectively. Send the following categories of security events to InsightIDR:
    • Prevention Events
    • Notification Events
    • Post-Detection Events
  7. Select any additional events that you want to forward to InsightIDR.
  8. Save your changes.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Palo Alto Networks Traps in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Palo Alto Networks Traps event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you want InsightIDR to keep all data, including events it cannot parse, enable the unparsed logs option.
  6. Enter the port you chose in the ESM Console interface.
  7. Select TCP as your protocol.
  8. Save your changes.

Verify the Configuration

After you have configured the Palo Alto ESM Console and set up a new event source in InsightIDR, you need to verify that data is being sent to InsightIDR.

  1. From the left menu, go to Data Collection.
  2. When the “Data Collection Management” page appears, click the Event Sources tab.
  3. Find the Palo Alto event source record that you want to review, and click View raw log. The Raw Logs window will appear.

View Log Examples

To see parsable logs sent by Palo Alto Traps, go to Log Search and select the Third Party Alerts log set.

A parsable log from Palo Alto Traps will look like:

<134>1 2019-08-29T09:38:06.00Z-06:00 - - - Aug 29 2019 09:38:06,Traps Agent,,Threat,Notification Event,hostname-1,user1,New notification event. Parent process: powershell.exe. Child process: csc.exe. Prevention Key: 17494d16-6ee3-498c-ad97-e3839e9fd911,6,Child process Protection,powershell.exe,17494d16-6ee3-498c-ad97-e3839e9fd911,12-34567,,,Aug 29 2019 09:38:01,
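The following Python script is added here as an illustration; it is not part of the InsightIDR or Palo Alto Networks documentation and is not how InsightIDR's own parser is implemented. It splits the sample line above into its syslog header (PRI, version, timestamp, nil "-" placeholders) and the comma-separated Traps payload, and applies the category-to-severity mapping from step 6 of the ESM Console configuration (Prevention, Notification, and Post-Detection events become low, medium, and high). The names given to the payload positions (event_time, module, agent_id, and so on) are assumptions read off this single sample line; the page does not document the Traps field layout.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Rapid7 severity assigned to each Traps event category, as stated in step 6
# of the ESM Console configuration. Keys are normalized (lower-case, spaces
# and hyphens removed) so "Post-Detection Event" and "Post Detection Event"
# both match.
CATEGORY_SEVERITY = {
    "preventionevent": "low",
    "notificationevent": "medium",
    "postdetectionevent": "high",
}

# Syslog header as the ESM Console emits it: <PRI>VERSION TIMESTAMP, followed
# by "-" placeholders for the nil header fields and then the CSV payload.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+(?P<ts>\S+)\s+(?P<rest>.*)$", re.DOTALL
)

# The sample line shown on this page, used as the input for the demo below.
SAMPLE_LINE = (
    "<134>1 2019-08-29T09:38:06.00Z-06:00 - - - Aug 29 2019 09:38:06,Traps Agent,,"
    "Threat,Notification Event,hostname-1,user1,New notification event. "
    "Parent process: powershell.exe. Child process: csc.exe. "
    "Prevention Key: 17494d16-6ee3-498c-ad97-e3839e9fd911,6,"
    "Child process Protection,powershell.exe,"
    "17494d16-6ee3-498c-ad97-e3839e9fd911,12-34567,,,Aug 29 2019 09:38:01,"
)


@dataclass
class TrapsEvent:
    facility: int                   # decoded from PRI (16 = local0)
    syslog_severity: int            # decoded from PRI (6 = informational)
    syslog_timestamp: str           # header timestamp, kept verbatim
    event_time: str                 # assumed: payload field 0
    source: str                     # assumed: payload field 1 ("Traps Agent")
    category: str                   # assumed: payload field 4
    rapid7_severity: Optional[str]  # low / medium / high, or None if unmapped
    hostname: str                   # assumed: payload field 5
    user: str                       # assumed: payload field 6
    description: str                # assumed: payload field 7
    module: str                     # assumed: payload field 9 (protection module)
    process: str                    # assumed: payload field 10
    prevention_key: str             # assumed: payload field 11
    agent_id: str                   # assumed: payload field 12


def _normalize(category: str) -> str:
    return re.sub(r"[\s-]", "", category).lower()


def category_to_severity(category: str) -> Optional[str]:
    """Map a Traps event category to the Rapid7 severity from step 6."""
    return CATEGORY_SEVERITY.get(_normalize(category))


def parse_traps_syslog(line: str) -> TrapsEvent:
    """Parse one ESM syslog line into a TrapsEvent; raise ValueError if malformed."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a <PRI>VERSION TIMESTAMP ... syslog line")
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, and facility is at most 23
        raise ValueError(f"PRI {pri} out of range")

    # Skip the "-" nil placeholders (hostname, app-name, procid); what remains
    # is the comma-separated Traps payload.
    tokens = m.group("rest").split(" ")
    i = 0
    while i < len(tokens) and tokens[i] == "-":
        i += 1
    payload = " ".join(tokens[i:])

    # The csv module handles quoting correctly should a description field
    # ever contain a comma; a plain split(",") would not.
    fields = next(csv.reader(io.StringIO(payload)))
    if len(fields) < 13:
        raise ValueError(f"expected at least 13 payload fields, got {len(fields)}")

    return TrapsEvent(
        facility=pri >> 3,
        syslog_severity=pri & 7,
        syslog_timestamp=m.group("ts"),
        event_time=fields[0],
        source=fields[1],
        category=fields[4],
        rapid7_severity=category_to_severity(fields[4]),
        hostname=fields[5],
        user=fields[6],
        description=fields[7],
        module=fields[9],
        process=fields[10],
        prevention_key=fields[11],
        agent_id=fields[12],
    )


if __name__ == "__main__":
    event = parse_traps_syslog(SAMPLE_LINE)
    for name, value in vars(event).items():
        print(f"{name:17} {value}")
```

Running the script prints each decoded field of the sample line; the category "Notification Event" resolves to the medium Rapid7 severity, which is the value to expect on the corresponding alert in the Third Party Alerts log set. The PRI value 134 decodes to facility 16 (local0) and syslog severity 6, which is independent of the Rapid7 severity and should not be confused with it.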