Palo Alto Traps TMS

Palo Alto Traps TMS is endpoint detection and response software that detects threats such as unknown malware, exploits, and ransomware. InsightIDR provides a Palo Alto Traps TMS event source that you can configure to parse its threat logs for virus infection events.

Palo Alto Traps TMS log formatting

InsightIDR only supports parsing of Palo Alto Traps TMS event source logs in Syslog format.

To set up Palo Alto Traps TMS, you’ll need to:

  1. Review “Before You Begin” and note any requirements.
  2. Set up the Palo Alto Traps TMS event source in InsightIDR.
  3. Verify the configuration works.

Before you begin

The InsightIDR collector cannot connect directly to Palo Alto Traps TMS. You must set up a machine capable of receiving logs from Palo Alto and forwarding them to the collector.

For more information on setting up log forwarding, see: https://docs.paloaltonetworks.com/cortex/log-forwarding/log-forwarding-app-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Palo Alto Traps TMS in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Palo Alto Traps TMS event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. If you are sending additional events beyond alerts and want them in Log Search, select the unparsed logs checkbox.
  7. You can specify a Default Domain or add a new domain if needed.
  8. Enter a Port number.
  9. Choose a Protocol.
  10. Click Save.

Verify the configuration

  1. From the left menu, click Log Search to confirm that events are reaching the Collector. Palo Alto Traps TMS logs flow into the Virus Alert Log Set.
  2. Next, perform a Log Search to make sure Palo Alto Traps TMS events are coming through.

Example input logs:

Log 1:
{\"MessageSourceAddress\":\"100.200.100.200\",\"EventReceivedTime\":\"2020-06-17 07:06:51\",\"SourceModuleName\":\"tcp_ssl\",\"SourceModuleType\":\"im_ssl\",\"SyslogFacilityValue\":1,\"SyslogFacility\":\"USER\",\"SyslogSeverityValue\":5,\"SyslogSeverity\":\"NOTICE\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"Hostname\":\"100.200.100.200\",\"EventTime\":\"2020-12-31 19:21:06\",\"Message\":\"<14>1 2020-06-17T11:06:51.402Z logforwarder-3029707592971507306-86c58f6f46-42sjg logforwarder 8 panwlogs - threat,,,,2020-06-17T11:06:24.000000Z,2020-06-17T11:06:25.745518,2020-06-17T11:06:24.000000Z,-240,,,594860012,,,,,1,88cd39eb39c8b0989329df2dc405aa47,1,0,10.0.14393,1,10.10.100.23,HOST,rapid7.org,4,2,7.1.0.45682,132-30505,0,5d6dd5acf5fd4f4c8e3aa2e28db3f160,COMPONENT_WILDFIRE,Malware,CYSTATUS_MALICIOUS_EXE,1,blocked,1,,,0,0,\\\"[\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"1\\\"\\\"]\\\",0,,0,\\\"[{\\\"\\\"pid\\\"\\\":4764,\\\"\\\"parentId\\\"\\\":2792,\\\"\\\"exeFileIdx\\\"\\\":0,\\\"\\\"userIdx\\\"\\\":0,\\\"\\\"commandLine\\\"\\\":\\\"\\\"\\\\\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\\\\\"\\\"\\\"\\\",\\\"\\\"instanceId\\\"\\\":\\\"\\\"AdZEl1aTU4kAABKcAAAAAA==\\\"\\\",\\\"\\\"terminated\\\"\\\":1}]\\\",\\\"[{\\\"\\\"rawFullPath\\\"\\\":\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"fileName\\\"\\\":\\\"\\\"AEMAgent.exe\\\"\\\",\\\"\\\"sha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"fileSize\\\"\\\":\\\"\\\"65537200\\\"\\\",\\\"\\\"innerObjectSha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"signers\\\"\\\":[\\\"\\\"rapid7 Inc\\\"\\\"]}]\\\",\\\"[{\\\"\\\"userName\\\"\\\":\\\"\\\"SYSTEM\\\"\\\",\\\"\\\"domainUser\\\"\\\":\\\"\\\"SYSTEM\\\"\\\"}]\\\",[],WildFire Malware\"}
Log 2:
<14>1 2020-06-17T11:06:58.161Z logforwarder-3029707592971507306-86c58f6f46-42sjg logforwarder 8 panwlogs - threat,,,,2020-06-17T11:06:51.000000Z,2020-06-17T11:06:53.224573,2020-06-17T11:06:51.000000Z,-240,,,594860012,,,,,1,93d1c4f6fb3a4252612125a201808681,1,0,10.0.14393,1,10.134.10.116,HOST,rapid7.org,4,2,7.1.0.45682,132-30505,0,376248687c27489db415551540c6a648,COMPONENT_WILDFIRE,Malware,CYSTATUS_MALICIOUS_EXE,1,blocked,1,,,0,0,\\\"[\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"1\\\"\\\"]\\\",0,,0,\\\"[{\\\"\\\"pid\\\"\\\":3644,\\\"\\\"parentId\\\"\\\":6420,\\\"\\\"exeFileIdx\\\"\\\":0,\\\"\\\"userIdx\\\"\\\":0,\\\"\\\"commandLine\\\"\\\":\\\"\\\"\\\\\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\\\\\"\\\"\\\"\\\",\\\"\\\"instanceId\\\"\\\":\\\"\\\"AdZEl2bKU24AAA48AAAAAA==\\\"\\\",\\\"\\\"terminated\\\"\\\":1}]\\\",\\\"[{\\\"\\\"rawFullPath\\\"\\\":\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"fileName\\\"\\\":\\\"\\\"AEMAgent.exe\\\"\\\",\\\"\\\"sha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"fileSize\\\"\\\":\\\"\\\"65537200\\\"\\\",\\\"\\\"innerObjectSha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"signers\\\"\\\":[\\\"\\\"company Inc\\\"\\\"]}]\\\",\\\"[{\\\"\\\"userName\\\"\\\":\\\"\\\"SYSTEM\\\"\\\",\\\"\\\"domainUser\\\"\\\":\\\"\\\"SYSTEM\\\"\\\"}]\\\",[],WildFire Malware
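The two sample logs above nest three formats: a JSON envelope from the forwarding host, an RFC 5424 syslog line, and a comma-separated Traps threat record that carries JSON arrays inside quoted fields. The Python below is an added example, not Rapid7's or Palo Alto's code: it unwraps both shapes seen on this page (JSON-wrapped like Log 1 and bare syslog like Log 2) on a constructed sample reduced from Log 1, and the column positions it reads are inferred from that sample rather than from a published schema.

```python
import csv
import json
# Constructed sample, reduced from the page's first example log: a JSON envelope from the
# forwarding host whose "Message" is an RFC 5424 syslog line carrying a Traps threat record.
SHA = "045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282"
RECORD = (
    "threat,,,,2020-06-17T11:06:24.000000Z,2020-06-17T11:06:25.745518,"
    "2020-06-17T11:06:24.000000Z,-240,,,594860012,,,,,1,88cd39eb39c8b0989329df2dc405aa47,"
    "1,0,10.0.14393,1,10.10.100.23,HOST,rapid7.org,4,2,7.1.0.45682,132-30505,0,"
    "5d6dd5acf5fd4f4c8e3aa2e28db3f160,COMPONENT_WILDFIRE,Malware,CYSTATUS_MALICIOUS_EXE,"
    '1,blocked,1,,,0,0,"[""C:\\\\ProgramData\\\\someDir\\\\AEMAgent\\\\AEMAgent.exe"",""%s"",""%s"",""1""]",'
    '0,,0,"[{""pid"":4764,""parentId"":2792,""terminated"":1}]",'
    '"[{""rawFullPath"":""C:\\\\ProgramData\\\\someDir\\\\AEMAgent\\\\AEMAgent.exe"",'
    '""fileName"":""AEMAgent.exe"",""sha256"":""%s"",""signers"":[""rapid7 Inc""]}]",'
    '"[{""userName"":""SYSTEM"",""domainUser"":""SYSTEM""}]",[],WildFire Malware'
) % (SHA, SHA, SHA)
ENVELOPE = json.dumps({
    "MessageSourceAddress": "100.200.100.200",
    "Message": "<14>1 2020-06-17T11:06:51.402Z logforwarder-42sjg logforwarder 8 panwlogs - " + RECORD,
})

def parse_traps_threat(line):
    """Unwrap envelope -> syslog -> threat record; return the fields an analyst checks first."""
    if line.lstrip().startswith("{"):   # first page sample: JSON-wrapped by the forwarder
        envelope = json.loads(line)
        syslog, source = envelope["Message"], envelope.get("MessageSourceAddress")
    else:                               # second page sample: bare syslog line
        syslog, source = line, None
    # RFC 5424 header is 7 space-separated tokens; assumes structured data is "-" as on the page.
    parts = syslog.split(" ", 7)
    if len(parts) != 8 or parts[6] != "-":
        raise ValueError("unexpected syslog header: %r" % syslog[:80])
    # Record is CSV with doubled quotes; csv unescapes them and keeps the embedded JSON intact.
    fields = next(csv.reader([parts[7]]))
    if fields[0] != "threat" or len(fields) < 49:
        raise ValueError("not a Traps threat record with the expected column count")
    # Column positions are inferred from the page's sample, not from a published schema.
    files = json.loads(fields[45])
    users = json.loads(fields[46])
    return {
        "forwarder_ip": source,
        "endpoint_ip": fields[21],
        "verdict": fields[32],
        "action": fields[34],
        "file_path": files[0]["rawFullPath"],
        "sha256": files[0]["sha256"],
        "user": users[0]["domainUser"],
        "description": fields[48],
    }
```

Running it against what actually arrives at the forwarding host is a quick way to confirm the record still has the column layout the parser expects before relying on the Virus Alert Log Set.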