Palo Alto Traps TMS

Palo Alto Traps TMS is endpoint detection and response software that detects threats such as unknown malware, exploits, and ransomware. InsightIDR provides a Palo Alto Traps TMS event source that you can configure to parse its threat logs for virus infection documents.

To set up Palo Alto Traps TMS, you’ll need to:

  1. Review “Before You Begin” and note any requirements.
  2. Set up the Palo Alto Traps TMS event source in InsightIDR.
  3. Verify the configuration works.

Before you begin

The InsightIDR collector cannot connect directly to Palo Alto Traps TMS. You must set up a machine that can receive logs from Palo Alto and forward them to the collector.

For more information on setting up log forwarding, see: https://docs.paloaltonetworks.com/cortex/log-forwarding/log-forwarding-app-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server

Set up Palo Alto Traps TMS in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the “Data Collection” page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Virus Scan” section, click the Palo Alto Traps TMS icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. If you are sending additional events beyond alerts and want them in Log Search, select the unfiltered logs checkbox.
  7. You can specify a Default Domain or add a new domain if needed.
  8. Enter a Port number.
  9. Choose a Protocol.
  10. Click Save.

Verify the configuration

  1. From the left menu, click Log Search to view your logs and confirm that events are reaching the Collector. Palo Alto Traps TMS logs flow into the Virus Alert Log Set.
  2. Next, perform a Log Search to make sure Palo Alto Traps TMS events are coming through.

Example input logs:

Log 1:
{\"MessageSourceAddress\":\"100.200.100.200\",\"EventReceivedTime\":\"2020-06-17 07:06:51\",\"SourceModuleName\":\"tcp_ssl\",\"SourceModuleType\":\"im_ssl\",\"SyslogFacilityValue\":1,\"SyslogFacility\":\"USER\",\"SyslogSeverityValue\":5,\"SyslogSeverity\":\"NOTICE\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"Hostname\":\"100.200.100.200\",\"EventTime\":\"2020-12-31 19:21:06\",\"Message\":\"<14>1 2020-06-17T11:06:51.402Z logforwarder-3029707592971507306-86c58f6f46-42sjg logforwarder 8 panwlogs - threat,,,,2020-06-17T11:06:24.000000Z,2020-06-17T11:06:25.745518,2020-06-17T11:06:24.000000Z,-240,,,594860012,,,,,1,88cd39eb39c8b0989329df2dc405aa47,1,0,10.0.14393,1,10.10.100.23,HOST,rapid7.org,4,2,7.1.0.45682,132-30505,0,5d6dd5acf5fd4f4c8e3aa2e28db3f160,COMPONENT_WILDFIRE,Malware,CYSTATUS_MALICIOUS_EXE,1,blocked,1,,,0,0,\\\"[\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"1\\\"\\\"]\\\",0,,0,\\\"[{\\\"\\\"pid\\\"\\\":4764,\\\"\\\"parentId\\\"\\\":2792,\\\"\\\"exeFileIdx\\\"\\\":0,\\\"\\\"userIdx\\\"\\\":0,\\\"\\\"commandLine\\\"\\\":\\\"\\\"\\\\\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\\\\\"\\\"\\\"\\\",\\\"\\\"instanceId\\\"\\\":\\\"\\\"AdZEl1aTU4kAABKcAAAAAA==\\\"\\\",\\\"\\\"terminated\\\"\\\":1}]\\\",\\\"[{\\\"\\\"rawFullPath\\\"\\\":\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"fileName\\\"\\\":\\\"\\\"AEMAgent.exe\\\"\\\",\\\"\\\"sha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"fileSize\\\"\\\":\\\"\\\"65537200\\\"\\\",\\\"\\\"innerObjectSha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"signers\\\"\\\":[\\\"\\\"rapid7 Inc\\\"\\\"]}]\\\",\\\"[{\\\"\\\"userName\\\"\\\":\\\"\\\"SYSTEM\\\"\\\",\\\"\\\"domainUser\\\"\\\":\\\"\\\"SYSTEM\\\"\\\"}]\\\",[],WildFire Malware\"}
Log 2:
<14>1 2020-06-17T11:06:58.161Z logforwarder-3029707592971507306-86c58f6f46-42sjg logforwarder 8 panwlogs - threat,,,,2020-06-17T11:06:51.000000Z,2020-06-17T11:06:53.224573,2020-06-17T11:06:51.000000Z,-240,,,594860012,,,,,1,93d1c4f6fb3a4252612125a201808681,1,0,10.0.14393,1,10.134.10.116,HOST,rapid7.org,4,2,7.1.0.45682,132-30505,0,376248687c27489db415551540c6a648,COMPONENT_WILDFIRE,Malware,CYSTATUS_MALICIOUS_EXE,1,blocked,1,,,0,0,\\\"[\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"1\\\"\\\"]\\\",0,,0,\\\"[{\\\"\\\"pid\\\"\\\":3644,\\\"\\\"parentId\\\"\\\":6420,\\\"\\\"exeFileIdx\\\"\\\":0,\\\"\\\"userIdx\\\"\\\":0,\\\"\\\"commandLine\\\"\\\":\\\"\\\"\\\\\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\\\\\"\\\"\\\"\\\",\\\"\\\"instanceId\\\"\\\":\\\"\\\"AdZEl2bKU24AAA48AAAAAA==\\\"\\\",\\\"\\\"terminated\\\"\\\":1}]\\\",\\\"[{\\\"\\\"rawFullPath\\\"\\\":\\\"\\\"C:\\\\\\\\ProgramData\\\\\\\\someDir\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\"\\\",\\\"\\\"fileName\\\"\\\":\\\"\\\"AEMAgent.exe\\\"\\\",\\\"\\\"sha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"fileSize\\\"\\\":\\\"\\\"65537200\\\"\\\",\\\"\\\"innerObjectSha256\\\"\\\":\\\"\\\"045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282\\\"\\\",\\\"\\\"signers\\\"\\\":[\\\"\\\"company Inc\\\"\\\"]}]\\\",\\\"[{\\\"\\\"userName\\\"\\\":\\\"\\\"SYSTEM\\\"\\\",\\\"\\\"domainUser\\\"\\\":\\\"\\\"SYSTEM\\\"\\\"}]\\\",[],WildFire Malware
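The example logs above are a raw RFC 5424 syslog line and the same kind of line wrapped in a JSON envelope, each carrying a comma-separated Traps threat record whose file, process and user details are JSON strings embedded in quoted CSV columns. The parser below is an added example, not Rapid7's or Palo Alto's code: it splits the syslog header, reads the CSV record, decodes the embedded JSON columns and flags a malicious verdict that the agent did not block. The column positions, the constructed sample, and the placeholder forwarder name and instanceId are assumptions taken from the samples on this page, not an official schema.

```python
import csv, io, json, re

# RFC 5424 header as the forwarder emits it: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG; the samples carry "-" (no SD).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<fwd>\S+) (?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) - (?P<msg>.*)$", re.S)
# Column positions inferred from the sample threat records on this page (assumption, not an official schema).
COLS = {"endpoint": 21, "domain": 23, "component": 30, "category": 31,
        "verdict": 32, "action": 34, "threat_name": 48}

def parse_traps_threat(line: str) -> dict:
    """Parse one forwarded Traps 'threat' record, given raw or inside an nxlog-style JSON envelope."""
    if line.lstrip().startswith("{"):                     # envelope form, as in the first sample above
        line = json.loads(line)["Message"]
    m = SYSLOG_RE.match(line)
    if not m or m.group("msgid") != "panwlogs":
        raise ValueError("not a panwlogs RFC 5424 line")
    fields = next(csv.reader(io.StringIO(m.group("msg"))))  # csv unescapes the doubled "" inside quoted columns
    if fields[0] != "threat" or len(fields) <= max(COLS.values()):
        raise ValueError("not a threat record with the expected column count")
    out = {k: fields[i] for k, i in COLS.items()}
    out["facility"], out["severity"] = divmod(int(m.group("pri")), 8)
    out.update(files=[], processes=[], users=[])
    for f in fields:                                       # embedded JSON columns are located by shape, not position
        if not f.startswith("["): continue
        try:
            items = json.loads(f)
        except json.JSONDecodeError:
            continue
        for item in (i for i in items if isinstance(i, dict)):
            key = "files" if "sha256" in item else "processes" if "pid" in item else "users" if "userName" in item else None
            if key: out[key].append(item)
    # A malicious verdict that was not blocked is the record an analyst must follow up on.
    out["needs_followup"] = out["verdict"].startswith("CYSTATUS_MALICIOUS") and out["action"] != "blocked"
    return out

SHA = "045CD7025049C54E11130FCAE0190866C9071585A950683DF8104CA1E4B47282"   # hash from the page's sample
EXE = r"C:\\ProgramData\\someDir\\AEMAgent\\AEMAgent.exe"                   # JSON-escaped path, as on the page
# Constructed sample modelled on the raw syslog sample above; forwarder name and instanceId are placeholders.
SAMPLE = (
    "<14>1 2020-06-17T11:06:58.161Z logforwarder-example logforwarder 8 panwlogs - "
    "threat,,,,2020-06-17T11:06:51.000000Z,2020-06-17T11:06:53.224573,2020-06-17T11:06:51.000000Z,"
    "-240,,,594860012,,,,,1,93d1c4f6fb3a4252612125a201808681,1,0,10.0.14393,1,10.134.10.116,HOST,"
    "rapid7.org,4,2,7.1.0.45682,132-30505,0,376248687c27489db415551540c6a648,COMPONENT_WILDFIRE,"
    "Malware,CYSTATUS_MALICIOUS_EXE,1,blocked,1,,,0,0,"
    f'"[""{EXE}"",""{SHA}"",""{SHA}"",""1""]",0,,0,'
    f'"[{{""pid"":3644,""parentId"":6420,""exeFileIdx"":0,""userIdx"":0,""commandLine"":""\\""{EXE}\\"""",'
    '""instanceId"":""PLACEHOLDER=="",""terminated"":1}]",'
    f'"[{{""rawFullPath"":""{EXE}"",""fileName"":""AEMAgent.exe"",""sha256"":""{SHA}"",""fileSize"":""65537200"",'
    f'""innerObjectSha256"":""{SHA}"",""signers"":[""company Inc""]}}]",'
    '"[{""userName"":""SYSTEM"",""domainUser"":""SYSTEM""}]",[],WildFire Malware'
)
SAMPLE_ENVELOPE = json.dumps({"MessageSourceAddress": "100.200.100.200", "Message": SAMPLE})  # enveloped form
```

Run `parse_traps_threat(SAMPLE)` to get a dictionary with the endpoint, verdict, action, decoded file hashes, process tree entries and user, plus the `needs_followup` flag; the same call on `SAMPLE_ENVELOPE` unwraps the JSON envelope first.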