Palo Alto Networks IoT Security
About
The IoT Security solution works with next-generation firewalls to dynamically discover and maintain a real-time inventory of the IoT devices on your network. Through AI and machine-learning algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device types encountered for the first time. And because it’s dynamic, your IoT device inventory is always up to date. IoT Security also provides the automatic generation of policy recommendations to control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall policies.
Product Details
Vendor URL: Palo Alto Networks IoT Security
Product Type: Endpoint Security
Product Tier: Tier II
Integration Method: Syslog
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: SYSLOG + CEF
Expected Normalization Rate: 90-100%
Data Label: PAN_IOT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AD_Domain | principal.administrative_domain |
| Category | additional.fields |
| ConfidenceScore | security_result.confidence |
| DHCP | additional.fields |
| dvc | observer.ip |
| dvchost | observer.hostname |
| dvcmac | observer.mac |
| EndpointProtection | additional.fields |
| FirstSeenDate | principal.asset.first_seen_time.seconds |
| Model | principal.asset.hardware.model |
| NumCautionAlerts | additional.fields |
| os_combined | principal.asset.platform_software.platform_version |
| OsFirmwareVersion | additional.fields |
| OsGroup | principal.platform_version |
| Profile | additional.fields |
| ProfileType | additional.fields |
| RiskLevel | additional.fields |
| RiskScore | security_result.about.investigation.risk_score |
| SerialNumber | principal.asset.hardware.serial_number |
| severity | security_result.severity |
| Site | additional.fields |
| Subnet | additional.fields |
| summary | security_result.summary |
| Vendor | additional.fields |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| Connection | NETWORK_CONNECTION |
| All others | GENERIC_EVENT |
Log Sample
<46>1 2024-01-26T02:59:44.608986+00:00 45e9824f8964 SysLogLogger 1 - - INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.2.120.106 dvcmac=fe:e2:d3:13:0e:14 dvchost=Observer1 cs1Label=Profile cs1=Medical Workstation cs2Label=Category cs2=Medical Workstation cs3Label=ProfileType cs3=IoT cs4Label=Vendor cs4=HP cs5Label=Model cs5=HP EliteDesk 800 G3 DM 35W cs6Label=Vlan cs6=2 cs7Label=Site cs7=SiteName1 cs8Label=RiskScore cs8=51 cs9Label=RiskLevel cs9=Medium cs10Label=Subnet cs10=10.2.120.0/24 cs13Label=NumCautionAlerts cs13=3 cs15Label=FirstSeenDate cs15=2023-05-09T02:00:30.000Z cs16Label=ConfidenceScore cs16=96 cs17Label=OsGroup cs17=Windows cs18Label=OsFirmwareVersion cs18=10 Enterprise (19045) cs21Label=SerialNumber cs21=ABC7514FSG cs22Label=EndpointProtection cs22=protected cs25Label=DHCP cs25=Yes cs40Label=AD_Username cs40=e59ca3fe0afbdff09b2a1564efca109331c8c966c9dbd940a1bbaccd2e878d08 cs41Label=AD_Domain cs41=Domain1 cs44Label=os_combined cs44=Windows 10 Enterprise (19045)
Sample Parsing
additional.fields["Category"] = "Medical Workstation"
additional.fields["DHCP"] = "Yes"
additional.fields["EndpointProtection"] = "protected"
additional.fields["NumCautionAlerts"] = "3"
additional.fields["OsFirmwareVersion"] = "10 Enterprise (19045)"
additional.fields["Profile"] = "Medical Workstation"
additional.fields["ProfileType"] = "IoT"
additional.fields["RiskLevel"] = "Medium"
additional.fields["Site"] = "SiteName1"
additional.fields["Subnet"] = "10.2.120.0/24"
additional.fields["Vendor"] = "HP"
metadata.event_timestamp = "2024-01-26T02:59:44.608986+00:00"
metadata.product_name = "Palo Alto Networks IoT Security"
metadata.product_version = "1.0"
metadata.vendor_name = "Palo Alto Networks"
observer.hostname = "Observer1"
observer.ip = "10.2.120.106"
observer.mac = "fe:e2:d3:13:0e:14"
principal.administrative_domain = "Domain1"
principal.asset.first_seen_time.seconds = "1683597630"
principal.asset.hardware.serial_number = "ABC7514FSG"
principal.asset.platform_software.platform_version = "Windows 10 Enterprise (19045)"
principal.platform_version = "Windows"
security_result.about.investigation.risk_score = "51"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.severity = "INFORMATIONAL"
security_result.summary = "Asset Identification"
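The following script is an added illustration of the normalisation described on this page; it is not Chronicle's PAN_IOT parser or Palo Alto Networks code. It splits the RFC 5424 header from the CEF payload, handles CEF extension values that contain spaces (`Medical Workstation`, `HP EliteDesk 800 G3 DM 35W`), joins each `csNLabel` to its `csN` value, and applies the field table above to produce the flat key/value view shown under Sample Parsing. Assumptions are marked in the code: the confidence and severity bands (the page only shows 96 to HIGH_CONFIDENCE and CEF severity 1 to INFORMATIONAL), that either the CEF signature ID or the CEF name reading `Connection` selects NETWORK_CONNECTION, the hard-coded vendor and product names the page emits instead of the CEF header strings, and the sample line itself, which is a constructed copy of the Log Sample above.

```python
"""Parse the page's PAN_IOT syslog+CEF sample into the flat UDM view shown
under Sample Parsing. Added illustration; not Chronicle's own parser."""
import re
from datetime import datetime, timezone

# Constructed copy of the page's Log Sample (same content, wrapped for readability).
SAMPLE = (
    "<46>1 2024-01-26T02:59:44.608986+00:00 45e9824f8964 SysLogLogger 1 - - "
    "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|"
    "dvc=10.2.120.106 dvcmac=fe:e2:d3:13:0e:14 dvchost=Observer1 "
    "cs1Label=Profile cs1=Medical Workstation cs2Label=Category cs2=Medical Workstation "
    "cs3Label=ProfileType cs3=IoT cs4Label=Vendor cs4=HP cs5Label=Model cs5=HP EliteDesk 800 G3 DM 35W "
    "cs6Label=Vlan cs6=2 cs7Label=Site cs7=SiteName1 cs8Label=RiskScore cs8=51 cs9Label=RiskLevel cs9=Medium "
    "cs10Label=Subnet cs10=10.2.120.0/24 cs13Label=NumCautionAlerts cs13=3 "
    "cs15Label=FirstSeenDate cs15=2023-05-09T02:00:30.000Z cs16Label=ConfidenceScore cs16=96 "
    "cs17Label=OsGroup cs17=Windows cs18Label=OsFirmwareVersion cs18=10 Enterprise (19045) "
    "cs21Label=SerialNumber cs21=ABC7514FSG cs22Label=EndpointProtection cs22=protected cs25Label=DHCP cs25=Yes "
    "cs40Label=AD_Username cs40=e59ca3fe0afbdff09b2a1564efca109331c8c966c9dbd940a1bbaccd2e878d08 "
    "cs41Label=AD_Domain cs41=Domain1 cs44Label=os_combined cs44=Windows 10 Enterprise (19045)"
)

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD, MSG.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) (?P<msg>.*)$"
)
# CEF extension: values may contain spaces, so a value runs until the next " key=".
# An escaped "\=" inside a value is not preceded by a word character, so it does
# not terminate the value.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Field table from this page. Labels that land in additional.fields, and labels
# that map to a single UDM field.
ADDITIONAL = {"Category", "DHCP", "EndpointProtection", "NumCautionAlerts", "OsFirmwareVersion",
              "Profile", "ProfileType", "RiskLevel", "Site", "Subnet", "Vendor"}
DIRECT = {
    "AD_Domain": "principal.administrative_domain",
    "Model": "principal.asset.hardware.model",
    "os_combined": "principal.asset.platform_software.platform_version",
    "OsGroup": "principal.platform_version",
    "SerialNumber": "principal.asset.hardware.serial_number",
}


def cef_unescape(value: str) -> str:
    return value.replace(r"\=", "=").replace(r"\|", "|").replace("\\\\", "\\")


def extract(line: str):
    """Return (CEF header fields, extension dict, label -> value dict)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    msg = m["msg"]
    start = msg.find("CEF:")          # skip the "INFO:siem-syslog:" prefix
    if start < 0:
        raise ValueError("no CEF payload in syslog message")
    parts = re.split(r"(?<!\\)\|", msg[start:], maxsplit=7)   # unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    header = dict(zip(names, parts[:7]))
    header["syslog_ts"] = m["ts"]
    ext = {k: cef_unescape(v) for k, v in EXT_RE.findall(parts[7])}
    # csNLabel names the meaning of csN; join them into label -> value.
    labels = {v: ext.get(k[:-len("Label")], "") for k, v in ext.items() if k.endswith("Label")}
    return header, ext, labels


def confidence(score: int) -> str:
    # Bands are an assumption; the page only shows 96 -> HIGH_CONFIDENCE.
    if score >= 80:
        return "HIGH_CONFIDENCE"
    if score >= 50:
        return "MEDIUM_CONFIDENCE"
    return "LOW_CONFIDENCE"


def severity(cef_sev: int) -> str:
    # CEF severity is 0-10; the page only shows 1 -> INFORMATIONAL. Other bands are an assumption.
    if cef_sev <= 3:
        return "INFORMATIONAL"
    if cef_sev <= 6:
        return "MEDIUM"
    if cef_sev <= 8:
        return "HIGH"
    return "CRITICAL"


def to_udm(line: str) -> dict:
    header, ext, labels = extract(line)
    # Assumption: "Connection" in either the signature ID or the CEF name selects NETWORK_CONNECTION.
    is_conn = "connection" in (header["signature_id"].lower(), header["name"].lower())
    udm = {
        "metadata.event_timestamp": header["syslog_ts"],
        "metadata.event_type": "NETWORK_CONNECTION" if is_conn else "GENERIC_EVENT",
        "metadata.vendor_name": "Palo Alto Networks",          # page emits these, not the CEF header strings
        "metadata.product_name": "Palo Alto Networks IoT Security",
        "metadata.product_version": header["version"],
        "security_result.summary": header["name"],
        "security_result.severity": severity(int(header["severity"])),
    }
    for key, udm_key in (("dvc", "observer.ip"), ("dvchost", "observer.hostname"), ("dvcmac", "observer.mac")):
        if key in ext:
            udm[udm_key] = ext[key]
    for label, value in labels.items():
        if label in ADDITIONAL:
            udm[f'additional.fields["{label}"]'] = value
        elif label in DIRECT:
            udm[DIRECT[label]] = value
        elif label == "ConfidenceScore":
            udm["security_result.confidence"] = confidence(int(value))
        elif label == "RiskScore":
            udm["security_result.about.investigation.risk_score"] = int(value)
        elif label == "FirstSeenDate":
            dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            udm["principal.asset.first_seen_time.seconds"] = int(dt.timestamp())
        # Any other label (Vlan and AD_Username in the sample) has no row in the table and is dropped.
    return udm


def unmapped_labels(line: str) -> list:
    """Labels present in the event that the page's field table does not map."""
    _, _, labels = extract(line)
    mapped = ADDITIONAL | set(DIRECT) | {"ConfidenceScore", "RiskScore", "FirstSeenDate"}
    return sorted(set(labels) - mapped)


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE).items()):
        print(f"{k} = {v!r}")
    print("unmapped:", unmapped_labels(SAMPLE))
```

Running it reproduces the Sample Parsing values above (FirstSeenDate 2023-05-09T02:00:30Z becomes 1683597630 seconds, ConfidenceScore 96 becomes HIGH_CONFIDENCE), and `unmapped_labels` lists the two labels in the sample that the table does not carry over: Vlan and the AD_Username value. If you need either in UDM, that is the gap to raise with the parser owner rather than something the 90-100% normalisation rate will surface on its own.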