
Palo Alto Networks IoT Security

About

The IoT Security solution works with next-generation firewalls to dynamically discover and maintain a real-time inventory of the IoT devices on your network. Through AI and machine-learning algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device types encountered for the first time. And because it’s dynamic, your IoT device inventory is always up to date. IoT Security also provides the automatic generation of policy recommendations to control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall policies.

Product Details

Vendor URL: Palo Alto Networks IoT Security

Product Type: Endpoint Security

Product Tier: Tier II

Integration Method: Syslog

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: SYSLOG + CEF

Expected Normalization Rate: 90-100%

Data Label: PAN_IOT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field      UDM Field
AD_Domain           principal.administrative_domain
Category            additional.fields
ConfidenceScore     security_result.confidence
DHCP                additional.fields
dvc                 observer.ip
dvchost             observer.hostname
dvcmac              observer.mac
EndpointProtection  additional.fields
FirstSeenDate       principal.asset.first_seen_time.seconds
Model               principal.asset.hardware.Model
NumCautionAlerts    additional.fields
os_combined         principal.asset.platform_software.platform_version
OsFirmwareVersion   additional.fields
OsGroup             principal.platform_version
Profile             additional.fields
ProfileType         additional.fields
RiskLevel           additional.fields
RiskScore           security_result.about.investigation.risk_score
SerialNumber        principal.asset.hardware.serial_number
severity            security_result.severity
Site                additional.fields
Subnet              additional.fields
summary             security_result.summary
Vendor              additional.fields

Product Event Types

Event       UDM Event Classification
Connection  NETWORK_CONNECTION
All others  GENERIC_EVENT

Log Sample

<46>1 2024-01-26T02:59:44.608986+00:00 45e9824f8964 SysLogLogger 1 - - INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.2.120.106 dvcmac=fe:e2:d3:13:0e:14 dvchost=Observer1 cs1Label=Profile cs1=Medical Workstation cs2Label=Category cs2=Medical Workstation cs3Label=ProfileType cs3=IoT cs4Label=Vendor cs4=HP cs5Label=Model cs5=HP EliteDesk 800 G3 DM 35W cs6Label=Vlan cs6=2 cs7Label=Site cs7=SiteName1 cs8Label=RiskScore cs8=51 cs9Label=RiskLevel cs9=Medium cs10Label=Subnet cs10=10.2.120.0/24 cs13Label=NumCautionAlerts cs13=3 cs15Label=FirstSeenDate cs15=2023-05-09T02:00:30.000Z cs16Label=ConfidenceScore cs16=96 cs17Label=OsGroup cs17=Windows cs18Label=OsFirmwareVersion cs18=10 Enterprise (19045) cs21Label=SerialNumber cs21=ABC7514FSG cs22Label=EndpointProtection cs22=protected cs25Label=DHCP cs25=Yes cs40Label=AD_Username cs40=e59ca3fe0afbdff09b2a1564efca109331c8c966c9dbd940a1bbaccd2e878d08 cs41Label=AD_Domain cs41=Domain1 cs44Label=os_combined cs44=Windows 10 Enterprise (19045) 

Sample Parsing

additional.fields["Category"] = "Medical Workstation"
additional.fields["DHCP"] = "Yes"
additional.fields["EndpointProtection"] = "protected"
additional.fields["NumCautionAlerts"] = "3"
additional.fields["OsFirmwareVersion"] = "10 Enterprise (19045)"
additional.fields["Profile"] = "Medical Workstation"
additional.fields["ProfileType"] = "IoT"
additional.fields["RiskLevel"] = "Medium"
additional.fields["Site"] = "SiteName1"
additional.fields["Subnet"] = "10.2.120.0/24"
additional.fields["Vendor"] = "HP"
metadata.event_timestamp = "2024-01-26T02:59:44.608986+00:00"
metadata.product_name = "Palo Alto Networks IoT Security"
metadata.product_version = "1.0"
metadata.vendor_name = "Palo Alto Networks"
observer.hostname = "Observer1"
observer.ip = "10.2.120.106"
observer.mac = "fe:e2:d3:13:0e:14"
principal.administrative_domain = "Domain1"
principal.asset.first_seen_time.seconds = "1683597630"
principal.asset.hardware.serial_number = "ABC7514FSG"
principal.asset.platform_software.platform_version = "Windows 10 Enterprise (19045)"
principal.platform_version = "Windows"
security_result.about.investigation.risk_score = "51"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.severity = "INFORMATIONAL"
security_result.summary = "Asset Identification"
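The following is an added example (not Palo Alto Networks' or the parser's own code) that walks the sample line above through the field table and produces the UDM fields shown in the sample parsing. It assumes, because the page does not state them, the severity bands beyond "1 -> INFORMATIONAL", the confidence-score threshold behind HIGH_CONFIDENCE, and that the Connection event is recognised by its CEF signature id or name.

```python
import re
from datetime import datetime, timezone
# Constructed copy of the page's sample event; some cs fields are dropped to keep it short.
SAMPLE = ('<46>1 2024-01-26T02:59:44.608986+00:00 45e9824f8964 SysLogLogger 1 - - '
          'INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|'
          'dvc=10.2.120.106 dvcmac=fe:e2:d3:13:0e:14 dvchost=Observer1 cs1Label=Profile '
          'cs1=Medical Workstation cs8Label=RiskScore cs8=51 cs15Label=FirstSeenDate '
          'cs15=2023-05-09T02:00:30.000Z cs16Label=ConfidenceScore cs16=96 cs17Label=OsGroup '
          'cs17=Windows cs18Label=OsFirmwareVersion cs18=10 Enterprise (19045) cs41Label=AD_Domain cs41=Domain1')
# Mappings taken from the page's UDM field table.
CEF_TO_UDM = {'dvc': 'observer.ip', 'dvchost': 'observer.hostname', 'dvcmac': 'observer.mac'}
LABEL_TO_UDM = {'AD_Domain': 'principal.administrative_domain',
                'Model': 'principal.asset.hardware.Model',
                'os_combined': 'principal.asset.platform_software.platform_version',
                'OsGroup': 'principal.platform_version',
                'RiskScore': 'security_result.about.investigation.risk_score',
                'SerialNumber': 'principal.asset.hardware.serial_number'}
ADDITIONAL = {'Category', 'DHCP', 'EndpointProtection', 'NumCautionAlerts', 'OsFirmwareVersion',
              'Profile', 'ProfileType', 'RiskLevel', 'Site', 'Subnet', 'Vendor'}
# Assumed severity bands for CEF 0-10; the page shows only severity 1 -> INFORMATIONAL.
SEVERITY = ['INFORMATIONAL'] * 4 + ['MEDIUM'] * 3 + ['HIGH'] * 2 + ['CRITICAL'] * 2

def parse_extension(ext):
    # CEF values may contain spaces, so a value runs until the next ' key=' token.
    return dict(re.findall(r'(\w+)=(.*?)(?=\s+\w+=|$)', ext))

def to_udm(line):
    ts = re.match(r'<\d+>\d+\s+(\S+)', line).group(1)            # RFC 5424 timestamp
    cef = line[line.index('CEF:0|') + len('CEF:0|'):]
    _vendor, _product, version, sig_id, name, sev, ext = re.split(r'(?<!\\)\|', cef, maxsplit=6)
    raw = parse_extension(ext)
    labeled = {v: raw.get(k[:-5], '') for k, v in raw.items() if k.endswith('Label')}  # csNLabel -> csN
    udm = {'metadata.event_timestamp': ts, 'metadata.product_version': version,
           'metadata.product_name': 'Palo Alto Networks IoT Security',
           'metadata.vendor_name': 'Palo Alto Networks', 'additional.fields': {},
           'security_result.summary': name, 'security_result.severity': SEVERITY[int(sev)],
           # Assumed: the Connection event is recognised by its signature id or name; all others are GENERIC_EVENT.
           'metadata.event_type': 'NETWORK_CONNECTION' if 'connection' in (sig_id.lower(), name.lower()) else 'GENERIC_EVENT'}
    udm.update({f: raw[k] for k, f in CEF_TO_UDM.items() if k in raw})
    for label, value in labeled.items():      # labels outside the table (AD_Username, Vlan) are dropped
        if label in LABEL_TO_UDM:
            udm[LABEL_TO_UDM[label]] = value
        elif label in ADDITIONAL:
            udm['additional.fields'][label] = value
        elif label == 'FirstSeenDate':        # ISO-8601 UTC -> epoch seconds, as in the sample parsing
            dt = datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%fZ').replace(tzinfo=timezone.utc)
            udm['principal.asset.first_seen_time.seconds'] = int(dt.timestamp())
        elif label == 'ConfidenceScore':      # assumed threshold; the page shows 96 -> HIGH_CONFIDENCE
            udm['security_result.confidence'] = 'HIGH_CONFIDENCE' if int(value) >= 80 else 'LOW_CONFIDENCE'
    return udm
```

Comparing the returned dict against the sample parsing above is a quick way to spot a field that the live feed labels differently from the table.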