Palo Alto PAN-OS integration

You can integrate Palo Alto PAN-OS with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Palo Alto PAN-OS product overview

Panorama, Palo Alto Networks' centralized security management system for PAN-OS firewalls, gives administrators global visibility, policy control, and workflow automation across their entire firewall deployment. It takes a holistic approach to network security, ensuring consistent coverage and real-time threat intelligence.

Sophos documents

Integrate Palo Alto PAN-OS

What we ingest

We ingest Threat and WildFire Submission logs and a subset of Traffic logs.

Sample alerts seen by Sophos:

  • Spring Boot Actuator H2 Remote Code Execution Vulnerability (93279)
  • RealNetworks RealPlayer URL Parsing Stack Buffer Overflow Vulnerability (37255)
  • Dahua Security DVR Appliances Authentication Bypass Vulnerability (38926)
  • Microsoft Windows NTLMSSP Detection (92322)
  • Compromised username and/or password from previous data breach in inbound FTP login (SIGNATURE)

Alerts ingested in full

For our recommendations on configuring log forwarding, see Integrate Palo Alto PAN-OS.

Filtering

We filter logs as follows.

Agent filter

  • We ALLOW valid CEF.
  • We DROP traffic logs.

Platform filter

  • We DROP various reviewed and non-security related messages and logs.
  • We DROP DNS request logs.
  • We DROP some VPN logs.
  • We DROP WildFire logs classified as benign.
  • We DROP various high-volume and low-value specified messages.

Sample threat mappings

To determine the alert type, we use one of these fields, depending on the alert classification carried in the CEF cat field and on which fields the event includes:

  • fields.cat, when cat is present and is not the subtype 'vulnerability' (normalized against the regex_alert_type lists where one of them matches)
  • cef.deviceEventClassID, when cat is 'vulnerability' (likewise normalized)
  • fields.PanOSThreatCategory, when cat is empty

If none of these cases applies, the alert type is undefined. The rule as configured (a single line in the original, shown here with line breaks for readability):

"value": "=> !isEmpty(fields.cat) && !is(fields.cat, 'vulnerability')
    ? searchRegexList(fields.cat, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
        ? searchRegexList(fields.cat, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
        : fields.cat
    : !isEmpty(fields.cat) && is(fields.cat, 'vulnerability')
        ? searchRegexList(cef.deviceEventClassID, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
            ? searchRegexList(cef.deviceEventClassID, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type])
            : cef.deviceEventClassID
        : isEmpty(fields.cat) && !isEmpty(fields.PanOSThreatCategory)
            ? fields.PanOSThreatCategory
            : undefined"

Sample mappings:

{"alertType": "Apache Log4j Remote Code Execution Vulnerability(N)", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "RealVNC VNC Server ClientCutText Message Memory Corruption Vulnerability(33672)", "threatId": "T1203", "threatName": "Exploitation for Client Execution"}
{"alertType": "DOCX With Attached Templates In Multiple Attacks(86646)", "threatId": "T1221", "threatName": "Template Injection"}
{"alertType": "Generic Cross-Site Scripting Vulnerability(94093)", "threatId": "T1189", "threatName": "Drive-by Compromise"}
{"alertType": "Fastflux:DOMAIN(N)", "threatId": "T1036", "threatName": "Masquerading"}
{"alertType": "Virus.ramnit:lfjyaf.com(121569082)", "threatId": "TA0002", "threatName": "Execution"}
{"alertType": "OpenSSL SSL_check_chain NULL Pointer Dereference Vulnerability(58033)", "threatId": "T1573", "threatName": "Encrypted Channel"}
{"alertType": "Microsoft Office File Embedded in PDF File Detection(86796)", "threatId": "T1204.002", "threatName": "Malicious File"}
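The following is an added worked example, not Sophos's or Palo Alto Networks' own code, that runs the filtering rules and the alert-type expression above end to end over a handful of constructed PAN-OS CEF syslog lines: it validates CEF (the agent filter's ALLOW rule), drops traffic logs and benign WildFire submissions, picks the alert type branch for branch as the expression does, and looks the result up in the sample mappings. Several details are assumptions rather than documented fact and are marked as such in the code: that a traffic log is recognised by the CEF Name header TRAFFIC, that a WildFire verdict arrives in the cat extension, that the regex_alert_type lists behave as ordered (pattern, alert type) pairs, and that the drop list for reviewed high-volume messages is keyed on (Name, deviceEventClassID). The sample lines and the single regex entry are constructed for the demo.

```python
"""PAN-OS CEF filter and alert-type pipeline, modelled on this page.

Added example, not Sophos's or Palo Alto Networks' code. Assumptions (also marked
inline): traffic logs carry the CEF Name 'TRAFFIC', a WildFire verdict travels in
the CEF 'cat' extension, the regex_alert_type lists are (pattern, alert type) pairs,
and every sample line and drop-list entry is constructed for the demo."""
import re

# Stand-in for the page's code_translation.regex_alert_type lists (assumed shape).
REGEX_ALERT_TYPE = [
    (r"^Apache Log4j Remote Code Execution Vulnerability\(\d+\)$",
     "Apache Log4j Remote Code Execution Vulnerability(N)"),
]

# Alert type -> (threatId, threatName), copied from the sample mappings on this page.
ALERT_TO_MITRE = {
    "Apache Log4j Remote Code Execution Vulnerability(N)": ("T1203", "Exploitation for Client Execution"),
    "Generic Cross-Site Scripting Vulnerability(94093)": ("T1189", "Drive-by Compromise"),
    "Microsoft Office File Embedded in PDF File Detection(86796)": ("T1204.002", "Malicious File"),
}

# CEF extension: key=value pairs; a value runs until the next " key=" token or end of line.
EXT_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Parse a syslog line carrying CEF; None means 'not valid CEF' (agent ALLOW rule)."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Header: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
    parts = re.split(r"(?<!\\)\|", line[start + 4:].strip(), maxsplit=7)
    if len(parts) != 8:
        return None
    version, vendor, product, dev_version, sig_id, name, severity, ext = (
        p.replace(r"\|", "|") for p in parts)
    fields = {k: v.strip() for k, v in EXT_KV_RE.findall(ext)}
    return {"cef": {"version": version, "deviceVendor": vendor, "deviceProduct": product,
                    "deviceVersion": dev_version, "deviceEventClassID": sig_id,
                    "name": name, "severity": severity},
            "fields": fields}

def agent_filter(event):
    """ALLOW valid CEF, DROP traffic logs (Name == 'TRAFFIC' is the assumed marker)."""
    return event is not None and event["cef"]["name"].upper() != "TRAFFIC"

def platform_filter(event, dropped_classes=frozenset()):
    """Platform drops decidable per event: benign WildFire verdicts (assumed to be in cat),
    plus any (Name, deviceEventClassID) pair on the reviewed high-volume/low-value list."""
    cef, fields = event["cef"], event["fields"]
    if cef["name"].upper() == "WILDFIRE" and fields.get("cat", "").lower() == "benign":
        return False
    return (cef["name"].upper(), cef["deviceEventClassID"]) not in dropped_classes

def search_regex_list(value, regex_alert_type):
    """Model of searchRegexList: alert type of the first matching pattern, else None."""
    for pattern, alert in regex_alert_type:
        if re.search(pattern, value):
            return alert
    return None

def alert_type(event, regex_alert_type=REGEX_ALERT_TYPE):
    """The page's alert-type expression, branch for branch."""
    cat = event["fields"].get("cat", "")
    class_id = event["cef"]["deviceEventClassID"]
    if cat and cat != "vulnerability":          # cat itself names the threat
        return search_regex_list(cat, regex_alert_type) or cat
    if cat == "vulnerability":                   # subtype in cat: name sits in deviceEventClassID
        return search_regex_list(class_id, regex_alert_type) or class_id
    threat_category = event["fields"].get("PanOSThreatCategory")
    return threat_category or None              # the expression's `undefined`

def process(lines, dropped_classes=frozenset()):
    """Run lines through both filters; return (kept alerts with MITRE mapping, dropped count)."""
    kept, dropped = [], 0
    for line in lines:
        event = parse_cef(line)
        if not agent_filter(event) or not platform_filter(event, dropped_classes):
            dropped += 1
            continue
        atype = alert_type(event)
        tid, tname = ALERT_TO_MITRE.get(atype, (None, None))
        kept.append({"alertType": atype, "threatId": tid, "threatName": tname})
    return kept, dropped

SAMPLE_LINES = [  # constructed for this example; not captured from a real firewall
    # threat log: cat carries the threat name, the regex list normalises the numeric ID to (N)
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.3|vulnerability|THREAT|5|rt=Mar 04 2024 10:00:00 src=203.0.113.7 dst=10.0.0.5 cat=Apache Log4j Remote Code Execution Vulnerability(93279)",
    # threat log: cat holds the subtype, so the threat name is read from deviceEventClassID
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.3|Generic Cross-Site Scripting Vulnerability(94093)|THREAT|4|rt=Mar 04 2024 10:00:01 src=203.0.113.9 dst=10.0.0.8 cat=vulnerability",
    # threat log with no cat: falls back to PanOSThreatCategory, which has no MITRE mapping here
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.3|spyware|THREAT|3|rt=Mar 04 2024 10:00:02 src=10.0.0.12 dst=198.51.100.4 PanOSThreatCategory=code-execution",
    # WildFire submission with a benign verdict: dropped by the platform filter
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.3|wildfire|WILDFIRE|1|rt=Mar 04 2024 10:00:03 src=10.0.0.12 fname=invoice.pdf cat=benign",
    # traffic log: dropped by the agent filter
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.3|end|TRAFFIC|1|rt=Mar 04 2024 10:00:04 src=10.0.0.12 dst=198.51.100.4 dpt=443",
    # not CEF at all: fails the ALLOW-valid-CEF rule
    "<14>Mar 04 10:00:05 fw01 PAN-OS: session end 10.0.0.12 -> 198.51.100.4",
]

if __name__ == "__main__":
    alerts, dropped_count = process(SAMPLE_LINES)
    for alert in alerts:
        print(alert)
    print(f"dropped: {dropped_count}")
```

Of the six constructed lines, three are dropped (the traffic log, the benign WildFire verdict and the non-CEF line) and three reach the mapping step; the third of those shows what happens when the alert type comes from PanOSThreatCategory and has no entry in the mapping table. Passing a drop list such as {("THREAT", "spyware")} to process() models the platform-side "high-volume and low-value" drops, which the page lists but does not enumerate.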

Vendor documentation

Configure Log Forwarding