Integration Guide

Integrating Palo Alto Networks® Cortex Data Lake with EventTracker

Publication Date: October 6, 2021

© Copyright Netsurion. All Rights Reserved.


Abstract

This guide provides instructions for retrieving Palo Alto Networks® Cortex Data Lake events via remote syslog. Once the logs are arriving in EventTracker, reports, dashboards, alerts, and saved searches can be configured.

Scope

The configuration details in this guide are consistent with EventTracker version 9.3 or above and Palo Alto Networks® Cortex Data Lake.

Audience

Administrators assigned the task of monitoring Palo Alto Networks® Cortex Data Lake events using EventTracker.


Table of Contents

1. Overview
2. Prerequisites
3. Configuring Palo Alto Networks® Cortex Data Lake to Forward Logs to EventTracker
   3.1 Forwarding syslog data to EventTracker
4. EventTracker Knowledge Packs
   4.1 Category
   4.2 Alerts
   4.3 Reports
   4.4 Dashboards
5. Importing Palo Alto Networks® Cortex Data Lake Knowledge Pack into EventTracker
   5.1 Category
   5.2 Alerts
   5.3 Knowledge Object
   5.4 Reports
   5.5 Dashboards
6. Verifying Palo Alto Networks® Cortex Data Lake Knowledge Pack in EventTracker
   6.1 Category
   6.2 Alert
   6.3 Knowledge Object
   6.4 Report
   6.5 Dashboards
About Netsurion
Contact Us


1. Overview

Palo Alto Networks® Cortex Data Lake stores the context-rich, enhanced network logs generated by Palo Alto Networks security products, including the next-generation firewalls, Prisma Access, and Cortex XDR.

EventTracker helps you monitor events from Palo Alto Networks® Cortex Data Lake. Its dashboards, alerts, and reports track authentication activity, threat activity, traffic activity, and configuration changes. It triggers an alert whenever a user authentication fails, a threat is detected, a configuration is successfully changed, or an unauthorized configuration change is attempted.

2. Prerequisites

• EventTracker v9.x or above should be installed.

• A user with global administrator rights on Palo Alto Networks® Cortex Data Lake.

• The syslog port (UDP 514 in this guide) must be allowed through the firewall to the EventTracker manager. Because Cortex Data Lake is a cloud service, this traffic arrives from the Internet, so restrict the rule to the source addresses Cortex Data Lake forwards from rather than opening the port to any source.

• Administrative access on EventTracker.

3. Configuring Palo Alto Networks® Cortex Data Lake to Forward Logs to EventTracker

Palo Alto Networks® Cortex Data Lake events can be integrated with EventTracker by forwarding syslog to the EventTracker manager.

3.1 Forwarding syslog data to EventTracker

1. Log in to Palo Alto Networks Cortex Data Lake at https://apps.paloaltonetworks.com/.

2. Select the Cortex Data Lake instance that you want to configure for syslog forwarding.

(If you have multiple Cortex Data Lake instances, click the Cortex Data Lake tile and select an

instance from the list of those available.)

3. Select Log Forwarding -> Add to add a new Syslog forwarding profile.

4. Enter a descriptive Name for the profile as EventTracker syslog.

5. Enter the EventTracker Manager syslog server IP address.

6. Enter the Port on which the syslog server is listening: UDP port 514 (recommended if the EventTracker manager is on-premises). Note that UDP syslog is neither encrypted nor authenticated, so these logs cross the Internet in clear text; if both ends support syslog over TLS, prefer it.


7. Click Next.

8. Specify the Format in which you would like to forward your logs.

9. Specify the Delimiter that separates the fields in your log messages. Note the Format and Delimiter you choose; the receiving parser must match them or fields will not be extracted.

10. Select the logs to forward.

   I. Add a new log filter.

   II. Select the log type:

   • Threat

   • Traffic

   • Authentication

   • Configuration


   III. Click Save.

11. Verify that the status of your syslog forwarding profile is Running.

4. EventTracker Knowledge Packs

After logs are received by the EventTracker manager, Knowledge Packs can be configured in EventTracker. The following Knowledge Packs (KPs) are available in EventTracker to support Palo Alto Networks® Cortex Data Lake.

4.1 Category

• Palo Alto Networks Cortex DL - Authentication activities – This category of saved search allows users to parse events specific to authentication activities performed on Palo Alto Networks® Cortex Data Lake.

• Palo Alto Networks Cortex DL - Successful Configuration changed – This category of saved search allows users to parse events specific to successful configuration changes on Palo Alto Networks® Cortex Data Lake.

• Palo Alto Networks Cortex DL - Threat Detection – This category of saved search allows users to parse events specific to threat detection on Palo Alto Networks® Cortex Data Lake.

4.2 Alerts

• Palo Alto Networks Cortex DL: Authentication Failed – This alert is triggered when an authentication failure is detected in Palo Alto Networks® Cortex Data Lake.

• Palo Alto Networks Cortex DL: web traffic blocked – This alert is triggered when blocked web traffic is detected in Palo Alto Networks® Cortex Data Lake.

• Palo Alto Networks Cortex DL: Successful configuration changed – This alert is triggered when a successful configuration change is detected in Palo Alto Networks® Cortex Data Lake.

• Palo Alto Networks Cortex DL: Threat detected – This alert is triggered when a threat is detected in Palo Alto Networks® Cortex Data Lake.

• Palo Alto Networks Cortex DL: Unauthorized configuration change action – This alert is triggered when an unauthorized configuration change action is detected in Palo Alto Networks® Cortex Data Lake.
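The forwarding profile in section 3.1 emits delimiter-separated records (steps 8 and 9), and the alerts listed in section 4.2 fire on their contents. The following Python script is an added example, not code from the Netsurion guide or from Palo Alto Networks: it parses constructed syslog lines in an assumed field order (the real Cortex Data Lake column layout depends on the Format you chose and is not reproduced here), maps each record to the alert names from section 4.2, counts malformed records instead of stalling on them, and pushes one datagram through a loopback UDP socket as a stand-in for checking that the syslog path to the EventTracker manager is open. The FIELDS order, the sample lines, and the rules in classify() are all assumptions.

```python
"""Added example: parse delimiter-separated syslog records, map them to the
Knowledge Pack alert names, and smoke-test a UDP syslog path over loopback.
The field layout and sample lines are constructed, not the real Cortex Data
Lake schema."""

import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed field order for the constructed sample lines below. Replace with the
# column order your Cortex Data Lake forwarding profile actually emits.
FIELDS = ("log_type", "subtype", "src_ip", "dst_ip", "src_user",
          "dst_user", "action", "result", "category")

PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class Event:
    facility: int
    severity: int
    fields: Dict[str, str]


def parse_syslog_line(line: str, delimiter: str = ",") -> Event:
    """Split '<PRI>TIMESTAMP HOST MSG', where MSG is delimiter-separated.
    Rejects records that do not fit the expected layout rather than guessing."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("bad or missing syslog PRI")
    pri = int(m.group(1))
    parts = line[m.end():].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("missing timestamp/host header")
    values = parts[2].split(delimiter)
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return Event(pri // 8, pri % 8, dict(zip(FIELDS, values)))


def classify(ev: Event) -> Optional[str]:
    """Map one event to an alert name from section 4.2 of the guide; None
    means no alert (for example an ordinary Traffic record). Assumed rules."""
    f = ev.fields
    log_type, result = f["log_type"].lower(), f["result"].lower()
    if log_type == "authentication" and result == "failure":
        return "Authentication Failed"
    if log_type == "threat":
        if f["subtype"].lower() == "url" and f["action"].lower().startswith("block"):
            return "web traffic blocked"
        return "Threat detected"
    if log_type == "config":
        if result == "succeeded":
            return "Successful configuration changed"
        if result == "unauthorized":
            return "Unauthorized configuration change action"
    return None


def triage(lines: List[str], delimiter: str = ",") -> Tuple[List[Tuple[str, str]], int]:
    """Return (alerts as (name, src_ip), number of rejected lines). A malformed
    record is counted and skipped so one bad line cannot stall the feed."""
    alerts: List[Tuple[str, str]] = []
    rejected = 0
    for line in lines:
        try:
            ev = parse_syslog_line(line, delimiter)
        except ValueError:
            rejected += 1
            continue
        name = classify(ev)
        if name:
            alerts.append((name, ev.fields["src_ip"]))
    return alerts, rejected


def loopback_smoke_test(line: str) -> bool:
    """Send one datagram through a loopback UDP socket and confirm it arrives
    intact. Uses an ephemeral port so it runs unprivileged instead of 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(line.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8") == line


# Constructed sample lines (not captured from a real Cortex Data Lake tenant).
SAMPLE_LINES = [
    "<86>2021-10-06T12:00:00Z cdl Authentication,login,203.0.113.5,10.0.0.1,alice,-,login,failure,-",
    "<84>2021-10-06T12:00:01Z cdl Threat,url,10.0.0.7,198.51.100.9,bob,-,block-url,-,malware",
    "<84>2021-10-06T12:00:02Z cdl Threat,vulnerability,198.51.100.3,10.0.0.20,-,-,reset-both,-,exploit",
    "<86>2021-10-06T12:00:03Z cdl Config,commit,10.0.0.2,-,admin,-,edit,succeeded,-",
    "<86>2021-10-06T12:00:04Z cdl Config,edit,10.0.0.9,-,mallory,-,edit,unauthorized,-",
    "<86>2021-10-06T12:00:05Z cdl Traffic,end,10.0.0.7,198.51.100.9,bob,-,allow,-,-",
    "<86>2021-10-06T12:00:06Z cdl Traffic,end,truncated",  # deliberately malformed
]

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LINES)
    for name, src in found:
        print(f"{name:45} src={src}")
    print(f"rejected={bad} loopback_ok={loopback_smoke_test(SAMPLE_LINES[0])}")
```

Run it directly to print the alerts it would raise for the sample lines. To use it against a real feed, set FIELDS to the column order of your forwarding profile and pass lines captured on the EventTracker manager; a high rejected count means the Delimiter or Format chosen in section 3.1 does not match what the parser expects.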


4.3 Reports

• Palo Alto Networks Cortex DL - Configuration changes – This report provides a detailed summary of configuration changes. It contains the source IP address, log source, destination username, and more.

• Palo Alto Networks Cortex DL - Authentication Activities – This report provides a detailed summary of authentication activity. It contains the source IP address, log source, source username, destination username, and more.

• Palo Alto Networks Cortex DL - Threat activities – This report provides a detailed summary of threat activity. It contains the source IP address, log source, source username, destination username, HTTP request, direction of attack, and more.

• Palo Alto Networks Cortex DL - Traffic Activities – This report provides a detailed summary of traffic activity. It contains the source IP address, log source, source username, destination username, protocol type, and more.

4.4 Dashboards

• Palo Alto Networks Cortex DL - Authentication activity by username

• Palo Alto Networks Cortex DL - Threat activity by category


• Palo Alto Networks Cortex DL - Traffic activities by source IP address

• Palo Alto Networks Cortex DL - Configuration activities by status


• Palo Alto Networks Cortex DL - Activities by log type

5. Importing Palo Alto Networks® Cortex Data Lake Knowledge Pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

• Category

• Alert

• Knowledge Object

• Report

• Dashboard

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.

3. Click the Import tab.


5.1 Category

1. Click the Category option, and then click the browse button.

2. Locate the Categories_Palo Alto Networks® Cortex DL.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays a success message.

4. Click OK, and then click the Close button.

5.2 Alerts

1. Click the Alerts option, and then click the browse button.


2. Locate the Alerts_Palo Alto Networks® Cortex DL.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

EventTracker displays a success message.

4. Click OK, and then click Close.

5.3 Knowledge Object

1. Click Knowledge objects under Admin option in the EventTracker manager page.


2. Click the Import button, as highlighted in the image below.

3. Click Browse.

4. Locate the file named KO_Palo Alto Networks® Cortex DL.etko.

5. Select the check box, and then click the Import option.


6. Knowledge Objects (KO) are now imported successfully.

5.4 Reports

1. Click the Reports option and select the New (*.etcrx) option.

2. Locate the file named Reports_Palo Alto Networks® Cortex DL.etcrx and select all the check boxes.


3. Click the Import button to import the reports. EventTracker displays a success message.

5.5 Dashboards

NOTE: The steps below are specific to EventTracker 9 and later.

1. Open EventTracker in a browser and log on.

2. Navigate to the My Dashboard option as shown above.


3. Click the Import button as shown below.

4. Import the dashboard file Dashboards_Palo Alto Networks Cortex DL.etwd and select the Select All checkbox.

5. Click Import as shown below.

6. The import is now complete.

7. On the My Dashboard page, select the option to add a dashboard.


8. Choose an appropriate Title and Description. Click Save.

9. On the My Dashboard page, select the option to add dashlets.

10. Select the imported dashlets and click Add.


6. Verifying Palo Alto Networks® Cortex Data Lake Knowledge Pack in EventTracker

6.1 Category

1. Log on to EventTracker.

2. Click the Admin dropdown, and then click Category.

3. In the Category Tree, scroll down and expand the Palo Alto Networks® Cortex Data Lake group folder to view the imported category.

6.2 Alert

1. Log on to EventTracker.

2. Click the Admin menu, and then click Alerts.


3. In the Search box, type Palo Alto Networks® Cortex Data Lake, and then click the Go button.

The Alert Management page displays the imported alerts.

4. To activate an imported alert, toggle its Active switch.

EventTracker displays a message box.

5. Click OK, and then click the Activate Now button.

NOTE: Specify appropriate system in alert configuration for better performance.

6.3 Knowledge Object

1. In the EventTracker web interface, click the Admin dropdown, and then select Knowledge Objects.

2. In the Knowledge Object tree, expand the Palo Alto Networks® Cortex Data Lake group folder to view the imported knowledge object.


3. Click Activate Now to apply imported knowledge objects.

6.4 Report

1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.

2. In the Reports Configuration pane, select the Defined option.

3. Click the Palo Alto Networks® Cortex Data Lake group folder to view the imported reports.


6.5 Dashboards

1. In the EventTracker web interface, click the Home button and select My Dashboard.

2. In the Palo Alto Networks® Cortex Data Lake dashboard, you should now see the imported dashlets.


About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Contact Us

Corporate Headquarters

Netsurion

Trade Centre South

100 W. Cypress Creek Rd

Suite 530

Fort Lauderdale, FL 33309

Contact Numbers

EventTracker Enterprise SOC: 877-333-1433 (Option 2)

EventTracker Enterprise for MSP’s SOC: 877-333-1433 (Option 3)

EventTracker Essentials SOC: 877-333-1433 (Option 4)

EventTracker Software Support: 877-333-1433 (Option 5)

https://www.netsurion.com/eventtracker-support