This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Request Clarification: Palo Alto source integration

Posted on 07-24-2024 02:32 AM
Aravind3
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hello Everyone,

While integrating Palo Alto with Chronicle, I found a document from Palo Alto which states that the endpoint URL should be set as "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate" or according to region. My question is, by doing this, how do we specify the Log type? How will Chronicle identify that this is intended for Palo Alto Prisma Access logs or any other log type?

Reference: https://docs.paloaltonetworks.com/strata-logging-service/administration/forward-logs/forward-logs-to...

Thanks in advance.

Aravind Sreekumar

Solved Solved
1 7 624
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
Rene_Figueroa
Staff
Reply posted on --/--/---- --:-- AM

Hi @Aravind3 the Palo Alto integration sets the log type. I think this integration sets the log type as ARCSIGHT_CEF and therefore the logs are parsed by our ARCSIGHT_CEF parser. If you want to double check the log source, you can follow up with Palo Alto directly. 

View solution in original post

Jump to Solution
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
Rene_Figueroa
Staff
Reply posted on --/--/---- --:-- AM

Hi @Aravind3 the Palo Alto integration sets the log type. I think this integration sets the log type as ARCSIGHT_CEF and therefore the logs are parsed by our ARCSIGHT_CEF parser. If you want to double check the log source, you can follow up with Palo Alto directly. 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Aravind3
Bronze 4
Bronze 4
In response to Rene_Figueroa
Reply posted on --/--/---- --:-- AM

Hi @Rene_Figueroa,
Thanks a bunch

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Aravind3
Bronze 4
Bronze 4
In response to Rene_Figueroa
Reply posted on --/--/---- --:-- AM

Hi @Rene_Figueroa ,
Is there an official google doc available for Proofpoint OnDemand integration?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Rene_Figueroa
Staff
In response to Aravind3
Reply posted on --/--/---- --:-- AM

Hi @Aravind3 we have the following PoD info on our public docs:

https://cloud.google.com/chronicle/docs/reference/feed-management-api#proofpoint-on-demand

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Aravind3
Bronze 4
Bronze 4
In response to Rene_Figueroa
Reply posted on --/--/---- --:-- AM

Thanks a bunch @Rene_Figueroa 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
vpehlivanov
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Using the same Palo Alto integration I get an error at the very last step. It complains that "region is required". Has anyone seen that error before?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ionutm
Staff
In response to vpehlivanov
Reply posted on --/--/---- --:-- AM

We haven't seen this error on other instances. If this happens again please go through support so we can further investigate.

Jump to Solution
0 Likes
Top Solution Authors
View all