Issue
When configuring Palo Alto PAN-OS to send syslog data for ingestion by Red Canary, what data is expected?
Environment
Red Canary Alerts
Resolution
Red Canary prefers to ingest the Palo Alto WildFire and Palo Alto Threat Prevention data sources at Critical, High and Medium severity. System logs can be ingested but are assigned a low priority. All logs with a severity of Low or Informational are filtered out and will not be displayed in the alerts page UI.
Because Palo Alto PAN-OS can itself take action on particular traffic types, we filter out Vulnerability, Trusted Communications and reset-both events, as these alerts have already been handled by PAN-OS actions. We also do not process alerts already marked with the action "drop" or "sinkhole", as PAN-OS has already mitigated these.
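The ingestion rules above, applied to parsed PAN-OS log records, as an added example (not Red Canary's or Palo Alto's code). It assumes each record has already been parsed into a dict with the hypothetical keys type, subtype, severity and action; the sample records are constructed.

```python
# Added example: replays the Red Canary ingestion rules for PAN-OS syslog so a
# defender can predict which firewall events will surface as alerts. The dict
# field names (type, subtype, severity, action) are assumed, not a PAN-OS format.

# Low and Informational are filtered out; anything Medium or above is kept.
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0, "informational": 0}

# Preferred sources: WildFire and Threat Prevention. System logs are accepted at low priority.
PREFERRED_TYPES = {"WILDFIRE", "THREAT"}
LOW_PRIORITY_TYPES = {"SYSTEM"}

# Events PAN-OS has already handled itself, so they are not surfaced as alerts.
HANDLED_SUBTYPES = {"vulnerability", "trusted communications"}
HANDLED_ACTIONS = {"reset-both", "drop", "sinkhole"}


def classify(record):
    """Return (decision, reason); decision is 'alert', 'low-priority' or 'filtered'."""
    log_type = record.get("type", "").upper()
    subtype = record.get("subtype", "").lower()
    severity = record.get("severity", "").lower()
    action = record.get("action", "").lower()

    if action in HANDLED_ACTIONS:
        return "filtered", f"action {action!r} already mitigated by PAN-OS"
    if subtype in HANDLED_SUBTYPES:
        return "filtered", f"subtype {subtype!r} already handled by PAN-OS"
    if SEVERITY_RANK.get(severity, 0) == 0:
        return "filtered", f"severity {severity!r} is below Medium"
    if log_type in PREFERRED_TYPES:
        return "alert", f"{log_type} log at {severity} severity"
    if log_type in LOW_PRIORITY_TYPES:
        return "low-priority", "system log is ingested but not prioritised"
    return "filtered", f"log type {log_type!r} is not ingested"


def triage(records):
    """Count how a batch of records would be treated."""
    counts = {"alert": 0, "low-priority": 0, "filtered": 0}
    for record in records:
        counts[classify(record)[0]] += 1
    return counts


# Constructed sample records, not real firewall output.
SAMPLE_RECORDS = [
    {"type": "WILDFIRE", "subtype": "wildfire", "severity": "high", "action": "alert"},
    {"type": "THREAT", "subtype": "spyware", "severity": "critical", "action": "sinkhole"},
    {"type": "THREAT", "subtype": "vulnerability", "severity": "critical", "action": "reset-both"},
    {"type": "THREAT", "subtype": "spyware", "severity": "medium", "action": "alert"},
    {"type": "TRAFFIC", "subtype": "end", "severity": "informational", "action": "allow"},
    {"type": "SYSTEM", "subtype": "general", "severity": "high", "action": "none"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["type"], rec["subtype"], "->", *classify(rec))
    print(triage(SAMPLE_RECORDS))
```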
Cause
Regular traffic data and non-security error logs can saturate the ingestor and generate a large number of alerts that may not be relevant to your security needs.