Palo Alto Create Policy to SIEM
Hi,
I am going to create a rule on the SIEM side about policies created and deleted in Palo Alto. Is there a rule you have used or prepared before?
Thank you
- Labels: FortiSIEM
I think there are no predefined rules for Palo Alto firewall.
From the official guide I see that it can monitor "Configuration Change" for Palo Alto, so basically every change, but not something specifically for policies.
https://help.fortinet.com/fsiem/5-2-6_ESCG_HTML/FortiSIEM/User-guide/Palo-Alto-Firewall-Configuratio...
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi @adem_netsys
You should start by checking out the event types available for Palo Alto (ADMIN > Device Support > Event Types). Find the relevant event type for you and make sure you are receiving the event.
Then you could simply clone a rule such as FortiGate: Admin User Deleted. Then replace the event type as required. For example:
Be sure to also change the incident name under actions.
I hope it helps!