Hi,
I am going to create a rule on the Siem side about policies created and deleted in Palo alto. Is there a rule you have used or prepared before?
Thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I think there are no predefined rules for Palo Alto firewall.
From the official guide i see that it can monitor "Configuration Change" for Palo Alto so basically every change, but not something specifically for policies.
https://help.fortinet.com/fsiem/5-2-6_ESCG_HTML/FortiSIEM/User-guide/Palo-Alto-Firewall-Configuratio...
Hi @adem_netsys
You should start by checking out the event types available for Palo Alto (ADMIN > Device Support > Event Types). Find the relevant event type for you and make sure you are receiving the event.
Then you could simply clone a rule such as FortiGate: Admin User Deleted. Then replace the event type as required. For example:
be sure to also change the incident name under actions.
I hope it helps!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.