Palo Alto Create Policy to SIEM

adem_netsys · ‎01-11-2024

Hi,

I am going to create a rule on the Siem side about policies created and deleted in Palo alto. Is there a rule you have used or prepared before?

Thank you

dbu · ‎01-11-2024

I think there are no predefined rules for Palo Alto firewall.

From the official guide i see that it can monitor "Configuration Change" for Palo Alto so basically every change, but not something specifically for policies.

https://help.fortinet.com/fsiem/5-2-6_ESCG_HTML/FortiSIEM/User-guide/Palo-Alto-Firewall-Configuratio...

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

Richie_C · ‎01-18-2024

Hi @adem_netsys

You should start by checking out the event types available for Palo Alto (ADMIN > Device Support > Event Types). Find the relevant event type for you and make sure you are receiving the event.

Then you could simply clone a rule such as FortiGate: Admin User Deleted. Then replace the event type as required. For example:

be sure to also change the incident name under actions.

I hope it helps!

Take a backup before making any changes

adem_netsys · ‎01-18-2024

Thank you @Richie_C

I solved the issue.

Palo Alto Create Policy to SIEM

Nominate a Forum Post for Knowledge Article Creation