
PaloAlto threat logs not triggering alert

Hi,

I've ingested threat logs from PaloAlto in a HCP environment and they appear in Elasticsearch/Kibana. So far so good...

Currently none of the events appear in the Metron Alerts UI. I've tried configuring threat triage rules and giving scores to events based on the content of a field (severity). The scores are visible in the Elasticsearch entries, but still no alerts are triggered.

A second thing I've tried is adding a field (IsAlert, is_alert, alert) and setting it to true using field transformations. This is also visible in Elasticsearch, but still no luck in the Metron Alerts UI...

Does anybody have any advice on how I can configure my sensor to make all the events coming from PaloAlto threat logs visible in the Metron Alerts UI?

Some extra information:

Events are ingested using a dedicated Kafka topic for PaloAlto threat logs.

The Metron sensor uses the built-in BasicPaloAltoFirewallParser (Java).

Any help is more than welcome as this has been giving me some headaches the last couple of days :-)

Kind regards,

Andy

1 REPLY 1

Re: PaloAlto threat logs not triggering alert

Hi,

In case anyone has the same issue: the problem was fixed by creating a mapping for the docs stored in Elasticsearch.

The important part in that mapping is that a field exists which is called 'alert' and is of the 'nested' type.

Kind regards,

Andy
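The fix described in the reply, as an added example that is not the poster's own configuration or Metron's shipped template: a constructed Elasticsearch index template that declares a top-level `alert` field of type `nested`, plus a check that reports whether an existing template is missing that field or declares it with the wrong type. The index pattern, document type and the fields other than `alert` are assumptions.

```python
from copy import deepcopy

# Constructed minimal template for an assumed "paloalto_threat" index; the
# field names other than 'alert' are assumptions, not Metron's shipped mapping.
PALOALTO_TEMPLATE = {
    "template": "paloalto_threat_index*",
    "mappings": {
        "paloalto_threat_doc": {
            "properties": {
                "timestamp": {"type": "date"},
                "severity": {"type": "keyword"},
                "is_alert": {"type": "keyword"},
                "threat:triage:score": {"type": "float"},
                # The field the reply says matters: 'alert' must be 'nested'.
                "alert": {"type": "nested"},
            }
        }
    },
}


def _property_maps(template: dict) -> list:
    """Collect every 'properties' dict in the template's mappings.

    ES 5/6 templates nest properties under a document type; ES 7+ drops that
    level, so both layouts are handled.
    """
    mappings = template.get("mappings", {})
    if "properties" in mappings:
        return [mappings["properties"]]
    return [m.get("properties", {}) for m in mappings.values() if isinstance(m, dict)]


def check_alert_mapping(template: dict) -> str:
    """Return 'ok', 'missing', or 'wrong-type:<type>' for the top-level alert field."""
    for props in _property_maps(template):
        if "alert" in props:
            field_type = props["alert"].get("type")
            return "ok" if field_type == "nested" else f"wrong-type:{field_type}"
    return "missing"


def with_nested_alert(template: dict) -> dict:
    """Return a copy of the template with alert declared as a nested field."""
    fixed = deepcopy(template)
    targets = _property_maps(fixed)
    if not targets:  # no mapping yet: create a typeless (ES 7+) properties block
        targets = [fixed.setdefault("mappings", {}).setdefault("properties", {})]
    for props in targets:
        props["alert"] = {"type": "nested"}
    return fixed
```

The resulting dict can be serialised with `json.dumps` and installed with the legacy `PUT _template/<name>` API before the index is created, since an existing index's field types cannot be changed in place.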