Leveraging Microsoft Sentinel KQL Queries for Parsing Palo Alto Firewall Syslog Data

Introduction

Palo Alto firewalls are vital for network security, but interpreting the messages they emit can be daunting. This post shows how Microsoft Sentinel, Microsoft's cloud-native SIEM, can parse these messages using Kusto Query Language (KQL).

Understanding Firewall Messages

Before delving into the technicalities, let's look at the structure of the messages as they land in the Syslog table. Each one carries a series of tab-separated fields such as timestamps, event types, the accounts and hosts involved, and more. Understanding which field sits in which position is what makes it possible to identify network activity and security threats from the raw text.

Understanding KQL Query Step by Step

Syslog
| where Computer in ("machine_name")
// The forwarder escapes every tab in the message as the octal sequence "#011", so that is the field delimiter.
| extend Parts = split(SyslogMessage, "#011")
| extend Event = tostring(Parts[0]),
         SecurityNo = tostring(Parts[1]),
         SecurityID = tostring(Parts[3]),
         TimeGenerated = tostring(Parts[4]),
         EventID = tostring(Parts[5]),
         EventType = tostring(Parts[6]),
         NA = tostring(Parts[7]),
         NA1 = tostring(Parts[8]),
         AuditSuccess_Failure = tostring(Parts[9]),
         Domain = tostring(Parts[10]),
         ActivityType = tostring(Parts[11]),
         Null = tostring(Parts[12]),
         Operation = tostring(Parts[13]),
         OperationActivity = tostring(split(Parts[14], ":")[1])
| project TimeGenerated, EventTime, Computer, Event, EventType, SecurityID, HostIP, Operation, ActivityType, CollectorHostName, EventID, Domain, AuditSuccess_Failure, _ResourceId
| extend OperationDetail = tostring(split(Operation, ".")[0])
| extend TargetAccount = tostring(split(split(Operation, ":")[14], " ")[2])
// Each "Label: value" pair is cut out of Operation as the text between its own label and the label that follows it.
| extend AccountName = substring(Operation, indexof(Operation, "Account Name: ") + strlen("Account Name: "), indexof(Operation, "Account Domain: ", indexof(Operation, "Account Name: ") + strlen("Account Name: ")) - (indexof(Operation, "Account Name: ") + strlen("Account Name: ")))
| extend AccountDomain = substring(Operation, indexof(Operation, "Account Domain: ") + strlen("Account Domain: "), indexof(Operation, "Logon ID: ", indexof(Operation, "Account Domain: ") + strlen("Account Domain: ")) - (indexof(Operation, "Account Domain: ") + strlen("Account Domain: ")))
| extend ProcessName = substring(Operation, indexof(Operation, "Process Name: ") + strlen("Process Name: "), indexof(Operation, "Requested Operation: ", indexof(Operation, "Process Name: ") + strlen("Process Name: ")) - (indexof(Operation, "Process Name: ") + strlen("Process Name: ")))
| extend LogonId = tostring(split(substring(Operation, indexof(Operation, "Logon ID: ") + strlen("Logon ID: "), indexof(Operation, "Object: ", indexof(Operation, "Logon ID: ") + strlen("Logon ID: ")) - (indexof(Operation, "Logon ID: ") + strlen("Logon ID: "))), " ")[1])
| extend Logon_GUID = substring(Operation, indexof(Operation, "Logon GUID: ") + strlen("Logon GUID: "), indexof(Operation, "Process Information: ", indexof(Operation, "Logon GUID: ") + strlen("Logon GUID: ")) - (indexof(Operation, "Logon GUID: ") + strlen("Logon GUID: ")))
| extend SourceNetworkAddress = substring(Operation, indexof(Operation, "Source Network Address: ") + strlen("Source Network Address: "), indexof(Operation, "Source Port: ", indexof(Operation, "Source Network Address: ") + strlen("Source Network Address: ")) - (indexof(Operation, "Source Network Address: ") + strlen("Source Network Address: ")))
| project TimeGenerated, EventTime, Computer, LogonId, AccountName, AccountDomain, TargetAccount, ProcessName, Event, EventType, SecurityID, HostIP, SourceNetworkAddress, ActivityType, Operation, OperationDetail, EventID, Domain, AuditSuccess_Failure, CollectorHostName, _ResourceId, Logon_GUID

Let's break down the KQL query step by step:

  1. Filtering Messages: We start by filtering the Syslog table on the machine name (the Computer column) so that only the relevant sender's messages are processed.
  2. Splitting Messages: Using the split() function, each message is divided into segments on the delimiter "#011". This is the octal escape the syslog forwarder substitutes for a tab character, so each segment is one tab-separated field of the original message.
  3. Expanding Fields: The extend operator assigns each message segment, by its position in the array, to a named column such as event type, timestamp or event ID.
  4. Selecting Relevant Information: The project operator keeps only the columns needed for analysis, such as timestamps, event types and security IDs, together with the Operation text that the next steps parse further.
  5. Additional Field Derivation: Extra fields such as the operation detail, account name and source network address are cut out of the Operation text with the string functions indexof(), strlen() and substring(): each value is the text between its own label (for example "Account Name: ") and the label that follows it.
  6. Finalizing Output: The query concludes by projecting all relevant columns, including the derived ones, for comprehensive analysis.
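The same parsing approach, as an added example that is not part of the original post, run against a constructed datatable so it can be executed in the Log Analytics query editor without live firewall data. The two sample messages are assumptions that follow the field positions the query above expects; they are not real Palo Alto output. The second message deliberately lacks a "Source Network Address:" label, which is the case worth checking: in the query above a missing label makes indexof() return -1 and the substring() offsets are then computed from that value, whereas extract() simply returns an empty result that isempty() can flag.

```kql
// Constructed sample rows (not real firewall output): fields are tab-separated, with each tab
// escaped as "#011" by the forwarder. Parts[5] is the event ID, Parts[9] the audit result and
// Parts[13] the "Label: value" text the original query mines with indexof()/substring().
let Sample = datatable(Computer:string, SyslogMessage:string)
[
  "machine_name", "Event#011100#011x#011SID-1#0112024-01-01T00:00:00Z#0114688#011Security#011-#011-#011Success#011CORP#011Process#011-#011Subject: Account Name: svc_app Account Domain: CORP Logon ID: 0x3E7 Source Network Address: 10.0.0.5 Source Port: 0#011Detail: value",
  "machine_name", "Event#011101#011x#011SID-2#0112024-01-01T00:00:01Z#0114624#011Security#011-#011-#011Failure#011CORP#011Logon#011-#011Subject: Account Name: admin Account Domain: CORP Logon ID: 0x1F4 Target: svc#011Detail: other"
];
Sample
| where Computer in ("machine_name")
| extend Parts = split(SyslogMessage, "#011")
| extend EventID = tostring(Parts[5]),
         AuditSuccess_Failure = tostring(Parts[9]),
         Operation = tostring(Parts[13])
// Pull each value with a regex anchored on its label: the capture stops at the next whitespace,
// so the result never swallows the following label, and a missing label yields an empty value.
| extend AccountName = extract(@"Account Name:\s*(\S+)", 1, Operation),
         AccountDomain = extract(@"Account Domain:\s*(\S+)", 1, Operation),
         LogonId = extract(@"Logon ID:\s*(\S+)", 1, Operation),
         SourceNetworkAddress = extract(@"Source Network Address:\s*(\S+)", 1, Operation)
// Surface rows whose layout did not match instead of letting them pass with empty fields.
| extend ParseGap = isempty(AccountName) or isempty(SourceNetworkAddress)
| project EventID, AuditSuccess_Failure, AccountName, AccountDomain, LogonId, SourceNetworkAddress, ParseGap
```

The first row parses fully with ParseGap false; the second row has an empty SourceNetworkAddress and ParseGap true, which is the signal to review the message layout rather than trust the column.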

Conclusion

Understanding Palo Alto firewall messages is vital for maintaining network security. By utilizing Microsoft Sentinel and KQL, security professionals can turn these messages into structured columns, enabling swift detection of and response to potential threats. Dissecting the query step by step, as above, shows how each stage of the pipeline contributes to that result and makes it easier to adapt the query to your own message layout.
