Skip to main content
 

This procedure helps you to connect your Palo Alto Networks via SIEM to the Expel Workbench. The procedure is to port in logs by creating a new Syslog source, configuring that source in Workbench, then configure your Palo Alto Networks via SIEM device in Workbench.

Note

Some steps in this procedure vary greatly depending upon the SIEM-based technology you use.

Step 1: Logging Palo Alto Networks to a desired SIEM

Refer to your SIEM documentation or work with your SIEM representative to port in Palo Alto Networks logs. You can also refer to the following web references for creating a new Syslog source:

Step 2: Configure the SIEM in Workbench

This link opens the Expel Knowledge Base section for connecting SIEM-based technology to Workbench. Follow the applicable article to configure your SIEM-based tech and confirm that Palo Alto Networks logs are flowing through and available.

Step 3: Configure Palo Alto Networks via SIEM in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, go to https://workbench.expel.io/settings/security-devices?setupIntegration=palo_alto_networks_siem.

    image2.png
  2. Fill in the device fields like this:

    1. For SIEM, select the SIEM that was onboarded in Step 2.

    2. For Name, type the host name of the Palo Alto Networks device.

    3. For Location, type the geographic location of the device.

  3. Fill in the Connection Settings fields based on the SIEM you selected:

    1. For Source category, type the Sumo Logic source category for this device.

    2. For Source type, type the Splunk source type for this device.

    3. For Index, type in the Splunk index where the logs are located