This guide covers how to set up Palo Alto Networks Strata Logging Service with Workbench via webhook.

Prerequisites

  1. You must have admin access in Workbench to set up this integration.
  2. You must have role privileges that allow for creation and management of log forwarding profiles in Palo Alto Strata.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Add Palo Alto Strata as a Security Device in Workbench
  2. Configure Palo Alto Strata to Send Events to Expel’s Webhook URL
  3. Test Webhook Connectivity

Step 1: Add Palo Alto Strata as a Security Device in Workbench

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Palo Alto” and then select the Palo Alto Strata integration.

  5. Complete the fields as follows:
    • Name - enter a name that helps you identify this integration, such as “CompanyName Palo Alto Strata”. This name is displayed in the Name column in Workbench and is a text string you can filter on.
    • Location - enter the location of your integration, for example “cloud”. This is also a filterable text string, so use consistent location names across your Expel integrations.
  6. Select Save.
  7. Your device should be created successfully within a few seconds.
  8. On the Security Devices page, select the dropdown arrow for the Palo Alto Strata device you just onboarded, and select Edit.
  9. In the Connection Settings section, webhook credentials have already been generated and populated. Copy the URL, username, and password for use in the next step, and store them as you would any other secret: the username and password are what authorize posts to this webhook.

Step 2: Configure Palo Alto Strata to Send Events to Expel’s Webhook URL

  1. Log in to the Palo Alto Hub.
  2. Launch Strata Logging Service.
  3. In the main menu, select Log Forwarding and then select the HTTPS tab.
  4. In the top right of the list, select "+" to create a new forwarding profile.
  5. On the HTTPS Forwarding Profile configuration page, configure the settings as follows:
    1. Name - enter a descriptive name, such as "Expel_Workbench_Forwarding".
    2. URL - paste the Webhook URL you copied from Workbench in Step 1.
    3. Leave the Server Authentication and Client Authentication sections as is.
    4. In the Client Authorization section: For Type, select Basic Authorization. Then, enter the Webhook username and Webhook password you copied from Workbench in Step 1.
    5. Select Test Connection to ensure that Strata can communicate with the Workbench webhook.
  6. Select Next.
  7. In the Payload Format dropdown, select Array JSON.
  8. Skip the Status Notification and Profile Token settings.
  9. Select + Add to configure the log types to forward. Forward these three essential log types for visibility:
    1. Type - URL. Paste the following required filter:

      URLCategory = 'malware' OR URLCategory = 'command-and-control' OR URLCategory = 'phishing' OR URLCategory = 'dynamic-dns'

    2. Type - Threat. Paste the following required filter:

      (severity = 'Medium' OR severity = 'High' OR severity = 'Critical' ) AND (Subtype = 'spyware' OR Subtype = 'wildfire-virus' OR Subtype = 'virus' OR Subtype = 'wildfire') OR (ThreatName LIKE "%webshell%" OR ThreatName LIKE "%crypto%" OR ThreatName LIKE "%miner%" )
    3. Type - GlobalProtect. No filtering recommended.

  10. Select Save to finalize the log selection.
  11. Select Save again to save the forwarding profile.
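
To see what the two required filters above actually forward before the profile goes live, here is an added example (not Palo Alto Networks or Expel code) that implements both filters in Python and runs them over constructed URL and Threat records whose fields are named after the filter's own field names. It assumes SQL-style precedence (AND is evaluated before OR), case-sensitive equality and a case-insensitive LIKE; the records are made up for the example. The point it makes about the Threat filter: because AND binds tighter than OR, a ThreatName containing webshell, crypto or miner is forwarded at any severity, while a Critical threat whose Subtype is not in the list (a vulnerability exploit, say) is not forwarded by this filter.

```python
"""Evaluate the URL and Threat filters from the forwarding profile against a
few constructed log records, to see which records Strata would forward.

Added example, not Palo Alto Networks or Expel code. Assumptions: the filter
language evaluates AND before OR (SQL precedence), '=' compares strings
case-sensitively, and LIKE '%x%' is a case-insensitive substring match.
The record dicts are constructed test data, not real Strata log output.
"""

# Values copied verbatim from the two required filters.
URL_CATEGORIES = {"malware", "command-and-control", "phishing", "dynamic-dns"}
THREAT_SEVERITIES = {"Medium", "High", "Critical"}
THREAT_SUBTYPES = {"spyware", "wildfire-virus", "virus", "wildfire"}
THREAT_NAME_SUBSTRINGS = ("webshell", "crypto", "miner")  # LIKE "%...%"


def url_filter(rec):
    """URLCategory = 'malware' OR ... OR URLCategory = 'dynamic-dns'."""
    return rec.get("URLCategory") in URL_CATEGORIES


def threat_filter(rec):
    """(severity ...) AND (Subtype ...) OR (ThreatName LIKE ...).

    With AND evaluated first the expression is (A AND B) OR C: a ThreatName
    match forwards the record at any severity, and a Medium+ record without
    a listed Subtype (e.g. a 'vulnerability' exploit) is not forwarded.
    """
    severity_ok = rec.get("severity") in THREAT_SEVERITIES
    subtype_ok = rec.get("Subtype") in THREAT_SUBTYPES
    name = rec.get("ThreatName", "").lower()
    name_ok = any(s in name for s in THREAT_NAME_SUBSTRINGS)
    return (severity_ok and subtype_ok) or name_ok


def forwarded(records, predicate):
    """Return the ids of the records the given filter would forward."""
    return [rec["id"] for rec in records if predicate(rec)]


# Constructed sample records (not real log lines).
SAMPLE_URL_LOGS = [
    {"id": "u1", "URLCategory": "malware"},
    {"id": "u2", "URLCategory": "social-networking"},
    {"id": "u3", "URLCategory": "command-and-control"},
]

SAMPLE_THREAT_LOGS = [
    {"id": "t1", "severity": "High", "Subtype": "spyware",
     "ThreatName": "Trojan.Generic"},        # severity AND subtype: forwarded
    {"id": "t2", "severity": "Low", "Subtype": "spyware",
     "ThreatName": "Adware.Generic"},        # Low severity: dropped
    {"id": "t3", "severity": "Low", "Subtype": "vulnerability",
     "ThreatName": "PHP Webshell Upload"},   # name match at any severity: forwarded
    {"id": "t4", "severity": "Critical", "Subtype": "vulnerability",
     "ThreatName": "Apache Struts RCE"},     # Critical but no listed subtype: dropped
]

if __name__ == "__main__":
    print("URL records forwarded:", forwarded(SAMPLE_URL_LOGS, url_filter))
    print("Threat records forwarded:", forwarded(SAMPLE_THREAT_LOGS, threat_filter))
```

Re-run it with records shaped like your own traffic before deciding whether the required filters alone give you the coverage you expect; the script only models the filter text, not Strata's evaluation engine.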

Step 3: Test Webhook Connectivity

  1. On the Log Forwarding page, select the HTTPS tab to see HTTPS Profiles. After saving, the Status of a new forwarding profile here may show as Provisioning. Wait for up to 10 minutes for the status to change to Running.
  2. To verify events are flowing, log in to Workbench and navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36-72 hours for alerts to appear after setup, as we tune your device.
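
Test Connection in Step 2 and the Running status above tell you that Strata can reach the webhook, but not what the request looks like or whether a failure is down to credentials or egress. The following added example (not Expel or Palo Alto Networks code) has two halves: send_events reproduces the request the profile makes, a Basic-authenticated POST whose body is a JSON array (Array JSON is assumed here to mean exactly that), and StandInWebhook is a local receiver that enforces the same Basic credential and rejects non-array bodies, which is what the script runs against by default. USER, PASSWORD, the listening port and the event are constructed test values; the real Workbench webhook is HTTPS and uses the URL and credentials from Step 1.

```python
"""Reproduce the Basic-authenticated Array JSON POST that the forwarding
profile sends, and a local stand-in receiver to run it against.

Added example, not Expel or Palo Alto Networks code. Assumptions: the Array
JSON payload format is a request body that is a JSON array of event objects,
and the webhook checks the HTTP Basic credential from Step 1. USER, PASSWORD,
the listening port and the event below are constructed test values.
"""
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError

USER, PASSWORD = "webhook-user", "webhook-pass"  # constructed, not real creds
RECEIVED = []  # events the stand-in receiver accepted


def basic_header(user, password):
    """Value of the Authorization header for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


class StandInWebhook(BaseHTTPRequestHandler):
    """Accepts only correctly authenticated POSTs whose body is a JSON array."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        presented = self.headers.get("Authorization", "")
        # Constant-time comparison of the whole header value, so a different
        # scheme or a truncated credential fails the same way a wrong one does.
        if not hmac.compare_digest(presented, basic_header(USER, PASSWORD)):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="webhook"')
            self.end_headers()
            return
        try:
            events = json.loads(body)
            if not isinstance(events, list):
                raise ValueError("Array JSON body must be a JSON array")
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        RECEIVED.extend(events)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_receiver():
    """Start the stand-in on a free localhost port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), StandInWebhook)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def send_events(url, user, password, events, timeout=10):
    """POST events as Array JSON with Basic auth; returns the HTTP status code."""
    req = request.Request(
        url,
        data=json.dumps(events).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": basic_header(user, password)},
    )
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # 401 for bad credentials, 400 for a non-array body


if __name__ == "__main__":
    server, url = start_receiver()
    event = {"type": "THREAT", "severity": "High", "Subtype": "spyware"}  # constructed
    print("good credentials:", send_events(url, USER, PASSWORD, [event]))
    print("bad credentials: ", send_events(url, USER, "wrong", [event]))
    print("received:", RECEIVED)
    server.shutdown()
```

Pointed at the Workbench URL and credentials from Step 1 instead of the stand-in, a 401 means the credential is wrong or stale and a connection failure means egress from your network is blocked; what the real endpoint returns for an accepted payload is not documented on this page, so do not rely on the stand-in's 200 as a model of it.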