Hi everyone,
We're currently integrating Palo Alto logs (via Panorama) into our SIEM solution (Wazuh) using syslog, and I wanted to confirm the log types that are forwarded by default or require additional configuration.
Specifically, does Panorama forward the following events out-of-the-box via syslog?
Malware/Spyware detections
Command and Control (C2) communications
CVE exploit attempts
High/Critical severity IPS alerts
DNS tunneling or other evasion behaviors
Blocked or suspicious URL category access attempts
DLP events or sensitive data exfiltration
Abnormal login behavior or access to uncommon ports
GlobalProtect VPN anomalies (e.g., connection failures, logins from new or suspicious locations)
If some of these aren’t forwarded by default, what additional steps (custom syslog filters, log forwarding profiles, threat signatures, etc.) are needed to ensure these logs are exported properly?
Thanks in advance for any clarification or guidance!
Best regards, Austin
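Not part of Austin's post: an added Python example that parses PAN-OS-style CSV syslog lines (constructed samples, not real Panorama output) and reports which of the requested THREAT event classes actually appear in the feed, so a forwarding-profile gap shows up before any Wazuh rules are written. The field offsets, hostname and threat IDs are assumptions; verify the offsets against the syslog field reference for your PAN-OS release.

```python
import csv
from collections import Counter, defaultdict

# Assumed 0-based offsets in the PAN-OS THREAT CSV syslog layout; verify
# them against the syslog field reference for your PAN-OS release.
TYPE, SUBTYPE, SRC, DST, ACTION, THREAT_ID, SEVERITY = 3, 4, 7, 8, 30, 32, 34

# THREAT subtypes that answer each event class asked about in the post.
# C2 signatures arrive under the "spyware" subtype, not as a class of their own.
WANTED = {
    "malware/spyware": {"virus", "spyware", "wildfire"},
    "c2": {"spyware"},
    "exploit/ips": {"vulnerability"},
    "url-category": {"url"},
    "dlp": {"data"},
}

def parse_line(line):
    """Drop the BSD syslog header (timestamp + hostname) and split the CSV body."""
    body = line.split(" ", 4)[-1]
    return next(csv.reader([body]))

def coverage(lines):
    """Return ({event class: Counter(severity)}, [classes with no events seen])."""
    seen = defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        if len(fields) <= SEVERITY or fields[TYPE] != "THREAT":
            continue  # TRAFFIC/SYSTEM lines and truncated records are skipped
        subtype, severity = fields[SUBTYPE], fields[SEVERITY].lower()
        for cls, subtypes in WANTED.items():
            if subtype in subtypes:
                seen[cls][severity] += 1
    missing = [cls for cls in WANTED if cls not in seen]
    return dict(seen), missing

def _mk(sub, sev, tid, action="alert", log_type="THREAT"):
    """Build one constructed log line with only the fields above populated."""
    f = [""] * 40
    f[TYPE], f[SUBTYPE], f[SRC], f[DST] = log_type, sub, "10.0.0.5", "203.0.113.9"
    f[ACTION], f[THREAT_ID], f[SEVERITY] = action, tid, sev
    return "Jun 10 12:00:00 panorama.example.net " + ",".join(f)

# Constructed sample feed: no "data" (DLP) subtype, so that class is reported missing.
SAMPLE_LOGS = [
    _mk("spyware", "critical", "CONSTRUCTED-C2(00001)"),
    _mk("vulnerability", "high", "CONSTRUCTED-EXPLOIT(00002)", action="reset-both"),
    _mk("vulnerability", "low", "CONSTRUCTED-SCAN(00003)"),
    _mk("url", "informational", "malware-sites", action="block-url"),
    _mk("end", "", "", action="allow", log_type="TRAFFIC"),
]
```

Run `coverage()` over a day of captured syslog instead of `SAMPLE_LOGS`; any class in the returned `missing` list points at a log type the forwarding profile is not sending.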