Install the Sumo Logic App
Now that you have set up collection for Palo Alto Networks 8, install the Sumo Logic App for Palo Alto Networks 8 to use the preconfigured searches and dashboards that provide insight into your data.
To install the app:
Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.
- From the App Catalog, search for and select the app.
- To install the app, click Add to Library and complete the following fields.
  - App Name. You can retain the existing name, or enter a name of your choice for the app.
  - Data Source. Select either of these options for the data source.
    - Choose Source Category, and select a source category from the list.
    - Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).
  - Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.
Panels will start to fill automatically. Note that each panel fills gradually with data that matches its time range query and has been received since the panel was created. Results won't be available immediately, but after a short time you'll see full graphs and maps.
Description: See an overview of system, correlation, configuration, and trap events; threats; and bandwidth consumption by app and by virtual system.
Use case: Use this dashboard for an overview of various activities by severity level, geo-location, and bandwidth consumption. Based on the results you see, you can go to more detailed dashboards to drill down for details. For example, if the “Threats By Severity Level” panel shows that there are “Critical” threats, you can proceed to the threat-related dashboards, including Threat Overview, Threat Analysis, Traffic Insight - File Activity, and Traffic Insight - Web Activity.
Configuration Analysis
Description: See information about changes to your firewall configurations, including a breakdown of submitted, succeeded, and failed configuration updates; the trend of configuration update statuses; the top 10 IPs used for configuration changes; the top 10 admin users; and the top 10 commands executed.
Use case: Use this dashboard to learn about firewall configuration changes. You can identify who performed a configuration change, and the system from which the configuration change was made. The dashboard also helps you identify failed and successful configuration changes. If you observe a sudden change in device behavior, you can check this dashboard to investigate whether a configuration change might be to blame.
Description: See information about correlated events, including breakdowns of correlated events by severity, category, source user, and object; events by source IP; and recent correlation feeds.
Use case: Use this dashboard to identify hosts that are compromised, very likely compromised, likely compromised, or possibly compromised, based on correlation events.
High Severity Threats
Description: See information about the top 10 source IPs by bytes; high and critical severity threats by destination ID and by source ID; threat distribution by severity; bandwidth consumption by app; and outlier analysis of allowed and rejected requests.
Use case: Use this dashboard to identify the impact of high severity threats, including the most involved source and destination IPs. You can identify threats affecting multiple IPs, IPs affected by multiple threats, and the source IPs or users that are responsible for generating high severity threats or are impacted by them.
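The severity breakdown and the "threats affecting multiple IPs / IPs affected by multiple threats" panels described above are aggregations over PAN-OS threat logs. As an added Python example (not Sumo Logic's or Palo Alto's code), the same three counts computed offline over constructed log lines; it assumes the CSV portion of PAN-OS 8 threat syslog records, with field positions (type 4, source IP 8, destination IP 9, threat ID 33, severity 35) taken from the PAN-OS threat log layout, which you should verify against your own firewall's output.

```python
from collections import Counter, defaultdict

# PAN-OS 8 threat-log CSV positions (1-indexed). Assumption: verify these
# against your own syslog output before relying on them.
F_TYPE, F_SRC, F_DST, F_THREAT_ID, F_SEVERITY = 4, 8, 9, 33, 35
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def make_record(src, dst, threat_id, severity):
    """Build a constructed 36-field THREAT line for the sample input."""
    fields = [""] * 36
    fields[F_TYPE - 1] = "THREAT"
    fields[F_SRC - 1], fields[F_DST - 1] = src, dst
    fields[F_THREAT_ID - 1], fields[F_SEVERITY - 1] = threat_id, severity
    return ",".join(fields)

SAMPLE_LOGS = [  # constructed sample data, not real firewall output
    make_record("10.1.1.5", "192.0.2.10", "scan(8002)", "critical"),
    make_record("10.1.1.5", "192.0.2.11", "scan(8002)", "critical"),
    make_record("10.1.1.9", "192.0.2.10", "Sample Exploit(30000)", "high"),
    make_record("10.1.1.9", "192.0.2.10", "Sample Spyware(10000)", "medium"),
    make_record("10.1.1.7", "192.0.2.12", "url-filter", "informational"),
    "1,2018/01/01 00:00:00,007,TRAFFIC,end,2049",  # not a THREAT log: skipped
]

def parse_threat(line):
    """Return a dict for THREAT lines above 'informational'; None otherwise."""
    fields = line.split(",")
    if len(fields) < F_SEVERITY or fields[F_TYPE - 1] != "THREAT":
        return None
    severity = fields[F_SEVERITY - 1].lower()
    if SEVERITY_RANK.get(severity, 0) <= SEVERITY_RANK["informational"]:
        return None
    return {"src": fields[F_SRC - 1], "dst": fields[F_DST - 1],
            "threat_id": fields[F_THREAT_ID - 1], "severity": severity}

def threats_by_severity(lines):
    """Counts behind a 'Threats By Severity Level' style panel."""
    return Counter(r["severity"] for r in map(parse_threat, lines) if r)

def multi_ip_threats(lines, min_ips=2):
    """Threat IDs seen against at least min_ips distinct destination IPs."""
    dsts = defaultdict(set)
    for r in filter(None, map(parse_threat, lines)):
        dsts[r["threat_id"]].add(r["dst"])
    return {t: sorted(d) for t, d in dsts.items() if len(d) >= min_ips}

def multi_threat_ips(lines, min_threats=2):
    """Destination IPs hit by at least min_threats distinct threat IDs."""
    threats = defaultdict(set)
    for r in filter(None, map(parse_threat, lines)):
        threats[r["dst"]].add(r["threat_id"])
    return {ip: sorted(t) for ip, t in threats.items() if len(t) >= min_threats}
```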
Description: See breakdowns of events by subtype, module, severity, and EventID; objects by severity level and event type; and recent logs to the system feed.
Use case: Use this dashboard to identify system issues like hardware failures, HA failures, link down status, dropped connections with external devices, firmware / software upgrades, password change notifications, log in/log off, administrator name or password change, any configuration change, and other minor events.
Threat Overview
Description: See breakdowns of each threat type by severity; threat analytics, including threat outliers and a time comparison of current threats versus threats in the previous hour, day, and previous week; threats affecting the most destination IPs; IPs generating multiple threats; and IPs observing multiple threats.
Use case: Use this dashboard to identify threat subtypes. Based on what you learn, you can drill down for additional detail in the “Threat Analysis” dashboard. You can also use this dashboard to identify threats that affect multiple IPs, IPs affected by multiple threats, and narrow in on source IPs or users that are responsible for generating threats or are impacted by threats.
Threat Analysis
Description: See analytics and details about threats, including the count of threats whose severity is greater than “Informational”; breakdowns of threats by subtype and severity; and recent critical and non-critical threat feeds.
Use case: Use this dashboard to get detailed information on threats identified, rules fired, actions, trends, threat outliers, and threat directions.
Description: See information about firewall traffic, including protocol usage; top source IPs, apps, destination IPs, source users, and destination ports; and outlier analysis of rejected and accepted traffic.
Use case: Use this dashboard to detect sudden changes in allowed or rejected traffic in the outlier panels. To investigate outliers, look for a corresponding change in rules configuration on the Configuration Analysis dashboard.
You can also monitor the types of content being accessed by various apps and virtual systems. You can track the bandwidth consumed by specific apps and take corrective action as necessary. Using the geolocation map, you can track source and destination locations and determine whether a location is expected, and block it, as appropriate.
Traffic Insight - File Activity
Description: See information about firewall requests that involved file uploads or downloads, including upload/download event counts; top file types, file names, and apps; and time comparison and outlier analysis of download and upload traffic.
Use case: Use this dashboard to monitor end users’ file upload and download activities. You can track suspicious file types being uploaded or downloaded through various apps. It also provides insight into sudden changes in activity through outliers. With the time compare panel, you can compare the current activity trend with the previous hour, the same time yesterday, and the same time last week.
Traffic Insight - Web Activity
Description: See information about firewall requests that involved web browsing activities, including event count; top content types, apps, and URLs; and time comparison and outlier analysis of web browsing activity.
Use case: Use this dashboard to monitor end users’ web browsing activities. You can track URLs and the content being browsed using various apps. It also provides insight into sudden changes in activity through outliers. With the time compare panel, you can compare the current activity trend with the previous hour, the same time yesterday, and the same time last week.
Traps V4 Monitoring
Description: See information about trap events, including a count of trap events, a breakdown of trap events by severity, and a breakdown by Traps ESM and Traps Agent.
Use case: Use this dashboard to identify how endpoints have been attacked. You can monitor ransomware threats and new exploits. You can also track agent installs/uninstalls, upgrades, service statuses, access violations, and prevention events.