Install the Sumo Logic App
Now that you have set up collection for Palo Alto Networks, install the Sumo Logic App for Palo Alto Networks to use the preconfigured searches and dashboards that provide insight into your data.
To install the app:
Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.
- From the App Catalog, search for and select the app.
- To install the app, click Add to Library and complete the following fields.
- App Name. You can retain the existing name, or enter a name of your choice for the app.
- Data Source. Select either of these options for the data source.
- Choose Source Category, and select a source category from the list.
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).
- Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.
The Overview Dashboard keeps you up-to-speed on the higher level operations of your PAN deployment.
Source Host Locations. Using a geolocation query, this Panel maps the location of source hosts using their IP addresses.
Threat Type by Severity. Breaks down the number of threats, ranked by severity; threat types are divided into separate categories (such as Vulnerabilities and URL). Threat types displayed in this Panel include Low, Informational, High, and Critical.
Bandwidth Consumption (Bytes) by Virtual System. Displays the bandwidth of virtual systems, making it easy to see which systems are consuming the most bandwidth.
Bandwidth Consumption (Percentage) by App. Each app deployed by your organization is represented in an overall breakdown of how apps are consuming bandwidth.
Threat Type. Get an idea of the number of threats as well as the type of threats detected by Palo Alto Networks. Top Destination IPs. Shows the top 10 destination IPs (the IPs that have made the most attempts).
Top Destination IPs. Ranks the top 10 destination IPs as a bar chart.
Severity by Protocol. View the number of threats sorted by severity (Critical, High, Low, or Informational).
App by Severity. Shows the breakdown of threats per app, sorted by threat level (Critical, High, Informational, and Low).
Top Source IPs. Ranks the top 10 source IPs hitting your firewall as a bar chart.
Threat by Category. The query behind this Panel parses the threat ID and category from your Palo Alto Network logs, then returns the number of threats sorted by category.
The Traffic Monitoring Dashboard includes several Panels that display information about incoming and outgoing traffic, including bytes sent and received.
Events by Protocol. Displays the breakdown of events, sorted by protocol (ICMP, TCP, UDP, HOPOPT).
Top Destination IPs by Events. Using a geolocation query, this Panel maps which IPs are being accessed outside the network for all event types.
Top 10 Apps by Bytes Sent. Shows which apps are being sent the most bytes.
Apps by Action. This Panel queries all traffic types and then displays each app per drop, denial, and success.
Top Source IPs by Events. Displays the top 10 IPs generating events.
Top 10 Apps by Bytes Received. Traffic from the 10 most active apps is shown, making unexpected upticks in traffic easy to identify.
Bytes Sent/Received Overtime. Keep an eye on the overall inbound and outbound traffic in your deployment.
Triggered Rules by Virtual System. Including all existing trigger rules, this Panel displays traffic from each virtual system in your deployment.
This advanced Dashboard includes specialized, targeted Panels that are typically used by IT Admins.
Top 10 Source IPs by Byte. Watch for unexpected spikes in traffic from the top 10 Source IP addresses.
High Severity Threat Distribution. Displays the severity of threats over the past hour.
High Severity Threats by Destination & ID. Counted by the number of threats coming from specific destinations and IP addresses, Critical and High severity threats are shown.
Bandwidth Consumption by App. View the total bandwidth consumed by each app in one place.
Threat Distribution. Displays the source of threats as well as the number of threats over the past 24 hours.
High Severity Threats by Source & ID. No need to guess where Critical and High threats are coming from. This Panel displays each threat source.