Collect Palo Alto Prisma Cloud alert logs
This parser extracts alert logs from Palo Alto Prisma Cloud in JSON format, transforming them into the UDM. The parser performs data normalization, type conversions, and conditional logic to populate the appropriate UDM fields. It also handles nested JSON structures and arrays within the log data to extract relevant information. The information in this document applies to the parser with the PAN_PRISMA_CA ingestion label.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance.
- Privileged access to Palo Alto Prisma Cloud.
Set up feeds
To configure a feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed; for example, PAN Prisma Cloud Alerts.
- Select Webhook as the Source type.
- Select Palo Alto Prisma Cloud Alerts payload as the Log type.
- Click Next.
- Optional: Specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate log lines, such as \n.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
- Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
- From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
- Click Done.
Create an API key for the webhook feed
- Go to Google Cloud console > Credentials.
- Click Create credentials, and then select API key.
- Restrict the API key access to the Google Security Operations API.
Specify the endpoint URL
- In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
- Enable authentication by sending the API key and the secret key as custom headers in the following format:
  X-goog-api-key = API_KEY
  X-Webhook-Access-Key = SECRET
  Recommendation: Send the API key as a header rather than in the URL, because URLs (and the credentials in them) are commonly written to proxy and access logs.
- If your webhook client doesn't support custom headers, you can specify the API key and secret key as query parameters in the following format:
  ENDPOINT_URL?key=API_KEY&secret=SECRET
  Replace the following:
  - ENDPOINT_URL: the feed endpoint URL.
  - API_KEY: the API key to authenticate to Google Security Operations.
  - SECRET: the secret key that you generated to authenticate the feed.
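In production the client is Prisma Cloud itself, but it is worth pushing one alert by hand to confirm that the feed accepts your credentials before you wire up the integration. The script below is an added example (it is not code from this page, from Google or from Palo Alto Networks); it builds the POST in the header form recommended above, falls back to the query-parameter form only when asked, and shows why the fallback is worse: a helper reports whether the shared secret would end up in the request URL. The endpoint URL, API key, secret and the alert payload are placeholders and constructed values, not real ones.

```python
"""Deliver one test alert to a Google SecOps webhook feed.

Added example, not code from the original page, Google or Palo Alto Networks.
ENDPOINT_URL, API_KEY and SECRET are placeholders (assumed values): take the
real ones from the feed's Details tab and from the Cloud console.
"""
import json
import urllib.parse
import urllib.request

ENDPOINT_URL = "https://webhook.example.invalid/feed"   # placeholder
API_KEY = "API_KEY"                                      # placeholder
SECRET = "SECRET"                                        # placeholder

# Constructed sample payload using a few field names from the mapping tables.
SAMPLE_ALERT = {"policyId": "p-1", "severity": "high", "reason": "NEW_ALERT",
                "resource": {"cloudType": "gcp"}}


def prepare(endpoint_url, api_key, secret, payload, use_headers=True):
    """Build the URL, headers and body for one POST to the feed endpoint.

    use_headers=True  puts both credentials in custom headers (recommended).
    use_headers=False uses the ?key=...&secret=... query form for clients
    that cannot set headers; the secret then appears in the request line.
    """
    headers = {"Content-Type": "application/json"}
    url = endpoint_url
    if use_headers:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    else:
        # Append to an existing query string instead of producing a second '?'.
        sep = "&" if urllib.parse.urlsplit(endpoint_url).query else "?"
        url = endpoint_url + sep + urllib.parse.urlencode({"key": api_key, "secret": secret})
    return {"url": url, "headers": headers, "body": json.dumps(payload).encode("utf-8")}


def secret_in_url(prepared, secret):
    """True when the feed secret would be visible in the request URL (and so in URL logs)."""
    return secret in prepared["url"]


def send(prepared, timeout=10):
    """Perform the POST and return the HTTP status code."""
    req = urllib.request.Request(prepared["url"], data=prepared["body"],
                                 headers=prepared["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(send(prepare(ENDPOINT_URL, API_KEY, SECRET, SAMPLE_ALERT)))
```

Run it once with real values; a 2xx status means the feed accepted the credentials and the payload, and the alert should appear in the feed's event stream shortly after. If you must use the query form, remember that the secret now lives in every access log along the path and rotate it with Generate Secret Key once the client can send headers.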
Configure Palo Alto Prisma Cloud webhook to Google SecOps
- Sign in to Palo Alto Prisma Cloud.
- Select Settings > Integrations & Notification > Integrations.
- Click Add Integration.
- Select Webhook.
- Specify values for the following input parameters:
- Integration Name: Provide a unique and descriptive name (for example, Google SecOps)
- Webhook URL: Enter the ENDPOINT_URL.
- Optional: Provide a Description of the integration.
- Optional: Enable Custom Payload, and then click Next to review or revise the custom payload.
- Click Next.
- Test and Save Integration.
Configure Palo Alto Prisma Cloud alerts
- In the Palo Alto Prisma Cloud console, go to Alerts > View Alert Rules.
- Select an existing alert rule to edit.
- Optional: Create new Alert for Cloud Infrastructure.
- Optional: Create new Alert for Cloud Workload.
- Go to Configure Notifications.
- Select Webhook.
- Optional: Select the Channels that you want to send notifications of alerts triggered by the alert rule.
- Click Next.
- Click Save.
UDM mapping tables
This section explains how the parser maps raw log fields to Unified Data Model (UDM) fields.
Log structure 1: Logs with records array (not aggregated alerts)
| Raw log field | UDM field | Remarks |
|---|---|---|
| alarmType | security_result.detection_fields | key = "alarmType" |
| app | principal.application | |
| body | additional.fields | key = "body" |
| body (Account ID) | target.user.userid | Extracted from the body string "(Account ID:xxxxx)" |
| errorMessage | metadata.description | |
| errorType | security_result.detection_fields | key = "errorType" |
| notificationRuleName | security_result.rule_name | |
| policyDescription | security_result.detection_fields | |
| policyRecommendation | security_result.detection_fields | |
| policytype | security_result.detection_fields | |
| record._id | additional.fields | key = "ID {index}" |
| record.account.cloudType | principal.cloud.environment | Mapped to enum if "gcp" |
| record.accountID | target.resource.attribute.labels | key = "Account ID {index}" |
| record.accountId | target.cloud.project.id | |
| record.accountName | target.resource.attribute.labels | key = "accountName" |
| record.accountOwners | principal.user.email_addresses | Array elements merged |
| record.acknowledged | security_result.detection_fields | key = "Acknowledged {index}" |
| record.additionalInfo.saveSearchId | security_result.detection_fields | key = "saveSearchId" |
| record.alertId | security_result.detection_fields | key = "alert id" |
| record.alertRuleId | security_result.rule_id | |
| record.alertRuleName | security_result.rule_name | Potentially overwrites record.audits.ruleName |
| record.alertStatus | security_result.detection_fields | key = "alert status" |
| record.alertTs | security_result.detection_fields | key = "alertTs" |
| record.audits._id | additional.fields | key = "Audit ID {audit_index}" |
| record.audits.attackTechniques | additional.fields | key = "attackTechniques_{audit_index}" |
| record.audits.attackType | security_result.threat_name | Inside record.audits loop |
| record.audits.command | principal.process.command_line | Inside record.audits loop |
| record.audits.container | additional.fields | key = "Container {audit_index}" |
| record.audits.count | additional.fields | key = "Count {audit_index}" |
| record.audits.effect | security_result.action_details | Inside record.audits loop |
| record.audits.msg | metadata.description | Inside record.audits loop |
| record.audits.os | principal.platform_version | Inside record.audits loop |
| record.audits.pid | principal.process.pid | Inside record.audits loop |
| record.audits.processPath | principal.process.file.full_path | Inside record.audits loop |
| record.audits.ruleName | security_result.rule_name | Inside record.audits loop |
| record.audits.severity | security_result.severity | Inside record.audits loop |
| record.audits.type | metadata.product_event_type | Inside record.audits loop |
| record.audits.user | principal.user.userid | Inside record.audits loop |
| record.callbackUrl | metadata.url_back_to_product | |
| record.category | security_result.category_details | |
| record.cloudType | principal.cloud.environment | Mapped to enum if "gcp" |
| record.cluster | principal.resource.attribute.labels | key = "Cluster {index}" |
| record.collections | additional.fields | key = "Collections {index}" |
| record.complianceMetadata.complianceId | security_result.detection_fields | |
| record.complianceMetadata.customAssigned | security_result.detection_fields | |
| record.complianceMetadata.policyId | security_result.detection_fields | |
| record.complianceMetadata.requirementId | security_result.rule_id | |
| record.complianceMetadata.requirementName | security_result.summary | Various keys from subfields |
| record.complianceMetadata.requirementViewOrder | security_result.detection_fields | |
| record.complianceMetadata.sectionDescription | security_result.detection_fields | |
| record.complianceMetadata.sectionId | security_result.detection_fields | |
| record.complianceMetadata.sectionLabel | security_result.detection_fields | |
| record.complianceMetadata.sectionViewOrder | security_result.detection_fields | |
| record.complianceMetadata.standardDescription | security_result.detection_fields | |
| record.complianceMetadata.standardName | security_result.rule_name | |
| record.complianceMetadata.systemDefault | security_result.detection_fields | |
| record.containerID | principal.asset.asset_id | Prefix "containerid:" |
| record.containerName | principal.application, principal.resource.name | |
| record.firstSeen | principal.asset.first_seen_time | |
| record.fqdn | principal.hostname, principal.asset.hostname | |
| record.hasFinding | security_result.detection_fields | key = "hasFinding" |
| record.hostname | principal.hostname, principal.asset.hostname | |
| record.imageID | principal.resource.attribute.labels | key = "Image ID {index}" |
| record.imageName | principal.resource.attribute.labels | key = "Image Name {index}" |
| record.lastSeen | principal.asset.last_discover_time | |
| record.message1 | security_result.description | |
| record.namespace | principal.namespace | |
| record.policy.description | security_result.detection_fields | key = "policyDescription" (Fallback) |
| record.policy.id | security_result.detection_fields | key = "policy id" |
| record.policy.Labels | additional.fields | key = "Policy Labels" |
| record.policy.name | security_result.description | Potentially overwrites record.message1 |
| record.policy.policyType | security_result.detection_fields | key = "policy type" (Fallback) |
| record.policy.recommendation | security_result.detection_fields | key = "policy recommendation" (Fallback) |
| record.policy.severity | security_result.severity | |
| record.policyDescription | security_result.detection_fields | key = "policyDescription" |
| record.policyId | security_result.detection_fields | key = "policyId" |
| record.policyLabels | additional.fields | |
| record.policyName | security_result.description | Potentially overwrites record.policy.name |
| record.policyRecommendation | security_result.detection_fields | key = "policy recommendation" |
| record.policyType | security_result.detection_fields | key = "policy type" |
| record.profileID | additional.fields | key = "Profile ID {index}" |
| record.provider | target.resource.attribute.labels | key = "Provider {index}" |
| record.reason | security_result.summary | |
| record.region | principal.location.country_or_region | |
| record.resource | principal.resource.attribute.labels | key = "resource {key}" (for other keys in resource) |
| record.resource.account | principal.resource.attribute.labels | |
| record.resource.account | target.resource.product_object_id | |
| record.resource.accountId | principal.resource.attribute.labels | |
| record.resource.accountId | target.cloud.project.id | Fallback |
| record.resource.data.document.Statement | additional.fields | key = "Statement{key}{stmt_index}" |
| record.resource.data.document.Version | additional.fields | key = "Version" |
| record.resource.data.entities.policyRoles | additional.fields | key = "policyRole{key}{role_index}" |
| record.resource.data.isAttached | security_result.detection_fields | key = "isAttached" |
| record.resource.data.isDefaultVersion | security_result.detection_fields | key = "isDefaultVersion" |
| record.resource.data.isPermissionBoundarySet | security_result.detection_fields | key = "isPermissionBoundarySet" |
| record.resource.data.secretVersionsToStages.terraform-20260122172341570100000002 | principal.resource.attribute.labels | key = "value: {index_1}" for each item in the array |
| record.resource.data.tags | additional.fields | key = "{tag_key} {index} {tag_index}" |
| record.resource.id | principal.resource.attribute.labels | |
| record.resource.name | principal.resource.attribute.labels | |
| record.resource.region | principal.resource.attribute.labels | |
| record.resource.regionId | principal.resource.attribute.labels | |
| record.resource.resourceType | principal.resource.attribute.labels | |
| record.resource.resourceType | principal.resource.resource_subtype | Fallback |
| record.resource.url | principal.resource.attribute.labels | |
| record.resource.url | principal.url | if key = "url" |
| record.resourceCloudService | principal.resource.attribute.labels | key = "resource cloud service" |
| record.resourceId | principal.resource.product_object_id | |
| record.resourceName | principal.resource.name | Potentially overwrites record.containerName |
| record.resourceRegion | principal.location.country_or_region | Potentially overwrites record.region |
| record.resourceRegionId | principal.cloud.availability_zone | |
| record.resourceType | principal.resource.resource_subtype | |
| record.sender | metadata.description | Potentially overwrites record.audits.msg |
| record.sentTs | metadata.event_timestamp | |
| record.serialNum | additional.fields | key = "Serial Number {index}" |
| record.severity | security_result.severity | |
| record.shouldCollect | additional.fields | key = "Should Collect {index}" |
| record.source | principal.application | |
| record.tags | principal.resource.attribute.labels | key = "{tag_key} {index} {tag_index}" |
| record.time | metadata.event_timestamp | |
| record.type | principal.resource.type | |
| severity | security_result.severity | LOW, MEDIUM, HIGH, UNKNOWN |
| title | additional.fields | key = "title" |
Log structure 2: Logs with records[].aggregatedAlerts array
| Raw log field | UDM field | Remarks |
|---|---|---|
| aggregatedAlert.accountIDs | target.resource.attribute.labels | key = "AccountID {alert_index} {acct_index}" |
| aggregatedAlert.appID | security_result.detection_fields | key = "appID" |
| aggregatedAlert.category | security_result.category_details | Appended to type |
| aggregatedAlert.clusters | target.resource.attribute.labels | key = "Cluster {alert_index} {clus_index}" |
| aggregatedAlert.collections | target.resource.attribute.labels | key = "Collection {alert_index} {coll_index}" |
| aggregatedAlert.command | principal.process.command_line, security_result.detection_fields | detection_fields key = "Command" |
| aggregatedAlert.complianceIssues.category | security_result.category_details | Within complianceIssues loop |
| aggregatedAlert.complianceIssues.description | security_result.description, security_result.detection_fields | detection_fields key = "Description {alert_index} {ci_index}" |
| aggregatedAlert.complianceIssues.severity | security_result.severity, security_result.detection_fields | detection_fields key = "Severity {alert_index} {ci_index}" |
| aggregatedAlert.complianceIssues.title | security_result.action_details, security_result.detection_fields | detection_fields key = "Title {alert_index} {ci_index}" |
| aggregatedAlert.container | target.resource.name | |
| aggregatedAlert.containerID | target.resource.product_object_id | |
| aggregatedAlert.forensics | principal.url | |
| aggregatedAlert.fqdn | principal.domain.name | |
| aggregatedAlert.host | principal.hostname, principal.asset.hostname | |
| aggregatedAlert.image | target.resource.attribute.labels | key = "image" |
| aggregatedAlert.imageID | target.resource.attribute.labels | key = "imageID" |
| aggregatedAlert.incidentTime | target.resource.attribute.labels | key = "incidentTime" |
| aggregatedAlert.labels.controller-uid | target.user.product_object_id | |
| aggregatedAlert.labels.io.kubernetes.pod.name | target.hostname | |
| aggregatedAlert.message1 | security_result.description | |
| aggregatedAlert.namespaces | target.resource.attribute.labels | key = "Namespace {alert_index} {ns_index}" |
| aggregatedAlert.osDistro | security_result.detection_fields | key = "osDistro" |
| aggregatedAlert.osRelease | security_result.detection_fields | key = "osRelease" |
| aggregatedAlert.provider | security_result.detection_fields | key = "provider" |
| aggregatedAlert.region | target.cloud.availability_zone | |
| aggregatedAlert.rule | security_result.rule_name | |
| aggregatedAlert.runtime | security_result.detection_fields | key = "runtime" |
| aggregatedAlert.startupProcess | principal.process.parent_process.command_line | |
| aggregatedAlert.tags | security_result.detection_fields | key = "tags" |
| aggregatedAlert.time | metadata.event_timestamp | |
| aggregatedAlert.type | security_result.category_details | |
| aggregatedAlert.user | principal.user.userid | |
| aggregatedAlert.vulnerabilities.distribution | extensions.vulns.vulnerabilities.name | |
| aggregatedAlert.vulnerabilities.imageID | extensions.vulns.vulnerabilities.about.file.sha256 | Extracts sha256 |
| aggregatedAlert.vulnerabilities.imageName | extensions.vulns.vulnerabilities.about.file.full_path | |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.cve | extensions.vulns.vulnerabilities.cve_id | |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.link | extensions.vulns.vulnerabilities.about.url | |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.packages | target.resource.attribute.labels | key = "Packages {vln_idx1}-{vln_idx2}" |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.packageVersion | target.resource.attribute.labels | key = "PackageVersion {vln_idx1}-{vln_idx2}" |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.severity | extensions.vulns.vulnerabilities.severity | |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.sourcePackage | target.resource.attribute.labels | key = "SourcePackage {vln_idx1}-{vln_idx2}" |
| aggregatedAlert.vulnerabilities.newVulnerabilities.vulnerabilities.status | extensions.vulns.vulnerabilities.description | Prefix "status - " |
Log structure 3: Single JSON object logs (fallback)
| Raw log field | UDM field | Remarks |
|---|---|---|
| "CASB" (Static Value) | metadata.product_name | |
| "Palo Alto Networks" (Static Value) | metadata.vendor_name | |
| accountId | target.resource.product_object_id, target.resource.id | |
| actionParameters.clientID | principal.group.product_object_id | |
| complianceMetadata | security_result.detection_fields | Varied, see config for details |
| createdAt | metadata.event_timestamp | |
| data.allocationId | principal.resource.product_object_id | |
| data.publicIp | principal.ip | |
| deleted | additional.fields | key = "deleted" |
| description | metadata.description | |
| email_add | principal.user.email_addresses | |
| entitySnapshot.externalId | principal.group.product_object_id | |
| entitySnapshot.tags.io.cri-containerd.kind | target.resource.attribute.labels | key = "Containerd Kind" |
| entitySnapshot.tags.io.kubernetes.container.name | target.resource.attribute.labels | key = "Container Name" |
| entitySnapshot.tags.io.kubernetes.pod.name | target.resource.attribute.labels | key = "Pod Name" |
| entitySnapshot.tags.io.kubernetes.pod.namespace | target.resource.attribute.labels | key = "Pod Namespace" |
| entitySnapshot.tags.io.kubernetes.pod.uid | target.resource.attribute.labels | key = "Pod Id" |
| entitySnapshot.tags.maintainer | target.resource.attribute.labels | key = "Maintainer" |
| policy Type | security_result.detection_fields | |
| policy.complianceMetadata.complianceId | security_result.detection_fields | |
| policy.complianceMetadata.customAssigned | security_result.detection_fields | |
| policy.complianceMetadata.policyId | security_result.detection_fields | |
| policy.complianceMetadata.requirementId | security_result.rule_id | |
| policy.complianceMetadata.requirementName | security_result.summary | Various keys from subfields |
| policy.complianceMetadata.requirementViewOrder | security_result.detection_fields | |
| policy.complianceMetadata.sectionDescription | security_result.detection_fields | |
| policy.complianceMetadata.sectionId | security_result.detection_fields | |
| policy.complianceMetadata.sectionLabel | security_result.detection_fields | |
| policy.complianceMetadata.standardDescription | security_result.detection_fields | |
| policy.complianceMetadata.standardName | security_result.rule_name | |
| policy.complianceMetadata.systemDefault | security_result.detection_fields | |
| policy.deleted | additional.fields | key = "deleted" (Fallback) |
| policy.description | security_result.detection_fields | key = "policyDescription" |
| policy.name | security_result.description | |
| policy.policyType | security_result.detection_fields | key = "Policy Type" (Fallback) |
| policy.recommendation | security_result.detection_fields | key = "Recommendation" (Fallback) |
| policyId | security_result.detection_fields | key = "Policy Id" |
| policyType | security_result.detection_fields | key = "Policy Type" |
| reason | security_result.summary | |
| recommendation | security_result.detection_fields | key = "Recommendation" |
| region | principal.location.state | |
| regionId | principal.location.country_or_region | |
| resource.accountId | target.resource.product_object_id, target.resource.id | Fallback |
| resource.cloudType | principal.cloud.environment | Mapped to enum if "gcp" |
| resource.region | principal.location.state | Fallback |
| resource.regionId | principal.location.country_or_region | Fallback |
| resource.resourceConfigJsonAvailable | additional.fields | key = "resourceConfigJsonAvailable" (Fallback) |
| resource.resourceDetailsAvailable | additional.fields | key = "resourceDetailsAvailable" (Fallback) |
| resource.resourceType | target.resource.resource_subtype | Fallback |
| resource.unifiedAssetId | principal.asset.asset_id | Fallback |
| resource.url | principal.url | |
| resourceConfigJsonAvailable | additional.fields | key = "resourceConfigJsonAvailable" |
| resourceDetailsAvailable | additional.fields | key = "resourceDetailsAvailable" |
| resourceType | target.resource.resource_subtype | |
| severity | security_result.severity | |
| systemDefault | additional.fields | key = "systemDefault" |
| timestamp | metadata.event_timestamp | |
| unifiedAssetId | principal.asset.asset_id | Prefix "ASSETID:" |
Event type mapping
The metadata.event_type field is set based on the following logic:

```
if [has_user] == "true" and ([has_principal] == "true" or [has_target] == "true") {
  metadata.event_type = USER_UNCATEGORIZED
  if [aggregatedAlert][host] != "" and [target_present] == "true" and [principal_user_present] != "true" {
    metadata.event_type = USER_RESOURCE_ACCESS
  } else if [principal_user_present] == "true" {
    metadata.event_type = USER_UNCATEGORIZED
  } else if [principal_present] == "true" and [aggregatedAlert][host] != "" {
    metadata.event_type = STATUS_UPDATE
  } else {
    metadata.event_type = GENERIC_EVENT
  }
}
```
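The three mapping tables and the event-type logic above are easier to reason about when you can run them against a payload. The script below is an added example and is not the Google SecOps parser: it detects which of the three log structures a webhook payload has (records array, records[].aggregatedAlerts, or a single object), applies a small subset of the mappings from each table (candidate order encodes the "Potentially overwrites" and "Fallback" remarks), and then assigns metadata.event_type with the logic from the previous section. The UDM event is held as a flat dict of dotted paths. Assumptions, also marked in the code: the enum value GOOGLE_CLOUD_PLATFORM for the "mapped to enum if gcp" remark, GENERIC_EVENT as the default when the outer condition fails (the page does not state one), the reading of has_principal/has_target as "that noun has any field set", and the three sample payloads, which are constructed rather than captured from Prisma Cloud.

```python
"""Toy normaliser mirroring the UDM mapping tables and the event-type logic above.

Added example, not the Google SecOps parser: it covers a handful of mapped fields per
log structure and holds the UDM event as a flat dict of dotted paths. Sample payloads
are constructed; the cloud-environment enum name and default event type are assumptions."""

SEVERITY = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH"}  # anything else -> UNKNOWN
CLOUD_ENV = {"gcp": "GOOGLE_CLOUD_PLATFORM"}  # assumed enum name for 'mapped to enum if "gcp"'
STATIC_SINGLE = {"metadata.product_name": "CASB", "metadata.vendor_name": "Palo Alto Networks"}
EMPTY = (None, "", [], {})

def sev(raw):
    return SEVERITY.get(str(raw).lower(), "UNKNOWN")

# (UDM path, raw-field candidates in priority order, optional transform). Candidate order
# encodes the "Potentially overwrites" / "Fallback" remarks: the field that wins is first.
RECORD_MAP = [  # structure 1: elements of the top-level records array
    ("metadata.event_timestamp", ["time", "sentTs"]),
    ("principal.user.email_addresses", ["accountOwners"]),
    ("principal.resource.name", ["resourceName", "containerName"]),
    ("principal.location.country_or_region", ["resourceRegion", "region"]),
    ("target.cloud.project.id", ["accountId", "resource.accountId"]),
    ("security_result.rule_name", ["alertRuleName"]),
    ("security_result.description", ["policyName", "policy.name", "message1"]),
    ("security_result.severity", ["severity", "policy.severity"], sev),
    ("security_result.detection_fields.alert id", ["alertId"]),
]
AGG_MAP = [  # structure 2: elements of records[].aggregatedAlerts
    ("metadata.event_timestamp", ["time"]),
    ("principal.hostname", ["host"]),
    ("principal.user.userid", ["user"]),
    ("principal.process.command_line", ["command"]),
    ("security_result.detection_fields.Command", ["command"]),
    ("target.resource.name", ["container"]),
    ("target.resource.product_object_id", ["containerID"]),
    ("security_result.rule_name", ["rule"]),
]
SINGLE_MAP = [  # structure 3: a single JSON object (fallback)
    ("metadata.event_timestamp", ["timestamp", "createdAt"]),
    ("principal.cloud.environment", ["resource.cloudType"], lambda v: CLOUD_ENV.get(str(v).lower())),
    ("principal.asset.asset_id", ["unifiedAssetId"], "ASSETID:{}".format),
    ("target.resource.product_object_id", ["accountId", "resource.accountId"]),
    ("target.resource.resource_subtype", ["resourceType", "resource.resourceType"]),
    ("security_result.description", ["policy.name"]),
    ("security_result.severity", ["severity"], sev),
]

def dig(src, dotted):
    """Read a dotted path from nested dicts; None when any step is missing."""
    for part in dotted.split("."):
        src = src.get(part) if isinstance(src, dict) else None
    return src

def apply_map(spec, src, static=None):
    """First non-empty candidate per path, transformed if given; None leaves the path unset."""
    udm = dict(static or {})
    for path, candidates, *xform in spec:
        value = next((v for v in (dig(src, c) for c in candidates) if v not in EMPTY), None)
        if value is not None and xform:
            value = xform[0](value)
        if value is not None:
            udm[path] = value
    return udm

def event_type(udm, agg_host=""):
    """The 'Event type mapping' logic; has_principal/has_target are read as 'that noun has a
    field set' and GENERIC_EVENT is used as the default (both assumptions)."""
    def has(prefix):
        return any(k.startswith(prefix) for k in udm)
    principal, target, principal_user = has("principal."), has("target."), has("principal.user.")
    if not ((principal_user or has("target.user.")) and (principal or target)):
        return "GENERIC_EVENT"
    if agg_host and target and not principal_user:
        return "USER_RESOURCE_ACCESS"
    if principal_user:
        return "USER_UNCATEGORIZED"
    return "STATUS_UPDATE" if principal and agg_host else "GENERIC_EVENT"

def normalize(log):
    """Detect the log structure (records / aggregatedAlerts / single object) and map it."""
    records = log.get("records")
    if not isinstance(records, list):
        pairs = [(apply_map(SINGLE_MAP, log, STATIC_SINGLE), "")]
    elif any(isinstance(r.get("aggregatedAlerts"), list) for r in records):
        pairs = [(apply_map(AGG_MAP, a), a.get("host", ""))
                 for r in records for a in r.get("aggregatedAlerts", [])]
    else:
        pairs = [(apply_map(RECORD_MAP, r), "") for r in records]
    for udm, host in pairs:
        udm["metadata.event_type"] = event_type(udm, host)
    return [udm for udm, _ in pairs]

# Constructed sample payloads, one per log structure.
SAMPLE_RECORDS = {"records": [{"alertId": "P-1001", "alertRuleName": "Public storage", "severity": "high",
    "policyName": "Bucket is publicly readable", "resourceName": "backup-bucket", "resourceRegion": "us-east-1",
    "accountId": "123456789012", "accountOwners": ["owner@example.com"], "time": "2024-05-01T12:00:00Z"}]}
SAMPLE_AGGREGATED = {"records": [{"aggregatedAlerts": [{"host": "node-1", "user": "root",
    "command": "cat /etc/shadow", "rule": "Sensitive file read", "container": "web", "containerID": "abc123"}]}]}
SAMPLE_SINGLE = {"policy": {"name": "IAM user without MFA"}, "severity": "medium", "resourceType": "IAM User",
    "accountId": "123456789012", "unifiedAssetId": "asset-42", "timestamp": "2024-05-01T12:10:00Z",
    "resource": {"cloudType": "gcp"}}
```

Two things worth noticing when you run it: a severity string outside low/medium/high (for example "critical") comes out as UNKNOWN rather than being dropped, which matters if you filter on security_result.severity downstream; and the single-object structure never carries a user, so it always lands on GENERIC_EVENT under the published logic, while USER_RESOURCE_ACCESS requires a host on the aggregated alert plus a user on the target rather than the principal.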