Palo Alto Networks and Elastic

Solution overview

Palo Alto Networks and Elastic provide an integrated solution for near real-time threat detection, interactive triage and incident investigation, and automated response. Together they help organizations protect against attacks that can lead to data breaches and other loss or damage.

Elastic SIEM leverages the speed, scale, and relevance of Elasticsearch, and provides a curated data integration with Palo Alto Networks logs to enable cross data-source search, analysis, and correlation. Elastic SIEM provides an interactive workspace for analysts to quickly identify suspicious activity, pivot between all data sources, and gather evidence relevant to an incident.

Bidirectional integrations between Demisto and Elasticsearch enable security operations teams to automate and orchestrate response actions through pre-defined playbooks — streamlining and standardizing incident response and resolution, as well as incident lifecycle management.

Key capabilities

Palo Alto Networks and Elastic help security teams more readily navigate today’s complex threat landscape by providing an integrated solution that’s been proven in large-scale security analytics installations worldwide. By using the two together, you can:

  • Ingest Palo Alto Networks PAN-OS firewall logs into Elastic SIEM using the Filebeat Palo Alto Networks module, which normalizes them into the Elastic Common Schema (ECS)
  • Visualize, search, and correlate Palo Alto Networks logs with other security-relevant information in Kibana using Elastic SIEM, dashboards, heatmaps, geo maps, and infographic displays to enable near real-time threat hunting and automated detection
  • Apply Elastic alerting and machine learning features to automate threat detection across multiple data sources, reducing false positives, helping analysts and operators prioritize, and mitigating alert fatigue
  • Trigger Palo Alto Networks Demisto playbooks from Elastic alerts to orchestrate response actions across the entire stack of products in a single workflow, and export Elastic SIEM detections into Palo Alto Networks Demisto
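To make the first and third capabilities concrete, here is an added example (not code from Elastic, Palo Alto Networks, or the Filebeat module) that parses PAN-OS TRAFFIC syslog lines into ECS-style field names and then runs a simple detection over the normalized events, in the way a SIEM rule would. The CSV column layout is taken from the PAN-OS traffic-log format as an assumption for this example; the sample lines are constructed, the `observer.ingress.zone`/`observer.egress.zone` names are this example's own choice rather than the module's mapping, and the port-scan heuristic is illustrative. Check positions against the log field reference for your PAN-OS version before relying on them.

```python
"""Normalize constructed PAN-OS TRAFFIC syslog lines into ECS-style fields and
detect a source that is probing many ports. Added example, not Filebeat code."""
import csv
import re
from collections import defaultdict
from io import StringIO

# Assumed PAN-OS traffic-log CSV positions -> ECS-style names (assumption for
# this example; positions 0, 5, 21 are FUTURE_USE in the PAN-OS layout).
TRAFFIC_COLUMNS = {
    7: "source.ip", 8: "destination.ip", 11: "rule.name",
    14: "network.application", 16: "observer.ingress.zone",
    17: "observer.egress.zone", 24: "source.port", 25: "destination.port",
    29: "network.transport", 30: "event.action", 31: "network.bytes",
}

# RFC 3164-style header: optional <PRI>, timestamp, hostname, then the CSV body.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


def make_traffic_line(src, dst, dport, action, proto="tcp",
                      app="unknown", rule="deny-inbound"):
    """Build one constructed TRAFFIC log line in the assumed 38-column layout."""
    f = [""] * 38
    f[0] = "1"                       # format version prefix seen in PAN-OS syslog
    f[1] = f[6] = "2020/01/10 12:00:01"
    f[2], f[3], f[4] = "001801000000", "TRAFFIC", "end"
    f[7], f[8], f[11], f[14], f[15] = src, dst, rule, app, "vsys1"
    f[16], f[17], f[18], f[19] = "untrust", "trust", "ethernet1/1", "ethernet1/2"
    f[22], f[23], f[24], f[25] = "12345", "1", "51000", str(dport)
    f[29], f[30], f[31], f[32], f[33], f[34], f[37] = proto, action, "60", "60", "0", "1", "any"
    return "<14>Jan 10 12:00:01 pa-fw " + ",".join(f)


def parse_traffic_line(line):
    """Return an ECS-style dict for a TRAFFIC line, or None for other log types."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    cols = next(csv.reader(StringIO(m.group("msg"))))
    if len(cols) < 38 or cols[3] != "TRAFFIC":
        return None  # THREAT/SYSTEM logs use a different column layout
    event = {
        "observer.hostname": m.group("host"),
        "event.category": "network",
        "event.dataset": "panw.panos",
    }
    for idx, name in TRAFFIC_COLUMNS.items():
        event[name] = cols[idx]
    for key in ("source.port", "destination.port", "network.bytes"):
        event[key] = int(event[key])  # numeric ECS fields, not strings
    return event


def detect_port_scans(events, min_ports=5):
    """Flag sources whose denied TCP connections touch >= min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e is None:
            continue
        if e["event.action"] in ("deny", "drop") and e["network.transport"] == "tcp":
            ports_by_src[e["source.ip"]].add(e["destination.port"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


# Constructed sample: one host probing five ports (all denied), one normal allow.
SAMPLE_LINES = [
    make_traffic_line("10.0.0.5", "172.16.1.10", p, "deny")
    for p in (22, 23, 80, 443, 3389)
] + [make_traffic_line("10.0.0.7", "172.16.1.20", 443, "allow",
                       app="ssl", rule="allow-web")]


def run_demo(lines=SAMPLE_LINES, min_ports=5):
    """Parse every line and return the detection result."""
    return detect_port_scans([parse_traffic_line(l) for l in lines], min_ports)


if __name__ == "__main__":
    for src, ports in run_demo().items():
        print("possible scan from %s: ports %s" % (src, ports))
```

The same shape, a normalizing ingest step followed by a rule over ECS field names, is what lets a detection written once run over firewall, endpoint, and flow data alike; in Elastic SIEM the parsing is done by the Filebeat module and the rule by the detection engine, and the resulting alert is what a Demisto playbook would pick up.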

Out-of-the-box integrations

The sample integration below shows data forwarded from Palo Alto Networks devices to the Elastic Stack via the Filebeat module for Palo Alto Networks. Demisto pulls Elastic SIEM detections through its Elastic plugin, creates incidents, executes playbooks, and sends response actions back to the firewall via the PAN plugin.

Use cases

Elastic and Palo Alto Networks work together to fulfill vital use cases.

Insider threat and zero trust: The zero trust model should be the foundation for conducting operations. Because every network is different, however, it is important to know exactly where to deploy zero trust controls. Elastic can collect logs and network flow records, build baselines, and help identify where zero trust policies would be most effective. Elastic machine learning features identify anomalies and raise alerts that admins can then use to automate actions (such as firewall policy changes) through Demisto.

Threat intelligence: Palo Alto Networks provides advanced threat intelligence tools that help identify threats to the network, and Elastic makes it easy to integrate those tools and use them in real-time contexts. Feeds ingested via MineMeld, for example, can carry AutoFocus tags that are continuously ingested into Elastic SIEM, making them available for near real-time lookup, categorization, and attribution within analysis tools.

IoT and SCADA: Sensor feeds from all types of devices can be ingested into Elastic for analysis and reporting. Anomalies identified by machine learning can trigger alerts to Demisto that perform immediate actions to isolate or control devices in trouble. Practitioners can correlate Zingbox IoT security service analysis with indicators from other enterprise data sources to further validate assessments and even automate response actions like segmentation or quarantine.

NetOps and SIEM: Network data is one of the primary intelligence feeds that cybersecurity teams rely on to monitor and identify threat behaviors — and it’s even more powerful when combined with other indicators. Fine-grained network feeds from the Palo Alto Networks NGFW can be automatically normalized through the Elastic Common Schema and ingested in near real time. Once indexed, they can be correlated with other data sources and then automatically analyzed with tools like unsupervised machine learning to deliver insights and help prioritize responses.

Automated response and orchestration: With 300+ integrated vendor playbooks and counting, Demisto is a powerful platform for automating actions in a multi-vendor environment. The data analytics and insights generated within Elastic can be used to power automatic operations by pushing to Demisto, while Demisto can leverage Elastic for real-time data access and aggregation.

Learn more

When powerful technologies like Elastic and Palo Alto Networks work together, it's a force multiplier. Take a look at the following technical resources or connect with your local Elastic field team to learn more.