This article leads you through the process of integrating Palo Alto Networks Threat Prevention with Red Canary. Follow the procedure from beginning to end. 

Step 1: Red Canary–Create your Red Canary generated URL

Create a Red Canary generated-URL to send Palo Alto alerts for ingestion. 

1. From the Red Canary homepage, click Integrations, and then click Alert Sources.
2. In the search bar, type and select Palo Alto Networks Threat Prevention.
   
   
3. To configure your new alert source, scroll down and click Palo Alto Networks Threat Prevention.
4. Click Edit Configuration.
5. Enter a Name for your external alert source.  
6. Select a Display Category.
7. Under the Ingest Format/Method dropdown, select Palo Alto Networks Threat via Syslog.
8. Click Save Configuration.
9. Click Edit Configuration.
10. Click Activate.
11. Red Canary will generate a URL and Port number that you will use to input into your Palo Alto account. Copy and save this number as you will use it in subsequent steps.
    
    
12. With your Red Canary URL generated, log in to your PAN-OS device of choice.

Step 2: Your PAN-OS Device–Generate a PAN-OS certificate

Generate a PanOS custom certificate to send syslogs from your PAN-OS device to Red Canary.

Step 2.1–Create a Syslog Profile

1. From your PAN-OS dashboard, click Device.
2. From the Server Profiles dropdown in the navigation pane, click Syslog.
   
   
3. Click +Add.
4. Name your Syslog Profile.
5. Click +Add.
6. Name your Syslog Server.
7. Copy and paste the syslog server URL address from Step 1.11.
8. From the Transport dropdown, select SSL.
9. In the Port section, enter the Port number from Step 1.11. 
10. From the Format dropdown, select BSD.
11. From the Facility dropdown, select LOG_User.
12. Click OK.

Step 2.2–Create a Log Forwarding Profile

1. From your PAN-OS dashboard, click Objects.
2. In the navigation pane, click Log Forwarding.
   
   
3. Click +Add.
4. Name your log forwarding profile, and then write a description for the profile.
   Note: We recommend that you name your profile something generic so it can be reused with other PAN-OS security products (for example, RC Syslog Output). 
   
5. Click +Add.
6. Name your log forwarding profile match list, and then write a description for the profile match list.
7. From the Log Type dropdown, select threat.
8. From the Filter dropdown, select All Logs.
9. From the Syslog section, click  +Add, and then select the syslog created from Step 2.1.
10. Click OK. 
11. With your Log Forwarding Profile created, click OK.
    
    

Step 2.3–Create a Security Policy Rule

1. From your PAN-OS dashboard, click Policies.
2. In the navigation pane, click Security.
   
   
3. Click +Add.
4. To create a Security Policy Rule, fill in the required information in all of the tabs.
   Note: We recommend that you name your Security Policy Rule something generic so it can be reused with other PAN-OS security products (for example, RC Security Policy). 
5. In the Actions tab’s Action dropdown, select Allow.
6. From the Profile Type dropdown, select Profiles.
7. Customize the type of information you want to send to Red Canary by selecting your profile settings.
8. From the Log Forwarding dropdown, select RC Syslog Output.
9. With all of the required information filled in, click OK.
   

Step 2.4–Export your PAN-OS Certificate

1. From your PAN-OS dashboard, click Device.
2. From the Certificate Management dropdown in the navigation pane, click Certificates.
   
   
3. Click Generate.
4. Name your certificate.
5. For Common Name, enter the address you acquired from Red Canary in Step 1.11.
6. From the Signed By dropdown, select the trusted CA or the self-signed CA that the syslog server and the firewall both trust.
7. Click Generate.
8. Click your newly created certificate.
   
   
9. Select Certificate for Secure Syslog.
   
   
10. Click OK.
11. From the Device Certificates landing page, select the new certificate, and then click Export Certificate.
    
    
12. Select Export Private Key.
13. Enter a Passphrase.
14. Confirm your Passphrase.
15. Click OK.
    
    
16. Save the downloaded certificate as you will use it in subsequent steps.
17. With your PAN-OS generated certificate downloaded, log in to Red Canary.
18. Continue on to Step 4.

Step 3: Your PAN-OS Device–Create a Certificate Authority (CA) (Optional)

Generate a PanOS CA certificate to send syslogs from your PAN-OS device to Red Canary. If you choose to perform this step, you do so before you perform Step 4.

1. Review this article and complete steps 1-4 to configure the PAN-OS syslog monitoring process.
   Note: If a CA certificate is not already present, PAN-OS allows for their firewall to act as a certificate authority. Learn more about creating a certificate authority on a PAN device.
   
2. From your PAN-OS dashboard, click Device.
3. From the Certificate Management dropdown in the navigation pane, click Certificates.
   
   
4. Click Generate.
5. Name your certificate.
6. For Common Name, enter the URL address you acquired from Red Canary in Step 1.11.
7. From the Signed By dropdown, select the trusted CA or the self-signed CA that the syslog server and the firewall both trust.
   Note: The certificate can’t be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
8. Select Certificate Authority.
   
   
9. From the Certificate Attributes section, click +Add.
10. From the Type dropdown, select Email.
11. From the Value dropdown, enter your email address.
12. Click Generate.
13. Click your newly created certificate, and then select Certificate for Secure Syslog.
    
    
    
14. Click OK.
15. From the Device Certificates landing page, select your new certificate, and then click Export Certificate.
    
    
16. Select Export Private Key.
17. Enter a Passphrase.
18. Copy and save this Passphrase for future reference.
19. Confirm your Passphrase.
20. Click OK.
    
    
21. Save the downloaded certificate as you will use it in subsequent steps.
22. With your PAN-OS generated CA certificate downloaded, log in to Red Canary.

Step 4: Red Canary–Upload your PanOS certificates to Red Canary

Connect your custom certificates to Red Canary in order to start receiving PAN-OS alerts.

1. From the Red Canary homepage, click Integrations, and then click Alert Sources.
2. To configure your new alert source, scroll down and click Palo Alto Networks Threat Prevention.
3. Click Edit Configuration.
4. Select Use Custom TLS server certificate for ingest over TLS.
5. Upload the certificates you generated in previous steps:
1. Upload a certificate file (PEM or DER)–Upload the server.crt from Step 2.4.
2. Enter the Private key passphrase used to generate the server key from Step 3.17.
3. Upload the CA certificate corresponding to your certificate (this step is optional)–Upload the ca.crt from Step 3.
6. Click Save Configuration.