IoT Security
IoT Security is supported starting with App/Add-on 6.6.0.
IoT Security is cloud-hosted so logs are retrieved by Splunk using the IoT Security logging API. Logs are pulled down in JSON format with sourcetype="pan:iot_alert", sourcetype="pan:iot_device" and eventtype="pan_iot_device", eventtype="pan_iot_alert".
Create API Key in IoT Security
Use the instruction in the IoT Security Administrator's Guide to gain API access:
This action will provide you a Key and Key ID. The Key be shown only once, so make sure to record it or you'll need to re-create the Key.
Create IoT Security Input and add Key to Splunk
In Splunk, navigate to the Palo Alto Networks Add-on.
Within the Add-on, click the Input tab at the top left. Then click Create New Input and select IoT Security.
In the dialog window, enter the following:
| Field | Value |
|---|---|
| Name | Any friendly name (eg. "iot_security") |
| Interval | Frequency in seconds to check for new logs (60 seconds recommended) |
| Index | The index in which to put the IoT Security logs |
| Customer ID | Found in the hostname when accessing IoT Security. (eg. https://customer-id.iot.paloaltonetworks.com) |
| Access Key ID | Enter Key ID |
| Secret Access Key | Enter Key |
Then click Add to save the modular input.
Verify
After waiting the interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:
eventtype="pan_iot_device"
You should see some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in IoT Security to generate logs, and try the Troubleshooting Guide.