Configure Device Security (formerly IoT Security) input for the Splunk Add-on for Palo Alto Networks¶
Overview¶
Device Security (formerly IoT Security) is cloud-hosted, so Splunk retrieves logs using the Device Security API through Strata Cloud Manager. Logs are pulled down in JSON format with the following source types and event types:
- sourcetype="pan:iot_alert"
- sourcetype="pan:iot_device"
- sourcetype="pan:iot_vulnerability"
- eventtype="pan_iot_alert"
- eventtype="pan_iot_device"
- eventtype="pan_iot_vulnerability"
Prerequisites¶
Before creating the input, you must configure a Device Security account in the add-on. See Configure accounts for instructions on setting up a Strata Cloud Manager service account with a TSG ID, Client ID, and Client Secret.
Create Device Security input¶
If you plan to use the Device Security input, perform the following steps:
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to the Inputs page and select Create New Input > IoT Security.
- In the window that opens, enter the following values:

| Field | Value | Description |
| --- | --- | --- |
| Name | String | A unique name for this input. |
| Interval | Positive integer | Frequency in seconds to check for new logs (recommended: 60 seconds). |
| Index | Selection | The index in which to put the Device Security logs. The default is main. |
| IoT account | Selection | Select the Device Security account used to pull data from. |
| Collection date time start | UTC datetime | Specify a date and time in UTC format (YYYY-MM-DD HH:MM:SS) from which to start collecting data. For example, 2024-03-10 09:35:00. |

- Select Add to save the modular input.
Device inventory collection
Device inventory can contain tens of thousands of entries and may take longer than a single polling interval to retrieve. The add-on fetches a maximum of 20,000 devices (20 pages of 1,000 each) per polling interval and waits at least 5 minutes between device inventory pulls. Progress is saved automatically and resumes on the next interval.
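The paging and spacing rules above determine how quickly a large inventory appears in Splunk. The following is an added illustration, not the add-on's own code: it models one polling interval with the documented caps (20 pages of 1,000, at least 5 minutes between inventory pulls, checkpointed offset) against a constructed in-memory inventory, and also validates the Collection date time start format. The checkpoint layout and `fetch_devices_page` stand-in are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PAGE_SIZE = 1000                 # devices per page, as documented
MAX_PAGES_PER_INTERVAL = 20      # 20 pages = 20,000 devices per polling interval
MIN_INVENTORY_GAP = timedelta(minutes=5)  # minimum spacing between inventory pulls

def parse_collection_start(value: str) -> datetime:
    """Parse the 'Collection date time start' field (UTC, YYYY-MM-DD HH:MM:SS)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def is_valid_collection_start(value: str) -> bool:
    """True when the value matches the format the input expects."""
    try:
        parse_collection_start(value)
        return True
    except ValueError:
        return False

@dataclass
class Checkpoint:
    """Hypothetical per-input state kept between polling intervals."""
    offset: int = 0
    last_inventory_pull: Optional[datetime] = None
    done: bool = False

def fetch_devices_page(inventory: list, offset: int, page_size: int) -> list:
    """Stand-in for the devices endpoint: returns one page of a constructed list."""
    return inventory[offset:offset + page_size]

def collect_inventory(inventory: list, ckpt: Checkpoint, now: datetime) -> list:
    """Run one polling interval; returns devices collected and updates ckpt in place."""
    if ckpt.done:
        return []
    if ckpt.last_inventory_pull and now - ckpt.last_inventory_pull < MIN_INVENTORY_GAP:
        return []  # too soon since the last inventory pull; wait for a later interval
    collected = []
    for _ in range(MAX_PAGES_PER_INTERVAL):
        page = fetch_devices_page(inventory, ckpt.offset, PAGE_SIZE)
        collected.extend(page)
        ckpt.offset += len(page)  # progress saved so the next interval resumes here
        if len(page) < PAGE_SIZE:  # short or empty page means the inventory is exhausted
            ckpt.done = True
            break
    ckpt.last_inventory_pull = now
    return collected
```

With a 45,000-device inventory, the first interval yields 20,000 devices, intervals inside the 5-minute window yield nothing, and the remainder arrives over the next two eligible pulls.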
Verify data ingestion¶
After waiting the appropriate interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:
Search
sourcetype="pan:iot*"
JSON-formatted logs should appear. If nothing shows up, wait a little longer, ensure there is activity in Device Security to generate logs, and consult the Troubleshooting Guide.