Integrate IoT Security with SIEM
Integrate IoT Security with a SIEM through Cortex XSOAR to send the SIEM device details, security alerts, and device vulnerabilities.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of the following Cortex XSOAR setups: a full-featured Cortex XSOAR server, or an IoT Security third-party integration add-on license with its cohosted Cortex XSOAR instance |
Palo Alto Networks IoT Security supports security information and event management (SIEM) logging, which lets you send information about discovered devices, security alerts, and device vulnerabilities to your SIEM server for further action. IoT Security integrates through Cortex XSOAR with any SIEM that accepts the Common Event Format (CEF).
After the setup is complete, you initiate an initial export of the entire device inventory from IoT Security through XSOAR to the SIEM server. After that, XSOAR requests incremental updates from IoT Security at 15-minute intervals by default. On each request, IoT Security determines whether any devices, alerts, or vulnerabilities were newly discovered, or whether any attribute fields of previously discovered devices changed, since the previous update and, if so, responds with a delta that XSOAR forwards to the SIEM; unchanged devices are not resent. XSOAR and IoT Security apply the same delta logic to security alerts and vulnerabilities. In addition to these periodic automated updates, you can initiate commands in the IoT Security portal to send security alerts and device vulnerabilities to the SIEM on demand.
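The two mechanics above, the CEF encoding that the SIEM must accept and the "send only what changed since the last poll" delta step, are illustrated in the following added example. It is not Palo Alto Networks or Cortex XSOAR code: the vendor and product strings, the signature IDs, the extension keys, and the two inventory snapshots are constructed for illustration, and the real IoT Security CEF schema is not shown on this page. What it does show is the part a practitioner has to get right on the SIEM side: CEF escapes `|` and `\` in the header but `=`, `\`, CR and LF in the extension, so a naive split on `|` or `=` mis-parses records whose device names contain those characters.

```python
"""Added example (not Palo Alto Networks or Cortex XSOAR code): a minimal CEF
encoder/decoder plus the delta-sync step described on the page. Vendor/product
strings, signature IDs, extension keys and the inventory snapshots are
constructed for illustration; the real IoT Security CEF schema is not on the page."""
from typing import Dict, List

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Header fields escape '|' and '\'; extension values escape '=', '\', CR and LF.
_HEADER_ESC = {"\\": "\\\\", "|": "\\|"}
_EXT_ESC = {"\\": "\\\\", "=": "\\=", "\r": "\\r", "\n": "\\n"}
VENDOR, PRODUCT, DEV_VERSION = "ExampleVendor", "IoT Inventory", "1.0"  # constructed


def _escape(value: str, table: Dict[str, str]) -> str:
    # Backslash is replaced first so the escapes it introduces are not escaped again.
    for raw, esc in table.items():
        value = value.replace(raw, esc)
    return value


def cef_encode(sig_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    header = "|".join(_escape(str(f), _HEADER_ESC)
                      for f in (VENDOR, PRODUCT, DEV_VERSION, sig_id, name, severity))
    extension = " ".join(f"{k}={_escape(str(v), _EXT_ESC)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def _split_header(text: str) -> List[str]:
    """Split on unescaped '|' into the 7 header fields; the remainder is the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if len(parts) == 7:
            return parts + [text[i:]]
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    parts.append("".join(buf))
    return parts


def _unescape_ext(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1])); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; values may contain spaces, so keys are located by unescaped '='."""
    keys, i = [], 0  # (key_start, position_of_equals)
    while i < len(ext):
        if ext[i] == "\\":
            i += 2
            continue
        if ext[i] == "=":
            keys.append((ext.rfind(" ", 0, i) + 1, i))
        i += 1
    fields = {}
    for n, (start, eq) in enumerate(keys):
        end = keys[n + 1][0] - 1 if n + 1 < len(keys) else len(ext)
        fields[ext[start:eq]] = _unescape_ext(ext[eq + 1:end])
    return fields


def cef_decode(line: str) -> Dict[str, object]:
    """Parse one CEF record; raises ValueError on anything a SIEM would reject."""
    if not line.startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    parts = _split_header(line[4:])
    if len(parts) != 8:
        raise ValueError("expected 7 header fields and an extension")
    version, vendor, product, dev_ver, sig_id, name, severity, ext = parts
    if version != "0":
        raise ValueError(f"unsupported CEF version {version!r}")
    return {"vendor": vendor, "product": product, "device_version": dev_ver,
            "signature_id": sig_id, "name": name,
            "severity": int(severity) if severity.isdigit() else severity,
            "extension": _parse_extension(ext)}


def inventory_delta(previous: Dict[str, Dict[str, str]],
                    current: Dict[str, Dict[str, str]]) -> List[str]:
    """One CEF record per newly discovered device or per device whose attributes
    changed since the previous poll; unchanged devices produce nothing."""
    events = []
    for dev_id, attrs in current.items():
        old = previous.get(dev_id)
        if old is None:
            events.append(cef_encode("DEVICE_NEW", "New device discovered", 3,
                                     {"deviceExternalId": dev_id, **attrs}))
        elif old != attrs:
            changed = {k: v for k, v in attrs.items() if old.get(k) != v}
            events.append(cef_encode("DEVICE_CHANGED", "Device attributes changed", 3,
                                     {"deviceExternalId": dev_id, **changed}))
    return events


# Constructed inventory snapshots keyed by MAC address, taken 15 minutes apart.
SNAPSHOT_T0 = {
    "00:11:22:33:44:55": {"dvc": "10.1.2.3", "dvchost": "cam-lobby", "cat": "IP Camera"},
    "66:77:88:99:aa:bb": {"dvc": "10.1.2.4", "dvchost": "pump-01", "cat": "Infusion Pump"},
}
SNAPSHOT_T15 = {
    "00:11:22:33:44:55": {"dvc": "10.1.2.3", "dvchost": "cam-lobby", "cat": "IP Camera"},
    "66:77:88:99:aa:bb": {"dvc": "10.1.2.44", "dvchost": "pump-01", "cat": "Infusion Pump"},
    "cc:dd:ee:ff:00:11": {"dvc": "10.1.2.5", "dvchost": "hvac=ctrl|1", "cat": "HVAC"},
}

if __name__ == "__main__":
    for record in inventory_delta(SNAPSHOT_T0, SNAPSHOT_T15):
        print(record)
        print("  ->", cef_decode(record)["extension"])
```

Running the block emits two records for the second poll, one DEVICE_CHANGED record carrying only the pump's new IP address and one DEVICE_NEW record for the HVAC controller; the camera, whose attributes did not change, is not resent. Decoding the HVAC record recovers `hvac=ctrl|1` intact because the parser honours the escapes instead of splitting on delimiters.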
Integrating with SIEM requires either a full-featured Cortex XSOAR server
or the purchase and activation of an IoT Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic
plan includes a license for three integration add-ons, one of which can be used for
SIEM. The advanced plan includes a license for all supported third-party
integrations.