>
    Strata Copilot
    Set up SIEM for Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Integration Guide
    4. Security Information and Event Management
    5. Set up SIEM for Integration
    Download PDF
    Device Security

    Set up SIEM for Integration

    Table of Contents

    Set up SIEM for Integration

    Set up the SIEM server for integration with Device Security through Device Security.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
    • Device Security X subscription
    One of the following Cortex XSOAR setups:
    • A free, cohosted, limited-featured Cortex XSOAR instance
      AND
      A free Cortex XSOAR Engine (on-premises integration)
    • A full-featured Cortex XSOAR server
    1. Configure the SIEM server to accept the following device attributes from Device Security.
      The field names in the first three rows are predefined, standard names. The field names in the remaining rows must be defined for Device Security device attributes.
      Device Attribute (Device Security)SIEM Field Name
      1IP Addressdvc
      2MAC Addressdvcmac
      3Hostnamedvchost
      4Profilecs1Label=Profile
      5Categorycs2Label=Category
      6Profile Typecs3Label=Profile
      7Vendorcs4Label=Vendor
      8Modelcs5Label=Model
      9VLAN IDcs6Label=Vlan
      10Sitecs7Label=Site
      11Risk Scorecs8Label=RiskScore
      12Risk Levelcs9Label=RiskLevel
      13Subnetcs10Label=Subnet
      14Number of Critical Alertscs11Label=NumCriticalAlerts
      15Number of Warning Alertscs12Label=NumWarningAlerts
      16Number of Caution Alertscs13Label=NumCautionAlerts
      17Number of Info Alertscs14Label=NumInfoAlerts
      18First Seen Datecs15Label=FirstSeenDate
      19Confidence Scorecs16Label=ConfidenceScore
      20OS Groupcs17Label=OsGroup
      21OS/Firmware Versioncs18Label=OsFirmwareVersion
      22OS Supportcs19Label=OsSupport
      23OS End of Supportcs20Label=OsEndOfSupport
      24Serial Numbercs21Label=SerialNumber
      25Endpoint Protectioncs22Label=EndpointProtection
      26Network Locationcs23Label=NetworkLocation
      27AETcs24Label=AET
      28DHCPcs25Label=DHCP
      29Wired or Wirelesscs26Label=WireOfWireless
      30SMBcs27Label=SMB
      31Switch Portcs28Label=SwitchPort
      32Switch Namecs29Label=SwitchName
      33Switch IP Addresscs30Label=SwitchIp
      34Servicescs31Label=Services
      35Servercs32Label=IsServer
      36NAC Profilecs33Label=NAC_Profile
      37NAC Profile Sourcecs34Label=NAC_ProfileSource
      38Access Point IP Addresscs35Label=AccessPointIp
      39Access Point Namecs36Label=AccessPointName
      40SSIDcs37Label=SSID
      41Authentication Methodcs38Label=AuthMethod
      42Encryption Ciphercs39Label=EncryptionCipher
      43AD Usernamecs40Label=AD_Username
      44AD Domaincs41Label=AD_Domain
      45Applicationscs42Label=Applications
      46Tagscs43Label=Tags
      47OS Combinedcs44Label=os_combined
      Device Security supplies Cortex XSOAR with device attributes, and XSOAR converts them into Common Event Format (CEF) before sending them to the SIEM server.
      Example of the device attributes for an Apple iPad in CEF:
      "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|asset|Asset Identification|1|dvc=10.1.1.39 dvcmac=cc:d2:81:33:bd:6a dvchost=iPad cs1Label=Profile cs1=iPad cs2Label=Category cs2=Smartphone or Tablet cs3Label=Type cs3=Non_IoT cs4Label=Vendor cs4=Apple Inc. cs5Label=Model cs5=iPad11,1 cs6Label=Vlan cs6=330 cs7Label=Site cs7=test-1117-04 cs8Label=RiskScore cs8=20 cs9Label=RiskLevel cs9=Low cs10Label=Subnet cs10=10.1.1.0/24 cs15Label=FirstSeenDate cs15=2020-04-07T22:04:20.000Z cs16Label=ConfidenceScore cs16=95 cs17Label=OsGroup cs17=iOS cs22Label=EndpointProtection cs22=not_protected cs25Label=DHCP cs25=Yes cs26Label=WireOrWireless cs26=wireless cs42Label=Applications cs42=Zoom,iCloud,iTunes cs44Label=os_combined cs44=iOS"
      Example of an alert about an outdated version of Chrome:
      "CEF:0|PaloAltoNetworks|PANWIOT|1.0|PaloAltoNetworks Alert:policy_alert|Outdated Chrome version used by IoT device|2|dvcmac=14:91:38:b5:22:18 src=10.1.20.14 shost=unknown dhost=UNKNOWN URL fileId=0oakC30 fileType=alert rt=2020-12-30T23:07:24.000Z deviceCustomDate1=1609369890526 cs1Label=Description cs1=The usage of an outdated Chrome version has been detected on this device. Using older versions of a web browser can expose your device to security risks. cs2Label=Values cs2=[{'label': 'user agent', 'value': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36'}]"
      Example of a vulnerability test:
      "INFO:siem-syslog:CEF:0|PaloAltoNetworks|PANWIOT|1.0|vulnerability|Vulnerability Test - Medium|1|dvc=10.1.3.54 dvcmac=64:16:7f:4c:d1:53 dvchost=Polycom_64167f4cd153 cs1Label=Profile cs1=Polycom Video Conferencing Device cs2Label=Category cs2=Video Audio Conference cs3Label=Profile cs3=Office cs4Label=Vendor cs4=Polycom cs5Label=Model cs5=Trio8800 cs8Label=RiskScore cs8=26 cs9Label=RiskLevel cs9=Low cs11Label=vulnerabilityName cs11=Vulnerability Test - Medium cs12Label=DetectionDate cs12=2020-12-23T23:59:59.000Z cs17Label=OsGroup cs17=Embedded cs19Label=OsSupport cs19=Embedded"
    2. Note the IP address of the SIEM server and the port number on which it listens for syslog messages.
      You will need this information when configuring the SIEM instance in Cortex XSOAR.

    © 2026 Palo Alto Networks, Inc. All rights reserved.