Security incident observable enrichment

When certain applications and integrations are set up, including Threat Intelligence and the Palo Alto Networks Firewall integration, the observable information in a security incident can be automatically enriched with threat log data whenever the Source IP of one of its observables is modified.

When such a modification occurs, a business rule initiates a workflow that retrieves data from the threat logs on your firewall and enriches the observable information in the security incident.

Before observables can be enriched, the following steps must be performed.

After that setup has been completed, changing the Source IP of an observable associated with a security incident causes a business rule to execute the Security Operations Palo Alto Networks - Get Log Data workflow. The workflow activities queue a search query on the firewall, which returns a Job ID; the Job ID is then used to retrieve the threat log data from the firewall and attach it as an XML file to the security incident.
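The two-step exchange described above (queue a threat-log query, receive a Job ID, then fetch the results for that job), worked through as an added example. This is not ServiceNow or Palo Alto Networks code and it does not run against a firewall: the `StubFirewall` class stands in for the HTTPS transport and returns constructed XML that mimics the shape of PAN-OS XML API log responses (`type=log&log-type=threat&query=...` returning a `<job>` element, and `type=log&action=get&job-id=...` returning a job `<status>` plus `<entry>` records). The element names and the `(addr.src in ...)` filter syntax are assumptions drawn from that API; verify them against your PAN-OS version. The source IP is validated as an IP literal before it is interpolated into the filter, so a modified Source IP field cannot smuggle extra filter operators into the query sent to the firewall.

```python
"""Simulated PAN-OS XML API threat-log retrieval for observable enrichment.

Added example, not ServiceNow or Palo Alto Networks code. Assumed API shape:
  type=log&log-type=threat&query=<filter>   -> <response><result><job>ID</job>...
  type=log&action=get&job-id=<ID>           -> <response><result><job><status>FIN</status></job>
                                                 <log><logs><entry>...</entry></logs></log>...
"""
import ipaddress
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real firewall).
QUEUE_RESPONSE = (
    '<response status="success"><result>'
    '<msg><line>query job enqueued with jobid 42</line></msg><job>42</job>'
    '</result></response>'
)
PENDING_RESPONSE = (
    '<response status="success"><result>'
    '<job><status>ACT</status><id>42</id></job>'
    '<log><logs count="0" progress="50"/></log>'
    '</result></response>'
)
DONE_RESPONSE = (
    '<response status="success"><result>'
    '<job><status>FIN</status><id>42</id></job>'
    '<log><logs count="2" progress="100">'
    '<entry logid="1"><receive_time>2023/05/01 10:00:00</receive_time>'
    '<src>10.1.1.5</src><dst>203.0.113.9</dst>'
    '<threatid>Example Threat(12345)</threatid><severity>high</severity>'
    '<action>alert</action></entry>'
    '<entry logid="2"><receive_time>2023/05/01 10:02:00</receive_time>'
    '<src>10.1.1.5</src><dst>198.51.100.7</dst>'
    '<threatid>Example Threat(67890)</threatid><severity>medium</severity>'
    '<action>drop</action></entry>'
    '</logs></log></result></response>'
)


class StubFirewall:
    """Stand-in for the HTTPS client; answers the two request kinds with canned XML."""

    def __init__(self):
        self.polls = 0          # how many times the job was polled
        self.requests = []      # every parameter set sent, for inspection

    def get(self, params):
        self.requests.append(dict(params))
        if params.get("type") == "log" and "log-type" in params:
            return QUEUE_RESPONSE
        if params.get("type") == "log" and params.get("action") == "get":
            self.polls += 1
            # First poll: job still running; second poll: finished.
            return PENDING_RESPONSE if self.polls < 2 else DONE_RESPONSE
        raise ValueError("unexpected request: %r" % params)


def build_threat_query(source_ip, nlogs=50):
    """Build the query parameters; rejects anything that is not a bare IP literal."""
    ip = ipaddress.ip_address(source_ip)   # raises ValueError on e.g. injected filter text
    return {"type": "log", "log-type": "threat", "nlogs": str(nlogs),
            "query": "(addr.src in %s)" % ip}


def api_url(host, params):
    """URL the request would be sent to. The API key is deliberately not part of
    this string so it never ends up in workflow logs."""
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))


def queue_search(fw, source_ip):
    """Step 1: queue the threat-log search and return the Job ID."""
    root = ET.fromstring(fw.get(build_threat_query(source_ip)))
    if root.get("status") != "success":
        raise RuntimeError("firewall rejected the query")
    job_id = root.findtext("./result/job")
    if not job_id:
        raise RuntimeError("no job ID in response")
    return job_id


def fetch_job(fw, job_id, max_polls=10):
    """Step 2: poll the job until its status is FIN, then return the parsed XML."""
    for _ in range(max_polls):
        root = ET.fromstring(fw.get({"type": "log", "action": "get", "job-id": job_id}))
        if root.findtext("./result/job/status") == "FIN":
            return root
    raise TimeoutError("job %s did not finish after %d polls" % (job_id, max_polls))


def parse_entries(root):
    """Extract the fields an analyst wants on the observable from each log entry."""
    fields = ("receive_time", "src", "dst", "threatid", "severity", "action")
    return [{f: e.findtext(f) for f in fields}
            for e in root.iterfind("./result/log/logs/entry")]


def enrich_observable(fw, source_ip):
    """Full flow: queue, poll, parse, and keep the raw XML for attachment."""
    job_id = queue_search(fw, source_ip)
    root = fetch_job(fw, job_id)
    return {"job_id": job_id,
            "threat_logs": parse_entries(root),
            "attachment_xml": ET.tostring(root, encoding="unicode")}


if __name__ == "__main__":
    result = enrich_observable(StubFirewall(), "10.1.1.5")
    print(result["job_id"], len(result["threat_logs"]), "threat log entries")
```

In a real deployment the `StubFirewall.get` call is an HTTPS GET to the firewall's `/api/` endpoint with the API key added as a parameter, and the `attachment_xml` string is what gets attached to the security incident; the polling loop matters because the `action=get` call can return the job before its status reaches `FIN`, and treating a partial result as final would attach an incomplete log set.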