
Get Log Data workflow

If Security Incident Response, Threat Intelligence, and Palo Alto Networks - Firewall are activated, the Security Operations Palo Alto Networks - Get Log Data workflow automatically executes when the Source IP for observables in a security incident is changed.

Before you begin

Role required: sn_si.analyst

About this task

During workflow execution, firewall configuration information is retrieved from the database and the API Key is retrieved from the firewall. The Get Log activity queues up a search query on the firewall. When the query runs, it returns a Job ID that is used to retrieve threat log data from the firewall. The workflow attaches the log data as an XML file to the security incident.
Figure 1. Security Operations Palo Alto Networks - Get Log Data workflow

Procedure

  1. Navigate to a security incident that contains observables.
  2. Click the Security Incident Observables tab.
  3. In Source IP, add or modify the IP address.
  4. Click Update.
    The Security Operations Palo Alto Networks - Get Log Data workflow executes and enriched threat log data is attached to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.
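
The queue-then-fetch exchange described under About this task, as an added example that is not ServiceNow's workflow code. It assumes the PAN-OS XML API log-retrieval requests (`type=log`), uses constructed sample responses, and its function names are hypothetical; the Source IP is validated before it is placed in the log filter.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample replies, shaped like PAN-OS XML API responses (assumed format).
ENQUEUE_REPLY = """<response status="success" code="19"><result>
<msg><line>query job enqueued with jobid 42</line></msg><job>42</job>
</result></response>"""
LOG_REPLY = """<response status="success"><result>
<job><id>42</id><status>FIN</status></job>
<log><logs count="2" progress="100">
<entry logid="1001"><src>10.1.1.5</src><dst>203.0.113.9</dst>
<threatid>Constructed Threat A(30001)</threatid><severity>high</severity><action>reset-both</action></entry>
<entry logid="1002"><src>10.1.1.5</src><dst>198.51.100.7</dst>
<threatid>Constructed Threat B(30002)</threatid><severity>medium</severity><action>alert</action></entry>
</logs></log></result></response>"""
FIELDS = ("src", "dst", "threatid", "severity", "action")

def build_query_params(source_ip):
    """Step 1: parameters that queue a threat-log search for one source IP."""
    # Parsing the observable as an IP rejects anything that could alter the filter.
    ip = str(ipaddress.ip_address(source_ip))
    return {"type": "log", "log-type": "threat", "query": f"( addr.src in {ip} )"}

def build_fetch_params(job_id):
    """Step 2: parameters that retrieve the results of a queued job."""
    return {"type": "log", "action": "get", "job-id": job_id}

def _checked_root(xml_text):
    # Firewall replies are treated as trusted here; use a hardened parser otherwise.
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("firewall returned an error response")
    return root

def parse_job_id(xml_text):
    """Extract the Job ID from the reply to the queued search."""
    job = (_checked_root(xml_text).findtext("result/job") or "").strip()
    if not job.isdigit():
        raise ValueError("no numeric job id in response")
    return job

def parse_threat_logs(xml_text):
    """Return threat-log entries as dicts, or None while the job is still running."""
    root = _checked_root(xml_text)
    if root.findtext("result/job/status") != "FIN":
        return None  # not finished: poll again with the same job id
    entries = root.iterfind("result/log/logs/entry")
    return [{f: e.findtext(f) for f in FIELDS} for e in entries]
```
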