Get Log Data workflow

If Security Incident Response, Threat Intelligence, and Palo Alto Networks - Firewall are activated, the Security Operations Palo Alto Networks - Get Log Data workflow automatically executes when the Source IP for observables in a security incident is changed.

Before you begin

Role required: sn_si.analyst

About this task

During workflow execution, firewall configuration information is retrieved from the database and the API Key is retrieved from the firewall. The Get Log activity queues up a search query on the firewall. When the query runs, it returns a Job ID that is used to retrieve threat log data from the firewall. The workflow attaches the log data as an XML file to the security incident.

Figure 1. Security Operations Palo Alto Networks - Get Log Data workflow

Procedure

1. Navigate to a security incident that contains observables.
2. Click the Security Incident Observables tab.
3. In Source IP, add or modify the IP address.
4. Click Update.

The Security Operations Palo Alto Networks - Get Log Data workflow executes and enriched threat log data is attached to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.

Create Enrichment Data records activity
This workflow activity stores workflow output data in a table.

Palo Alto Firewall: Get API Key activity
This activity retrieves the API key from the firewall.

Palo Alto Firewall: Get Firewall Config activity
The Palo Alto Firewall: Get Firewall Config workflow activity gets all the related firewall configuration information from the database, and makes it available for use by the subsequent activity.

Palo Alto Firewall: Get Log activity
The Palo Alto Firewall: Get Log workflow activity schedules a query on the firewall to retrieve logs and returns a JobID used to retrieve the log data.

Palo Alto Firewall: Job Data Action activity
After the Palo Alto Firewall: Get Log activity queues the search query to the firewall and the job runs, the Palo Alto Firewall: Job Data Action activity retrieves the threat log data from the firewall.

Write content to record as attachment activity
This activity writes the content passed in from an input and creates a designated attachment to a given record.
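
The queue-then-fetch exchange that the Get Log and Job Data Action activities describe, as an added Python example (not ServiceNow or Palo Alto Networks code). It assumes the PAN-OS XML API log interface (type=log, log-type=threat, action=get, job-id) and runs against constructed sample replies; the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample responses, shaped like PAN-OS XML API log replies (not real firewall output).
SAMPLE_ENQUEUE = ('<response status="success" code="19"><result>'
                  '<msg><line>query job enqueued with jobid 18</line></msg>'
                  '<job>18</job></result></response>')
SAMPLE_RESULT = ('<response status="success"><result>'
                 '<job><status>FIN</status><id>18</id></job>'
                 '<log><logs count="1" progress="100"><entry logid="1">'
                 '<src>10.0.0.5</src><dst>192.0.2.10</dst><type>THREAT</type>'
                 '<severity>high</severity><action>alert</action>'
                 '</entry></logs></log></result></response>')

def threat_log_query_params(source_ip):
    """Parameters that queue a threat-log search for one observable's source IP."""
    # Parse first: anything that is not a literal IP address raises ValueError,
    # so observable text can never add clauses to the firewall log filter.
    ip = ipaddress.ip_address(source_ip.strip())
    return {"type": "log", "log-type": "threat", "query": f"( addr.src in {str(ip)} )"}

def parse_job_id(enqueue_xml):
    """Return the job ID from the reply to the queued query."""
    root = ET.fromstring(enqueue_xml)
    job = (root.findtext("./result/job") or "").strip()
    if root.get("status") != "success" or not job.isdigit():
        raise RuntimeError("log query was not queued")
    return job

def job_fetch_params(job_id):
    """Parameters that fetch the results of a queued job."""
    return {"type": "log", "action": "get", "job-id": job_id}

def parse_job_result(result_xml, expected_job):
    """Return log entries as dicts, or None while the job is still running."""
    root = ET.fromstring(result_xml)
    if root.get("status") != "success":
        raise RuntimeError("job lookup failed")
    if root.findtext("./result/job/id") != expected_job:
        raise RuntimeError("reply is for a different job")
    if root.findtext("./result/job/status") != "FIN":
        return None  # not finished yet: poll again later
    return [{f.tag: (f.text or "") for f in entry}
            for entry in root.iterfind("./result/log/logs/entry")]

if __name__ == "__main__":
    job = parse_job_id(SAMPLE_ENQUEUE)
    for row in parse_job_result(SAMPLE_RESULT, job):
        print(job, row["src"], row["dst"], row["severity"], row["action"])
```

The API key is deliberately kept out of the parameter dictionaries so that it is supplied separately at request time and does not end up in logged query strings.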