IoT Security is supported starting with App/Add-on 6.6.0.
IoT Security is cloud-hosted, so Splunk retrieves its logs by polling the IoT Security logging API rather than receiving them from a firewall. Logs are pulled down in JSON format and indexed with sourcetype="pan:iot_device" and sourcetype="pan:iot_alert"; the add-on maps these to the eventtypes pan_iot_device and pan_iot_alert respectively.
Create API Key in IoT Security
Use the instructions in the IoT Security Administrator's Guide to obtain API access:
This produces a Key ID and a Key. The Key is shown only once, so record it somewhere safe (it is a secret credential and should be handled like a password) or you will have to create a new Key.
Create IoT Security Input and add Key to Splunk
In Splunk, navigate to the Palo Alto Networks Add-on.
Within the Add-on, click the Input tab at the top left. Then click Create New Input and select IoT Security.
In the dialog window, enter the following:
| Field | Value |
|---|---|
| Name | Any friendly name (e.g. "iot_security") |
| Interval | How often, in seconds, to poll for new logs (60 seconds recommended) |
| Index | The index in which to store the IoT Security logs |
| Customer ID | The first label of the hostname you use to reach IoT Security (e.g. for https://customer-id.iot.paloaltonetworks.com the Customer ID is customer-id) |
| Access Key ID | The Key ID created above |
| Secret Access Key | The Key created above |
Then click Add to save the modular input.
After waiting at least one interval, confirm that logs are arriving in Splunk by clicking Search at the top and entering this search:
You should see JSON-formatted events. If nothing appears, wait a little longer, confirm that IoT Security has actually generated new device or alert records during the interval (the input only pulls what the API returns), and consult the Troubleshooting Guide.
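To make the behaviour of the modular input concrete, and to give you a way to test a Key ID and Key outside Splunk, here is a stand-alone poller that does the same job: authenticate with the Key ID and Key, pull device and alert records newer than a saved checkpoint every interval, and emit them as JSON events tagged with the two sourcetypes above. This is example code added for this page, not the add-on's own input. The API base URL, the X-Key-Id / X-Access-Key header names, the stime query parameter, the items/devices response keys and the timestamp field name are assumptions to verify against the IoT Security API reference; the environment variable names and the sample records are this example's own.

```python
"""Stand-alone poller mirroring the add-on's IoT Security modular input.
Example code for illustration, not the add-on's own implementation."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Sourcetypes the add-on assigns to the two record kinds (stated on the page).
SOURCETYPES = {"device": "pan:iot_device", "alert": "pan:iot_alert"}

# ASSUMPTIONS (not from the page; verify against the IoT Security API reference):
# API served under https://<customer-id>.iot.paloaltonetworks.com/pub/v4.0/,
# credentials sent in the X-Key-Id and X-Access-Key headers, list endpoints
# accept an "stime" lower bound, and every record carries an ISO-8601 UTC
# timestamp in the field named below.
API_VERSION = "v4.0"
TIMESTAMP_FIELD = "timestamp"
EPOCH = "1970-01-01T00:00:00Z"

Fetcher = Callable[[str, str], List[dict]]  # (resource, since) -> records


def http_fetcher(customer_id: str, key_id: str, access_key: str, timeout: int = 30) -> Fetcher:
    """Build a fetcher for the (assumed) logging API. The secret Key travels only
    in a request header, never in the URL, so it cannot leak into proxy logs."""
    base = f"https://{customer_id}.iot.paloaltonetworks.com/pub/{API_VERSION}"
    headers = {"X-Key-Id": key_id, "X-Access-Key": access_key, "Accept": "application/json"}

    def fetch(resource: str, since: str) -> List[dict]:
        query = urllib.parse.urlencode({"customerid": customer_id, "stime": since})
        req = urllib.request.Request(f"{base}/{resource}/list?{query}", headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
        # Assumed response shape: the list sits under "items" (alerts) or "devices".
        return body.get("items") or body.get("devices") or []

    return fetch


def poll_once(fetch: Fetcher, checkpoint: Dict[str, str], index: str) -> List[dict]:
    """One polling cycle. Records at or before the stored checkpoint (or with no
    timestamp) are dropped, so a server that re-sends the boundary record does not
    create duplicates in Splunk; the checkpoint advances after the batch is built."""
    events = []
    for resource, sourcetype in SOURCETYPES.items():
        since = checkpoint.get(resource, EPOCH)
        newest = since
        for record in fetch(resource, since):
            ts = record.get(TIMESTAMP_FIELD, "")
            if ts <= since:  # same-format ISO-8601 UTC strings compare lexically
                continue
            events.append({"index": index, "sourcetype": sourcetype, "event": record})
            newest = max(newest, ts)
        checkpoint[resource] = newest
    return events


def load_checkpoint(path: str) -> Dict[str, str]:
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_checkpoint(path: str, checkpoint: Dict[str, str]) -> None:
    tmp = path + ".tmp"  # write-then-rename: a crash mid-write cannot corrupt the file
    with open(tmp, "w") as f:
        json.dump(checkpoint, f)
    os.replace(tmp, path)


def run(fetch: Fetcher, index: str, interval: int, checkpoint_path: str) -> None:
    """Poll forever at the configured interval, printing one JSON event per line."""
    checkpoint = load_checkpoint(checkpoint_path)
    while True:
        for event in poll_once(fetch, checkpoint, index):
            print(json.dumps(event), flush=True)
        save_checkpoint(checkpoint_path, checkpoint)
        time.sleep(interval)


# Constructed sample records (not real IoT Security output) for an offline dry run.
SAMPLE_RECORDS = {
    "device": [{"timestamp": "2024-05-01T09:00:00Z", "deviceid": "00:11:22:33:44:55", "profile": "IP Camera"}],
    "alert": [
        {"timestamp": "2024-05-01T10:00:00Z", "name": "Unsecured SMB traffic", "severity": "medium"},
        {"timestamp": "2024-05-01T10:05:00Z", "name": "New device on network", "severity": "low"},
    ],
}


def sample_fetcher(resource: str, since: str) -> List[dict]:
    """Fake API that ignores `since` and returns everything, like a server that
    re-sends the boundary record; poll_once has to deduplicate it."""
    return SAMPLE_RECORDS[resource]


def demo() -> tuple:
    """Two consecutive polls against the fake API: (first_batch, second_batch, checkpoint)."""
    checkpoint: Dict[str, str] = {}
    first = poll_once(sample_fetcher, checkpoint, "iot")
    second = poll_once(sample_fetcher, checkpoint, "iot")
    return first, second, checkpoint


if __name__ == "__main__":
    # Variable names are this example's own; the Key is read from the environment
    # so it never appears on a command line or in shell history.
    cfg = {k: os.environ.get(k) for k in ("IOT_CUSTOMER_ID", "IOT_KEY_ID", "IOT_ACCESS_KEY")}
    if not all(cfg.values()):
        first, second, checkpoint = demo()  # offline dry run against the sample records
        print(json.dumps({"first_poll": len(first), "second_poll": len(second), "checkpoint": checkpoint}))
        sys.exit(0)
    run(http_fetcher(cfg["IOT_CUSTOMER_ID"], cfg["IOT_KEY_ID"], cfg["IOT_ACCESS_KEY"]),
        os.environ.get("IOT_INDEX", "main"), int(os.environ.get("IOT_INTERVAL", "60")),
        os.environ.get("IOT_CHECKPOINT", "iot_checkpoint.json"))
```

Run it with no environment variables to see the dry run: the first poll yields three events and the second yields none, because every sample record is now at or before the checkpoint. With the variables set it polls the live API; the checkpoint file plays the role the add-on's own checkpointing does, so restarting the poller does not re-index records already sent. If the live call fails with an authentication error, the Key ID or Key is wrong, which is the first thing to rule out before digging into the Splunk input itself.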