Palo Alto XSIAM

Palo Alto XSIAM (Extended Security Intelligence and Automation Management) is an AI-driven security operations platform that unifies SIEM, XDR, and SOAR capabilities for comprehensive threat detection and response. This document provides step-by-step instructions for configuring Observo AI's Palo Alto XSIAM destination to ingest logs using the Splunk-compatible HEC (HTTP Event Collector) ingestion protocol. The integration enables secure, efficient delivery of security telemetry from Observo AI pipelines to XSIAM for advanced threat hunting and automated incident response.

Purpose

The Observo AI Palo Alto XSIAM destination allows organizations to forward security events, network telemetry, and operational logs to Palo Alto's XSIAM platform for intelligent security analytics and automated response workflows. This integration combines XSIAM's AI-powered threat detection capabilities with Observo AI's data optimization to maximize security visibility while controlling ingestion volumes and costs.

Prerequisites

Before configuring the Palo Alto XSIAM destination in Observo AI, ensure the following requirements are met to enable seamless data ingestion:

  • Palo Alto XSIAM Instance:

    • Active XSIAM tenant with appropriate access credentials

    • Administrative permissions to configure data ingestion

    • Configured tenant and region information

  • HEC Token:

    • Valid HTTP Event Collector token generated within XSIAM

    • Token must have appropriate permissions for log ingestion

    • Securely stored and managed credentials

  • Network Connectivity:

    • Outbound HTTPS access from Observo AI to XSIAM endpoint

    • Firewall rules permitting traffic on port 443

    • Proper DNS resolution for XSIAM API endpoints

Prerequisite         | Description                             | Notes
---------------------|-----------------------------------------|---------------------------------------------------------------
XSIAM Instance       | Active Palo Alto XSIAM tenant           | Verify tenant URL and region configuration
HEC Token            | Authentication token for data ingestion | Store securely using secrets management
Network Connectivity | HTTPS access to XSIAM endpoints         | Confirm connectivity to api-tenant.region.paloaltonetworks.com

Integration

The Integration section details default configurations for the Palo Alto XSIAM destination. For advanced customization options, refer to the Configuration Parameters section in the Palo Alto XSIAM documentation.

To configure Palo Alto XSIAM as a destination in Observo AI, follow these steps:

1. Log in to Observo AI

  • Access the Destinations section from the main navigation

  • Click Add Destinations and select Create New

  • Select Palo Alto XSIAM from the available destination types to begin setup

2. General Settings

Configure the primary connection parameters:

  • Name: Assign a descriptive, unique identifier for this destination

    • Examples: xsiam-production-logs, palo-alto-security-events, xsiam-network-telemetry

  • Description (Optional): Document the destination's purpose and data scope

    • Example: "Production security telemetry to XSIAM for threat detection and automated response"

  • Endpoint: The base URL of your Palo Alto XSIAM tenant

    • Must include the protocol scheme (https)

    • No path components should be included

    • Format: https://api-{tenant}.{region}.paloaltonetworks.com

    • Examples: https://api-tenant.region.paloaltonetworks.com, https://hec.splunk.com:8088, https://example.com

  • Default Token: HEC authentication token from XSIAM

    • Generated through XSIAM Settings → Data Ingestion → HEC Tokens

    • Use environment variables or secure vaults in production

    • Examples: ${XSIAM_HEC_TOKEN}, B7C9E2A1D4F6H8J3K5L7

  • Host Key (Optional): Field name containing the source hostname

    • Default: host

    • Override for custom field mappings

    • Examples: source_host, device_name, endpoint_id

  • Index (Optional): Target index for log storage in XSIAM

    • Common indexes: xsiam_logs, security_events, threat_intel

    • Can use dynamic values from event fields

    • Examples: {{ host }}, xsiam_logs, security_events

  • Timestamp Key (Optional): Field name containing event timestamp

    • Default: timestamp

    • Set to empty string ("") to disable timestamp extraction

    • Examples: timestamp, @timestamp, event_time, time

  • Timestamp Format: Format specification for timestamp parsing

    • Default: Native Timestamp Parsing

    • Options: Native, Unix seconds, Unix milliseconds, Unix microseconds, Unix nanoseconds, Date Format

    Format                   | Description                        | Example
    -------------------------|------------------------------------|----------------------
    Native Timestamp Parsing | Let XSIAM handle timestamp parsing | Automatic detection
    Unix seconds             | Epoch time in seconds              | 1701360000
    Unix milliseconds        | Epoch time in milliseconds         | 1701360000000
    Unix microseconds        | Epoch time in microseconds         | 1701360000000000
    Unix nanoseconds         | Epoch time in nanoseconds          | 1701360000000000000
    Date Format              | Custom format string               | %Y-%m-%dT%H:%M:%S.%f

  • Preserve timestamp Key in Event: Control timestamp field in payload

    • Default: true

    • When enabled: Timestamp field remains in event data

    • When disabled: Timestamp field is removed from payload after extraction

3. Acknowledgement

Configure delivery guarantees and acknowledgement tracking:

  • Acknowledgements Enabled: Enable end-to-end acknowledgement tracking

    • Default: false

    • When enabled: Sources await confirmation from XSIAM before acknowledging events

    • Recommended: Enable for critical security data requiring guaranteed delivery

  • Acknowledgements Indexer Acknowledgements Enabled: Integrate with XSIAM indexer acknowledgements

    • Default: true

    • Leverages XSIAM's HEC indexer acknowledgement mechanism

    • Provides confirmation of successful indexing

  • Acknowledgements Max Pending Acks: Maximum unacknowledged events

    • No default (unlimited)

    • Once reached, backpressure is applied to upstream sources

    • Recommended: 1000-5000 for production workloads

  • Acknowledgements Query Interval (Seconds): Polling interval for acknowledgement status

    • Default: 10 seconds

    • Controls frequency of status checks to XSIAM

    • Balance between latency and API overhead

  • Acknowledgements Retry Limit: Maximum acknowledgement status queries

    • Default: 30

    • Number of attempts to verify acknowledgement before considering failed

    • Total wait time = query_interval × retry_limit

4. Encoding

Select and configure the data serialization format:

  • Encoding Codec: Choose the format for encoding events

    • Default: Common Event Format (CEF)

    • Available options: JSON, logfmt, Avro, NDJSON, Raw, Text, Parquet, CEF, CSV, Protobuf, GELF

JSON Encoding

Structured JSON format for flexible data representation.

  • Pretty JSON (Boolean, Default: false)

    • Enable: Add indentation and line breaks for readability

    • Disable: Compact format for production efficiency

  • Encoding Metric Tag Values (Default: single)

    • single: Display only the last non-bare tag value

    • full: Display all metric tags as separate assignments

  • Encoding Timestamp Format

    • RFC 3339: ISO 8601 format (2025-11-27T10:30:00Z)

    • Unix: Epoch timestamp in seconds

  • Fields to exclude from serialization (Optional): Array of field names to omit

    • Example: ["message.payload", "internal_metadata"]

logfmt Encoding

Key-value format optimized for log aggregation systems.

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

    • RFC 3339: ISO 8601 format

    • Unix: Epoch timestamp in seconds

  • Fields to exclude from serialization (Optional)

Apache Avro Encoding

Binary format with schema enforcement for data integrity.

  • Avro Schema (Required): JSON schema definition

    • Example:

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

Newline Delimited JSON Encoding

JSON objects separated by newlines for streaming efficiency.

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

No encoding (Raw Message)

Forward data without transformation.

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

Plain text encoding

Text-only format without structure.

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

Parquet

Columnar storage format for analytical queries.

  • Include Raw Log (Boolean, Default: false)

    • When enabled: Includes observo_record field with complete original event

    • Preserves raw data alongside structured schema

  • Parquet Schema (Required): Schema definition in Parquet message format

    • Example:

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

Common Event Format (CEF)

Industry-standard format for security event exchange.

  • CEF Device Event Class ID (Required): Event classification identifier (max 1023 chars)

    • Examples: network-intrusion, malware-detected, data-exfiltration-attempt

  • CEF Device Product (Required): Product generating the events (max 63 chars)

    • Examples: Next-Gen Firewall, Endpoint Protection, Cloud Security Gateway

  • CEF Device Vendor (Required): Vendor name (max 63 chars)

    • Examples: Observo, Security Vendor Inc

  • CEF Device Version (Required): Product version (max 31 chars)

    • Examples: 2.0.0, 3.5.1, 4.0.0-release

  • CEF Extensions (Key-Value Pairs): Additional event attributes

    • Define custom fields for security context

    • Examples: src, dst, spt, dpt, act, outcome, request, cs1Label

  • CEF Name (Required): Human-readable event description (max 512 chars)

    • Example: Attempted lateral movement detected from compromised host

  • CEF Severity (Required): Event severity level (0-10)

    • 0-3: Informational events

    • 4-6: Warning events

    • 7-8: Critical events

    • 9-10: Emergency events

  • CEF Version (Select, Default: V0): CEF specification version

    • V0: CEF specification version 0.1

    • V1: CEF specification version 1.x
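As an added example (not Observo AI's own encoder), the following Python builds a CEF line from the required fields listed above, enforcing the stated length limits and the 0-10 severity range and applying the CEF escaping rules for header fields and extensions; the sample values are constructed.

```python
# Header fields in CEF order, with the maximum lengths stated above.
HEADER_LIMITS = (
    ("device_vendor", 63),
    ("device_product", 63),
    ("device_version", 31),
    ("device_event_class_id", 1023),
    ("name", 512),
)
CEF_VERSIONS = {"V0": "0", "V1": "1"}


def severity_band(severity):
    """Map the 0-10 severity to the bands described above."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    if severity <= 3:
        return "Informational"
    if severity <= 6:
        return "Warning"
    if severity <= 8:
        return "Critical"
    return "Emergency"


def _escape_header(value):
    # In the header, backslash and the pipe field separator must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # In extensions, backslash and '=' are escaped; line breaks become literal \r \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def encode_cef(fields, extensions=None, version="V0"):
    """Return one line: CEF:Version|Vendor|Product|Version|ClassID|Name|Severity|ext."""
    header = []
    for key, limit in HEADER_LIMITS:
        value = str(fields[key])
        if len(value) > limit:
            raise ValueError(f"{key} exceeds {limit} characters")
        header.append(_escape_header(value))
    severity = int(fields["severity"])
    severity_band(severity)  # validates the 0-10 range
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in (extensions or {}).items())
    return f"CEF:{CEF_VERSIONS[version]}|{'|'.join(header)}|{severity}|{ext}"


if __name__ == "__main__":
    # Constructed sample using the example values given for each required field.
    print(encode_cef(
        {"device_vendor": "Observo", "device_product": "Next-Gen Firewall",
         "device_version": "2.0.0", "device_event_class_id": "network-intrusion",
         "name": "Attempted lateral movement detected from compromised host",
         "severity": 8},
        {"src": "10.0.0.5", "dst": "10.0.0.9", "act": "blocked"}))
```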

CSV Format

Tabular format with comma-separated values.

  • CSV Fields (Required): Ordered list of field names for columns

    • Examples: ["timestamp", "source_ip", "destination_ip", "protocol", "action", "threat_level"]

  • CSV Buffer Capacity (Number, Default: 8192)

    • Buffer size in bytes (minimum: 1024)

  • CSV Delimiter (String, Default: ,)

    • Field separator character

    • Alternatives: \t, |, ;

  • Enable Double Quote Escapes (Boolean, Default: true)

    • Enabled: Escape quotes by doubling

    • Disabled: Use escape character

  • CSV Escape Character (String, Default: ")

    • Character for escaping when double quote disabled

  • CSV Quote Character (String, Default: ")

    • Character for quoting field values

  • CSV Quoting Style (Select, Default: necessary)

    • always: Quote all fields

    • necessary: Quote only when required

    • never: Never quote fields

    • non_numeric: Quote all non-numeric fields

Protocol Buffers

Binary serialization using Protocol Buffers schema.

  • Protobuf Message Type (Required): Fully qualified message type

    • Example: com.observo.xsiam.SecurityEvent

  • Protobuf Descriptor File (Required): Path to compiled descriptor file

    • Example: /etc/observo/schemas/xsiam_events.desc

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

Graylog Extended Log Format (GELF)

JSON-based format designed for structured logging.

  • Encoding Metric Tag Values (Default: single)

  • Encoding Timestamp Format

  • Fields to exclude from serialization (Optional)

5. Request Configuration

Optimize HTTP request behavior and performance:

  • Request Concurrency: Control parallel request processing

    • Default: Adaptive concurrency

    • Options:

      • Adaptive concurrency: Dynamically scales based on load

      • A fixed concurrency of 1: Sequential processing for strict ordering

  • Request Rate Limit Duration Secs: Time window for rate limiting

    • Default: 1 second

    • Defines the period for rate limit calculations

  • Request Rate Limit Num: Maximum requests per time window

    • Default: Unlimited

    • Example: 200 requests per second

  • Request Retry Attempts: Maximum retry count for failed requests

    • Default: Unlimited

    • Recommended: 3-7 for production environments

  • Request Retry Initial Backoff Secs: Initial retry delay

    • Default: 1 second

    • Subsequent retries follow Fibonacci sequence

  • Request Retry Max Duration Secs: Maximum backoff duration

    • Default: 3600 seconds (1 hour)

    • Caps exponential backoff growth

  • Request Timeout Secs: Request timeout threshold

    • Default: 60 seconds

    • Should exceed XSIAM's internal timeout

  • Request Headers: Custom HTTP headers for requests

    • Default:

      • X-Splunk-Request-Channel: xsiam-observo

      • Content-Type: application/json

    • Add custom headers for authentication or routing

6. Batching Configuration

Control event batching for optimal throughput:

  • Batch Max Bytes: Maximum batch size in bytes (uncompressed)

    • No default (unlimited)

    • Recommended: 500000-1000000 (500 KB - 1 MB)

    • Adjust based on event size and network capacity

  • Batch Max Events: Maximum events per batch

    • No default (unlimited)

    • Recommended: 500-2000 events

    • Lower values reduce latency, higher values improve efficiency

  • Batch Timeout Secs: Maximum batch age before flush

    • Default: 1.0 second

    • Ensures timely delivery during low-volume periods

7. TLS Configuration

Configure transport layer security:

  • TLS CA: CA certificate in PEM format

    • Required for custom certificate authorities

    • Necessary for self-signed certificates

  • TLS CRT: Client certificate in PEM format

    • Required for mutual TLS authentication

  • TLS Key: Private key in PEM format

    • Must match TLS CRT certificate

    • Store securely with restricted access

  • TLS Verify Certificate: Enable certificate validation

    • Default: false

    • Production recommendation: Set to true

    • Validates certificate chain and issuer trust

  • TLS Verify Hostname: Enable hostname verification

    • Default: false

    • Production recommendation: Set to true

    • Prevents man-in-the-middle attacks
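Added example, not part of Observo AI's product: a small Python lint that checks an exported destination configuration against the recommendations given in the Endpoint, Acknowledgement, Request, Batching, TLS and Buffering settings above. The configuration keys and the sample configuration are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Host pattern stated under Endpoint: https://api-{tenant}.{region}.paloaltonetworks.com
ENDPOINT_HOST = re.compile(r"api-[^.]+\.[^.]+\.paloaltonetworks\.com")


def _in_range(value, low, high):
    return value is not None and low <= value <= high


def ack_wait_seconds(acks):
    # Worst-case acknowledgement wait: query_interval x retry_limit (defaults 10 and 30).
    return acks.get("query_interval", 10) * acks.get("retry_limit", 30)


def lint_destination(cfg):
    """Return one finding per setting that departs from the documented guidance."""
    findings = []
    url = urlparse(cfg.get("endpoint", ""))
    if url.scheme != "https":
        findings.append("endpoint: scheme must be https")
    if url.path not in ("", "/") or url.query:
        findings.append("endpoint: base URL must not contain path components")
    if not ENDPOINT_HOST.fullmatch(url.hostname or ""):
        findings.append("endpoint: host does not match api-{tenant}.{region}.paloaltonetworks.com")
    token = str(cfg.get("default_token", ""))
    if not (token.startswith("${") and token.endswith("}")):
        findings.append("default_token: literal token in config; reference a secret such as ${XSIAM_HEC_TOKEN}")
    tls = cfg.get("tls", {})
    for key in ("verify_certificate", "verify_hostname"):
        if not tls.get(key, False):  # both default to false
            findings.append(f"tls.{key}: false; set to true in production")
    if not _in_range(cfg.get("request", {}).get("retry_attempts"), 3, 7):
        findings.append("request.retry_attempts: unlimited or outside recommended 3-7")
    batch = cfg.get("batch", {})
    if not _in_range(batch.get("max_bytes"), 500_000, 1_000_000):
        findings.append("batch.max_bytes: unlimited or outside recommended 500 KB - 1 MB")
    if not _in_range(batch.get("max_events"), 500, 2000):
        findings.append("batch.max_events: unlimited or outside recommended 500-2000")
    acks = cfg.get("acknowledgements", {})
    if acks.get("enabled") and not _in_range(acks.get("max_pending_acks"), 1000, 5000):
        findings.append("acknowledgements.max_pending_acks: unlimited or outside recommended 1000-5000")
    if cfg.get("buffer", {}).get("when_full") == "drop_newest":
        findings.append("buffer.when_full: drop_newest discards events under load (data loss)")
    return findings


# Constructed configuration that leaves every documented default in place.
WEAK_CONFIG = {
    "endpoint": "http://api-tenant.region.paloaltonetworks.com/services/collector",
    "default_token": "hardcoded-token-placeholder",
    "acknowledgements": {"enabled": True, "max_pending_acks": None,
                         "query_interval": 10, "retry_limit": 30},
    "request": {"retry_attempts": None},
    "batch": {"max_bytes": None, "max_events": None},
    "tls": {"verify_certificate": False, "verify_hostname": False},
    "buffer": {"when_full": "drop_newest"},
}

if __name__ == "__main__":
    for finding in lint_destination(WEAK_CONFIG):
        print(finding)
```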

8. Buffering Configuration

Configure event buffering strategy:

  • Buffer Type: Buffering mechanism selection

    • Options: Memory, Disk

Memory Buffer

High-performance in-memory buffering for low latency.

  • Max Events: Maximum events in buffer

    • Default: 500

    • Adjust based on available memory

  • When Full: Behavior when buffer is full

    • Default: Block

    • Options:

      • Block: Apply backpressure to sources

      • Drop Newest: Discard new events (data loss)

Disk Buffer

Persistent disk-based buffering for reliability.

  • Max Bytes Size: Maximum buffer size in bytes

    • Minimum: 268435488 (256 MB)

    • Adjust based on available disk space

  • When Full: Behavior when buffer is full

    • Default: Block

    • Options:

      • Block: Apply backpressure to sources

      • Drop Newest: Discard new events (data loss)

9. Advanced Settings

Additional configuration for specialized scenarios:

  • Compression: Data compression algorithm

    • Default: No compression

    • Options:

      • No compression: No CPU overhead

      • Gzip compression: Balanced compression ratio

      • Zlib compression: DEFLATE-based compression

    • Recommended: Gzip for bandwidth optimization

  • Endpoint Target: HEC endpoint type selection

    • Default: Event endpoint (Metadata sent with event payload)

    • Options:

      • Event endpoint: Metadata in payload

      • Raw endpoint: Metadata as query parameters

  • Source (Optional): Log source identifier

    • Typically the originating system or file

    • XSIAM will attempt to set if unspecified

    • Examples: {{ file }}, /var/log/firewall.log, endpoint-security-agent, TCP:514

  • Sourcetype (Optional): Event type classification

    • Default: httpevent (if unset)

    • Used by XSIAM for parsing and categorization

    • Examples: {{ sourcetype }}, _json, pan:traffic, pan:threat

  • Path (Optional): Custom HEC endpoint path

    • Default: /services/collector/event?isParsed=true&channel=xsiam

    • Override for custom routing or parsing

    • Examples: /app/xsiam/hec, /custom/ingest/path

10. Save and Test Configuration

  • Save the configuration in Observo AI

  • Transmit test events to validate connectivity

  • Verify events appear in XSIAM with correct parsing

  • Review field extraction and data formatting

Troubleshooting

If issues occur with the Palo Alto XSIAM destination, follow these diagnostic steps:

Verify Configuration Settings

  • Confirm all fields match XSIAM tenant configuration

  • Validate endpoint URL format and tenant/region information

  • Ensure Index (if configured) aligns with XSIAM data organization

Check Authentication

  • Verify HEC token validity and permissions

  • Confirm token has not been revoked or expired

  • Regenerate token if necessary and update configuration

Monitor Logs

  • Review Observo AI logs for transmission errors

  • Check XSIAM ingestion logs for parsing errors

  • Verify events arrive with expected metadata

Validate Network Connectivity

  • Confirm HTTPS access to XSIAM endpoint

  • Check firewall rules for port 443 traffic

  • Verify DNS resolution for XSIAM API endpoints

Test Data Flow

  • Send sample events through Observo AI

  • Monitor arrival in XSIAM using the Search interface

  • Use Observo AI Analytics to track throughput

Check Quotas and Limits

  • Verify XSIAM ingestion quotas are not exceeded

  • Review daily ingestion limits for your tenant

  • Adjust batching if encountering backpressure

Common Issues

Issue                         | Possible Cause               | Resolution
------------------------------|------------------------------|-----------------------------------------------------
Events not appearing in XSIAM | Incorrect endpoint or token  | Verify endpoint URL and HEC token
Authentication failures       | Invalid or expired token     | Regenerate HEC token and update configuration
Connection timeouts           | Network or firewall restrictions | Check network policies and HTTPS connectivity
Slow ingestion                | Batching or rate limiting    | Adjust batch settings or review rate limits
Parsing errors                | Incorrect encoding or format | Verify encoding codec matches XSIAM parser expectations

Common Errors

Error Message                 | Possible Cause                  | Solution
------------------------------|---------------------------------|------------------------------------------------------------
Connection refused            | Endpoint unreachable            | Verify endpoint URL and network connectivity
401 Unauthorized              | Invalid HEC token               | Regenerate and update HEC token
403 Forbidden                 | Insufficient token permissions  | Verify token has ingestion permissions
404 Not Found                 | Incorrect endpoint path         | Verify endpoint URL and path configuration
413 Payload Too Large         | Batch exceeds size limits       | Reduce Batch Max Bytes and Batch Max Events
429 Too Many Requests         | Rate limit exceeded             | Implement rate limiting or contact XSIAM support
500 Internal Server Error     | XSIAM service issue             | Check XSIAM status, contact Palo Alto support
503 Service Unavailable       | XSIAM temporarily unavailable   | Increase retry attempts and backoff duration
SSL certificate verify failed | Certificate validation error    | Configure TLS CA or verify certificate validity
Timeout                       | Request duration exceeded       | Increase Request Timeout Secs or reduce batch size
Invalid channel               | Channel parameter mismatch      | Verify X-Splunk-Request-Channel header matches XSIAM config
Event parsing failed          | Format mismatch                 | Verify encoding codec and event structure

Resources

For additional information and detailed guidance, refer to these resources:
