Data Security Alerts
Collects and ingests data security alerts from the Palo Alto Data Security API.
Details
This input collects data security alerts from the Palo Alto Data Security API. It supports incremental sync and handles pagination automatically. On the first sync, it fetches all available alerts. Key features include:
- Incremental sync with state management
- Fetches detailed alert information
Prerequisites
- A Palo Alto Data Security account with API access.
- API Key for authentication.
- Base URL for the Palo Alto Data Security API (e.g., https://api.use1.dig.security).
Setup Instructions
- Obtain your API Key from the Palo Alto Data Security console. Refer to this page for instructions.
- Note down the Base URL for the API (varies by region). Refer to this page for more information.
- Configure the input using the API Key and Base URL.
Configuration
Settings
| Field | Description | Type | Required |
|---|---|---|---|
| base_url | Base URL for the Palo Alto Data Security API | string | Yes |
| backfill start time | The date to start fetching data from. If not specified, no past records will be fetched. | string | No |
Secrets
| Field | Description | Type | Required |
|---|---|---|---|
| api_key | API Key for access | string | Yes |
Note on Collection Behavior
The input follows an incremental collection pattern:
- First run: Collects all available alerts
- Subsequent runs: Collects only new alerts since the last successful run
- Implements state management to track the last collection timestamp
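The incremental pattern above, as an added example that is not the integration's own code: one run walks every page, keeps only alerts newer than the persisted checkpoint (or the optional backfill start on a fresh state), and advances the checkpoint. The paginated endpoint is not documented on this page, so `fetch_page` is a hypothetical stand-in over constructed sample alerts shaped like the Sample Record below.

```python
from datetime import datetime

# Constructed sample alerts (subset of the Sample Record fields); not real API output.
SAMPLE_ALERTS = [
    {"id": "623196645", "detectionTime": "2025-08-11T23:46:48.848879Z",
     "policyName": "Suspicious database configuration change", "policySeverity": "CRITICAL"},
    {"id": "623196646", "detectionTime": "2025-08-12T01:10:00.000000Z",
     "policyName": "Public exposure of sensitive data", "policySeverity": "HIGH"},
    {"id": "623196647", "detectionTime": "2025-08-12T03:00:00.000000Z",
     "policyName": "Unusual data access", "policySeverity": "MEDIUM"},
]

def parse_time(value):
    """Parse the API's ISO 8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def fetch_page(alerts, offset, page_size):
    """Hypothetical stand-in for one paginated API call: returns the page and the
    next offset, or None when the last page has been reached."""
    page = alerts[offset:offset + page_size]
    next_offset = offset + page_size if offset + page_size < len(alerts) else None
    return page, next_offset

def collect(state, source=SAMPLE_ALERTS, backfill_start=None, page_size=2):
    """One collector run. `state` persists between runs and holds the checkpoint of
    the last successful run; an empty state with no backfill start collects everything."""
    checkpoint = state.get("last_detection_time") or backfill_start
    lower = parse_time(checkpoint) if checkpoint else None
    # IDs already seen at exactly the checkpoint time, so equal timestamps are not
    # re-collected but alerts that land on that same second later are not lost.
    seen = set(state.get("ids_at_checkpoint", []))
    collected, offset = [], 0
    while offset is not None:  # pagination loop
        page, offset = fetch_page(source, offset, page_size)
        for alert in page:
            ts = parse_time(alert["detectionTime"])
            if lower is not None and (ts < lower or (ts == lower and alert["id"] in seen)):
                continue
            collected.append(alert)
    if collected:  # advance the checkpoint only after a successful run
        newest = max(parse_time(a["detectionTime"]) for a in collected)
        ids = {a["id"] for a in collected if parse_time(a["detectionTime"]) == newest}
        if lower is not None and newest == lower:
            ids |= seen
        state["last_detection_time"] = newest.isoformat().replace("+00:00", "Z")
        state["ids_at_checkpoint"] = sorted(ids)
    return collected, state
```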
Troubleshooting
Common issues and their solutions:
- Authentication failures
  - Verify API Key and Base URL are correct
  - Ensure the API key has not expired
- Connection issues
  - Verify the Base URL is correct for your region
  - Check network connectivity and firewall rules
  - Ensure proper SSL/TLS configuration
Sample Record
{
  "id": "623196645",
  "detectionTime": "2025-08-11T23:46:48.848879Z",
  "policyName": "Suspicious database configuration change",
  "assetName": "production-database",
  "assetLabels": [
    {
      "label": {
        "id": 841960369,
        "name": "PII",
        "description": "Confidential company data",
        "color": "F39C12",
        "prettyName": "Financial"
      },
      "connectedBy": "AUTOMATION"
    }
  ],
  "cloudProvider": "Azure",
  "destinationProjects": {},
  "projectName": "Production",
  "projectId": "123412341234",
  "cloudEnvironment": "DEVELOPMENT",
  "policySeverity": "CRITICAL",
  "policyCategoryType": "ATTACK",
  "status": "CLOSED",
  "eventActor": "analyst@company.com",
  "eventUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
  "eventActionMedium": "API",
  "eventSource": "67.198.104.112",
  "policyFrameWorks": [
    "MITRE-T1578"
  ],
  "eventRawData": "{}",
  "assetId": "arn:aws:rds:us-east-2:001122334455:bucket:production-database"
}