User Guide: Palo Alto GlobalProtect Log Analyzer

Version 1.4.0 | Last Updated: April 15, 2025

Introduction

The Palo Alto GlobalProtect Log Analyzer is a specialized web application designed to analyze VPN log files from Palo Alto GlobalProtect systems. The tool helps security professionals identify potential threats, password spraying attempts, and suspicious login behaviors.

Key features include:

  • Automated analysis of GlobalProtect log files
  • Detection of password spraying attacks
  • Identification of suspicious login patterns
  • Correlation of threats across multiple log files
  • Flagging of suspicious IPs and machine names
  • AI-generated security reports

Getting Started

Requirements

  • A modern web browser (Chrome, Firefox, Edge, or Safari)
  • Valid login credentials for the application (if required)
  • GlobalProtect log files in CSV format

Accessing the Application

  1. Navigate to the application URL in your web browser
  2. If prompted, enter your authentication credentials
  3. You will be directed to the main dashboard

Navigation

The application has several main sections accessible from the navigation menu:

  • Home - Dashboard showing recent log files and analysis summary
  • Agencies - Manage and organize logs by agency
  • Upload - Upload and process new log files
  • Search - Search through all successful logins
  • IOCs - Manage Indicators of Compromise (Admin only)
  • Prompt Templates - Manage AI report generation prompts (Admin only)

Uploading Log Files

  1. Navigate to the Upload section using the navigation menu
  2. Select an agency from the dropdown menu, or use the default
  3. Click "Choose File" to select your GlobalProtect log file (CSV format)
  4. Click "Upload" to begin the upload and analysis process
  5. The system will process the file and redirect you to the results page when complete

Supported Log Formats:

  • CSV files exported from Palo Alto GlobalProtect
  • Files must contain the standard column headers, such as "Receive Time", "Source User", "Public IP", etc.

Viewing Analysis Results

After uploading a log file, you can view the analysis results in two ways:

Analysis Text Output

  1. From the home page, find your log file in the list
  2. Click "View Analysis" to see the detailed analysis output
  3. This page displays all findings, including:
     • Potential password spraying attempts
     • Successful login details
     • Critical security alerts
     • Machine name analysis
     • User activity summaries

AI-Generated Report

  1. From the home page, find your log file in the list
  2. Click "View Report" to see the AI-generated security report
  3. The report provides a structured summary of findings with:
     • Executive summary
     • Key security findings
     • Detailed threat analysis
     • Recommended actions

Reports and Interpretation

The analysis and reports highlight several key areas of security concern:

Critical Security Alerts

Pay special attention to sections labeled "CRITICAL SECURITY ALERT". These indicate:

  • Successful logins from known password sprayer IPs
  • Logins from IPs in suspicious CIDR blocks
  • Logins from manually flagged IPs or machine names

IOC (Indicators of Compromise) Flags

The system flags suspicious login activities, including:

  • Generic machine names
  • Shared machine names across multiple users
  • Service account usage
  • Mass login events (multiple users from the same IP)
  • Cross-log shared machine names
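To make the detections above concrete, here is an added example (not the Log Analyzer's own code) that parses a GlobalProtect-style CSV export like the one described under Uploading Log Files and produces the findings listed in Critical Security Alerts and IOC Flags: password spraying, a sprayer that later logged in successfully, mass login events, shared machine names, generic machine names and service account usage. The columns "Receive Time", "Source User" and "Public IP" are the ones this guide names; the "Machine Name" and "Status" columns, the thresholds, the machine-name and service-account heuristics and the sample rows are all assumptions made for the example.

```python
"""Detection logic over a constructed GlobalProtect CSV sample.

Added example, not code from the Log Analyzer project. "Receive Time",
"Source User" and "Public IP" are the column names the guide lists; the
"Machine Name" and "Status" (success/failure) columns are assumed here.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log (not real data). 203.0.113.5 fails against several
# users and then succeeds once; WORKSTATION-7 and KIOSK-01 are shared.
SAMPLE_CSV = """Receive Time,Source User,Public IP,Machine Name,Status
2025/04/14 08:00:01,alice,203.0.113.5,DESKTOP-1A2B3C,failure
2025/04/14 08:00:03,bob,203.0.113.5,DESKTOP-1A2B3C,failure
2025/04/14 08:00:05,carol,203.0.113.5,DESKTOP-1A2B3C,failure
2025/04/14 08:00:07,dave,203.0.113.5,DESKTOP-1A2B3C,failure
2025/04/14 08:00:09,dave,203.0.113.5,DESKTOP-1A2B3C,success
2025/04/14 09:15:00,alice,198.51.100.20,WORKSTATION-7,success
2025/04/14 09:20:00,erin,198.51.100.21,WORKSTATION-7,success
2025/04/14 10:00:00,svc-backup,192.0.2.77,BACKUPSRV01,success
2025/04/14 11:00:00,frank,198.51.100.30,KIOSK-01,success
2025/04/14 11:00:05,grace,198.51.100.30,KIOSK-01,success
2025/04/14 11:00:10,heidi,198.51.100.30,KIOSK-01,success
"""

SPRAY_USER_THRESHOLD = 3     # distinct users failing from one IP (assumed)
MASS_LOGIN_THRESHOLD = 3     # distinct users succeeding from one IP (assumed)
GENERIC_PREFIXES = ("DESKTOP-", "WIN-", "LAPTOP-")   # assumed heuristic
SERVICE_PREFIXES = ("svc-", "svc_")                  # assumed heuristic


def parse_rows(csv_text):
    """Parse the CSV export; reject a file that lacks the expected headers."""
    reader = csv.DictReader(io.StringIO(csv_text))
    required = {"Receive Time", "Source User", "Public IP", "Machine Name", "Status"}
    missing = required - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    return list(reader)


def analyze(rows):
    """Return the finding types the guide describes, keyed by name."""
    failed_users = defaultdict(set)    # ip -> users with failed attempts
    success_users = defaultdict(set)   # ip -> users with successful logins
    machine_users = defaultdict(set)   # machine name -> users who logged in on it
    for r in rows:
        ip, user, machine = r["Public IP"], r["Source User"], r["Machine Name"]
        if r["Status"].lower() == "success":
            success_users[ip].add(user)
            machine_users[machine].add(user)
        else:
            failed_users[ip].add(user)

    sprayers = {ip for ip, users in failed_users.items()
                if len(users) >= SPRAY_USER_THRESHOLD}
    return {
        "password_spray_ips": sorted(sprayers),
        # Critical: a spraying IP that eventually got a successful login.
        "critical_sprayer_success": sorted(
            (ip, u) for ip in sprayers for u in success_users.get(ip, ())),
        "mass_login_ips": sorted(ip for ip, users in success_users.items()
                                 if len(users) >= MASS_LOGIN_THRESHOLD),
        "shared_machines": sorted((m, sorted(u)) for m, u in machine_users.items()
                                  if len(u) > 1),
        "generic_machines": sorted(m for m in machine_users
                                   if m.upper().startswith(GENERIC_PREFIXES)),
        "service_account_logins": sorted(
            (r["Source User"], r["Public IP"]) for r in rows
            if r["Status"].lower() == "success"
            and r["Source User"].lower().startswith(SERVICE_PREFIXES)),
    }


if __name__ == "__main__":
    for kind, items in analyze(parse_rows(SAMPLE_CSV)).items():
        print(f"{kind}: {items}")
```

Only successful rows feed the machine-name correlation, so a sprayer guessing from one host does not by itself make that host "shared"; the spraying is reported separately, and the overlap of the two sets is what the guide calls a critical alert.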

IOC Management

Administrators can manage Indicators of Compromise to improve future analysis:

Managing Flagged IPs

  1. Navigate to the IOCs section
  2. View the list of currently flagged IP addresses
  3. To add a new flagged IP:
     • Click "Add Flagged IP"
     • Enter the IP address and reason for flagging
     • (Optional) Add notes and other metadata
     • Click "Submit"
  4. To edit or delete a flagged IP, use the corresponding buttons

Managing Flagged Machines

  1. Navigate to the IOCs section
  2. View the list of currently flagged machine names
  3. To add a new flagged machine:
     • Click "Add Flagged Machine"
     • Enter the machine name and reason for flagging
     • (Optional) Add notes and other metadata
     • Click "Submit"
  4. To edit or delete a flagged machine, use the corresponding buttons

Updating Suspicious Flags

After adding, modifying or deleting IOCs, click "Update Suspicious Flags" to re-evaluate the existing login records in the database against the current IOC set. Records that stop matching any IOC are no longer flagged, so run this after removals as well as additions.
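The following added example (not the Log Analyzer's own code) shows what such an update has to do: recompute the suspicious flag on every stored successful login from the current IOC set, using the three Critical Security Alert conditions this guide lists (known sprayer IPs, suspicious CIDR blocks, manually flagged IPs and machine names). The record fields, the IOC structure and the sample data are assumptions for the example; the CIDR check uses Python's standard `ipaddress` module.

```python
"""Re-applying IOC flags to stored login records (added example, not the
Log Analyzer's code). Record and IOC shapes below are assumed."""
import ipaddress

# Constructed IOC set (assumed shape, not real indicators).
IOCS = {
    "sprayer_ips": {"203.0.113.5"},
    "suspicious_cidrs": ["198.51.100.0/24"],
    "flagged_ips": {"192.0.2.77": "reported by SOC"},
    "flagged_machines": {"WORKSTATION-7": "shared across users"},
}

# Constructed successful-login records (assumed shape).
LOGINS = [
    {"id": 1, "user": "dave", "ip": "203.0.113.5", "machine": "DESKTOP-1A2B3C"},
    {"id": 2, "user": "alice", "ip": "198.51.100.20", "machine": "WORKSTATION-7"},
    {"id": 3, "user": "svc-backup", "ip": "192.0.2.77", "machine": "BACKUPSRV01"},
    {"id": 4, "user": "frank", "ip": "10.1.1.5", "machine": "FRANK-PC"},
    {"id": 5, "user": "mallory", "ip": "not-an-ip", "machine": "X"},
]


def compile_cidrs(cidrs):
    """Parse CIDR strings once up front; a bad entry is a configuration
    error and should fail loudly rather than silently never match."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def alert_reasons(login, iocs, networks):
    """Return every reason a login matches the current IOC set."""
    reasons = []
    ip = login["ip"]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # A login record whose source IP cannot be parsed deserves review
        # on its own; do not drop it as "no match".
        return ["unparseable IP"]
    if ip in iocs["sprayer_ips"]:
        reasons.append("known password sprayer IP")
    for net in networks:
        if addr in net:          # version mismatch simply does not match
            reasons.append(f"IP in suspicious CIDR {net}")
    if ip in iocs["flagged_ips"]:
        reasons.append(f"flagged IP: {iocs['flagged_ips'][ip]}")
    machine = login["machine"]
    if machine in iocs["flagged_machines"]:
        reasons.append(f"flagged machine: {iocs['flagged_machines'][machine]}")
    return reasons


def update_suspicious_flags(logins, iocs):
    """Recompute (not merely add) the suspicious flag on every record, so
    that removing an IOC clears alerts on records that no longer match."""
    networks = compile_cidrs(iocs["suspicious_cidrs"])
    updated = []
    for login in logins:
        reasons = alert_reasons(login, iocs, networks)
        updated.append({**login, "suspicious": bool(reasons), "reasons": reasons})
    return updated


if __name__ == "__main__":
    for rec in update_suspicious_flags(LOGINS, IOCS):
        if rec["suspicious"]:
            print(f"CRITICAL SECURITY ALERT login {rec['id']} ({rec['user']}): "
                  + "; ".join(rec["reasons"]))
```

Recomputing from scratch rather than appending flags is the important design choice: an update that only ever sets the flag leaves stale alerts behind after an IOC is deleted, which is exactly the case the "Update Suspicious Flags" step exists to handle.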

Search and Filtering

The search function allows you to find specific login events across all analyzed log files:

  1. Navigate to the Search section
  2. Use the filters to narrow down results:
     • Username (full or partial)
     • IP address (exact match)
     • Machine name (full or partial)
     • Date range
     • Agency
  3. Click "Search" to view matching results
  4. Results include timestamp, username, IP address, machine name and other details
  5. From the search results, you can:
     • Flag suspicious IPs (click "Flag IP")
     • Flag suspicious machines (click "Flag Machine")
     • View all details of a specific login

Admin Functions

Administrator accounts have access to additional features:

Managing Agencies

  1. Navigate to the Agencies section
  2. Add new agencies using the form at the top
  3. View all agencies and their associated log files
  4. Rename agencies if needed (click "Rename")

Managing Prompt Templates

  1. Navigate to the Prompt Templates section
  2. View existing AI report generation templates
  3. Add a new template (click "Add Template")
  4. Edit existing templates (click "Edit")
  5. Set a template as active for report generation

Refreshing Analysis/Reports

  1. From the home page, find your log file in the list
  2. Click "Refresh Analysis" to reprocess the log file
  3. This is useful after updating IOC flags
  4. Click "Regenerate Report" to create a new AI report
  5. This is useful after updating prompt templates

Troubleshooting

Common Issues

Log File Upload Fails

  • Ensure your file is in CSV format
  • Check that the file is not too large
  • Verify the file has the expected column headers

Analysis Shows "Error" Status

  • Check that the file format is correct
  • Look for error details in the log file record
  • Try refreshing the analysis

No Report Generated

  • Verify that the Azure OpenAI configuration is set up correctly
  • Check that there is an active prompt template
  • Try regenerating the report

Search Returns No Results

  • Try using fewer search criteria
  • Use partial matches for username/machine name
  • Check the date range parameters

Getting Help

For additional assistance, please contact your system administrator.

Additional Resources