AI Integration for Palo Alto Networks Strata Logging Service

A practical guide to using AI to analyze Palo Alto Strata NGFW logs for proactive security, identifying policy misconfigurations, shadow IT, and anomalous traffic patterns.
ARCHITECTURE & ROLLOUT

Where AI Fits into Palo Alto Strata Logging

Integrating AI with Palo Alto Networks Strata Logging Service transforms raw firewall data into proactive security intelligence.

AI integration connects directly to the Strata Logging Service API or via Cortex Data Lake, analyzing the high-volume stream of NGFW traffic, threat, and URL filtering logs. The primary surfaces for AI are:

  • Traffic Logs: For baselining normal application and user behavior to detect shadow IT, data exfiltration, and anomalous internal lateral movement.
  • Threat Logs: To correlate isolated threat events into potential campaigns and prioritize alerts based on the target asset's business context.
  • URL Filtering Logs: To identify trends in policy violations, risky web categories accessed, and potential phishing landing page hits that evade static blocklists.
  • Policy Logs: To audit configuration changes and identify rule misconfigurations that create security gaps or unnecessary access.

Implementation typically involves a sidecar analytics service that subscribes to log streams. This service uses AI models to perform:

  • Anomaly Detection: Establishing behavioral baselines for source-destination pairs, port/protocol usage, and data transfer volumes to flag deviations indicative of compromised internal hosts or unauthorized data movement.
  • Pattern Correlation: Clustering related low-severity threat logs (e.g., multiple "command-and-control" alerts for the same internal IP over time) to surface sustained adversary activity that single alerts miss.
  • Policy Optimization Analysis: Reviewing firewall rule hit counts and security policy logs to recommend rule consolidation, removal of unused rules, and identification of overly permissive "any-any" policies.

The processed insights are fed back into the security workflow via webhooks to Cortex XSOAR for orchestration, creation of dynamic address objects in Panorama, or generation of high-fidelity alerts in Cortex XDR for investigation.

Rollout should be phased, starting with a read-only analysis of historical log data to tune models and establish benchmarks. Governance is critical: all AI-generated recommendations for policy changes or containment actions should route through an approval workflow in Cortex XSOAR, with a human-in-the-loop for initial deployments. Maintain a clear audit trail linking any automated action back to the specific AI analysis and the log data that triggered it. This ensures accountability and allows for continuous refinement of the models based on analyst feedback and false positive rates.

AI-POWERED LOG ANALYSIS

Key Integration Surfaces in the Strata Logging Service

Ingesting and Structuring Firewall Telemetry

The Strata Logging Service ingests vast streams of raw log data from Palo Alto Networks NGFWs, Panorama, and other security appliances. AI integration begins here, applying natural language processing and schema inference to normalize disparate log formats (e.g., Traffic, Threat, URL Filtering, WildFire) into a consistent, queryable structure.

Key AI applications include:

  • Automated Field Mapping: Using AI to identify and tag critical fields (source/destination IP, user, application, threat ID) from custom log formats or third-party devices forwarding to the service.
  • Anomalous Volume Detection: Establishing behavioral baselines for log volume per source to detect and alert on sudden drops (potential log forwarding failure) or spikes (indicative of an attack or misconfiguration).
  • Log Quality Scoring: Flagging logs with missing critical fields or malformed data for review, ensuring the integrity of the data lake for downstream analytics.

This structured, enriched data foundation is essential for reliable AI-driven threat hunting and policy analysis.
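
As an added example (not code from this page or from Inferensys), the baseline logic behind the Anomaly Detection bullet in the previous section and the Anomalous Volume Detection bullet above: a median/MAD baseline is built over a per-pair byte series or a per-source log-count series and today's value is scored against it in Python. All series, host names and thresholds are constructed for the example, and sources with too little history are reported rather than scored.

```python
import math
from statistics import median

# Constructed samples (not Strata data): 14 baseline days, then today's value.
PAIR_DAILY_BYTES = [12_000, 15_500, 11_800, 13_200, 14_100, 12_900, 15_000,
                    13_700, 12_400, 14_800, 13_100, 12_600, 15_200, 13_900]
PAIR_TODAY = 410_000      # one src->dst pair suddenly moving ~30x its usual bytes

SOURCE_DAILY_LOGS = [5_100, 4_950, 5_300, 5_050, 5_200, 4_900, 5_150,
                     5_000, 5_250, 4_980, 5_120, 5_060, 5_210, 5_030]
SOURCE_TODAY = 40         # a firewall that normally sends ~5k logs/day went nearly silent


def robust_zscore(baseline, value):
    """Distance of value from the baseline in units of scaled MAD.

    Median and MAD are used instead of mean and standard deviation so that a
    couple of noisy days in the training window do not widen the band enough
    to hide a real outlier."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    scale = 1.4826 * mad                      # MAD -> sigma equivalent
    if scale == 0:                            # perfectly flat baseline
        return 0.0 if value == med else math.copysign(math.inf, value - med)
    return (value - med) / scale


def classify(baseline, value, threshold=3.5):
    """'spike', 'drop' or 'normal' for one observation against its baseline."""
    z = robust_zscore(baseline, value)
    if z > threshold:
        return "spike"
    if z < -threshold:
        return "drop"
    return "normal"


def score_all(history, today, min_days=7):
    """history: key -> list of daily values; today: key -> today's value.

    Keys with too little history are reported as 'insufficient-baseline'
    rather than scored, so newly seen hosts do not flood the SOC with
    false spikes."""
    findings = {}
    for key, value in today.items():
        past = history.get(key, [])
        if len(past) < min_days:
            findings[key] = "insufficient-baseline"
        else:
            findings[key] = classify(past, value)
    return findings


if __name__ == "__main__":
    print(score_all({"10.1.4.22->203.0.113.77": PAIR_DAILY_BYTES,
                     "fw-edge-01 logs/day": SOURCE_DAILY_LOGS,
                     "10.1.4.99->198.51.100.4": [900, 950]},
                    {"10.1.4.22->203.0.113.77": PAIR_TODAY,
                     "fw-edge-01 logs/day": SOURCE_TODAY,
                     "10.1.4.99->198.51.100.4": 1_000_000}))
```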

PROACTIVE SECURITY OPERATIONS

High-Value AI Use Cases for Strata Logs

Forwarding Palo Alto Networks Strata NGFW logs to the logging service creates a rich data lake for security analysis. AI can transform this raw telemetry into actionable intelligence, moving beyond simple rule-based correlation to detect subtle threats, optimize policy, and automate investigation workflows.

01. Automated Policy Misconfiguration Analysis

AI analyzes firewall rule hit counts, application usage, and user/group activity to identify shadow IT, overly permissive rules, and unused policies. It generates natural language summaries and specific CLI commands for remediation, turning a monthly audit task into a continuous, automated review.

Review cadence: Monthly -> Continuous

02. Anomalous Network Traffic Detection

Models establish behavioral baselines for internal host communication (east-west) and external destinations (north-south) using Strata flow logs. AI flags subtle anomalies like low-and-slow data exfiltration, internal lateral movement, or beaconing to new external IPs that evade threshold-based rules, prioritizing them for analyst review.

Detection mode: Batch -> Real-time

03. Threat Hunting with Natural Language

Empower analysts to hunt across terabytes of Strata logs using plain English. An AI co-pilot translates queries like "show me all successful decrypted outbound traffic to new ASNs in the last 48 hours" into optimized log forwarding query language and returns summarized results, accelerating hypothesis testing.

Query time: Hours -> Minutes

04. Incident Enrichment & Triage

When a threat is detected (in Cortex XDR or another SIEM), AI automatically queries the Strata Logging Service to pull relevant session logs, threat prevention logs, and URL filtering records. It synthesizes this into a concise narrative of the attack's network activity, providing immediate context for the SOC.

Evidence gathering: Manual -> Automated

05. Proactive Compromise Assessment

After a new threat advisory (CVE, malware campaign) is published, AI scans historical Strata logs for indicators of compromise (IOCs) and vulnerable traffic patterns. It produces a report detailing potentially affected hosts and timeframes, turning reactive patching into proactive investigation.

Retrospective hunt: Days -> Hours

06. Log Volume & Cost Optimization

AI analyzes log ingestion patterns and security value to recommend selective forwarding filters. It identifies low-value debug logs or redundant traffic sessions that can be filtered at the source, reducing logging service costs and improving signal-to-noise for critical security events.

Implementation timeline: 1 sprint

PALO ALTO NETWORKS STRATA LOGGING SERVICE

Example AI-Driven Workflows for Proactive Security

These workflows demonstrate how AI can analyze firewall and NGFW logs forwarded to the Palo Alto Networks Strata Logging Service to move beyond simple dashboards and into automated, proactive security operations.

Trigger: Daily scheduled analysis of all security-policy-match and traffic logs from the past 24 hours.

Context Pulled: The AI agent queries the Logging Service for logs where the action is allow and matches them against the current, intended security policy baseline (stored externally).

Agent Action:

  1. Uses an LLM to analyze the application and destination fields of allowed traffic, comparing them to a known list of sanctioned SaaS applications and internal subnets.
  2. Flags anomalies such as:
    • Traffic to unknown or high-risk cloud IP ranges not in the sanctioned list.
    • Use of non-business applications (e.g., consumer file-sharing, gaming) from corporate IPs.
    • Rules with overly permissive destination fields (e.g., any).
  3. Generates a summary report categorizing findings by risk level and policy rule name.

System Update: The report is posted to a SOC Slack/Teams channel. High-confidence shadow IT findings automatically create a low-priority ticket in the ITSM platform (e.g., ServiceNow) for review and policy update. The agent can also draft a suggested, more restrictive policy rule for engineer review.

Human Review Point: All recommended policy changes require manual approval and implementation by the firewall admin team. The ticket includes the original log samples and the AI's reasoning.
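
An added example, not part of the original workflow description, implementing agent-action steps 1 to 3 in Python: each allowed-traffic record is checked against a sanctioned-app list, internal subnets and sanctioned cloud ranges, the rule baseline is checked for any destinations, and findings are grouped by risk level and rule name. Every list, range, rule name and log record here is constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed policy baseline (the workflow keeps this outside the logging service).
SANCTIONED_APPS = {"ms-office365", "salesforce", "ssl", "web-browsing", "dns"}
NON_BUSINESS_APPS = {"bittorrent", "steam", "consumer-file-sharing"}
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SANCTIONED_CLOUD_RANGES = [ipaddress.ip_network("52.96.0.0/12")]   # constructed SaaS range
RULE_BASELINE = {            # rule name -> intended destination object
    "Internal-Outbound": "Sanctioned-SaaS",
    "Temp-Vendor-Access": "any",
}

# Constructed 24 h of allowed traffic (a handful of Strata traffic-log fields).
ALLOW_LOGS = [
    {"src_ip": "10.1.4.22", "dst_ip": "52.96.10.5",   "app": "ms-office365", "rule": "Internal-Outbound"},
    {"src_ip": "10.1.4.23", "dst_ip": "203.0.113.77", "app": "ssl",          "rule": "Internal-Outbound"},
    {"src_ip": "10.2.8.9",  "dst_ip": "198.51.100.4", "app": "bittorrent",   "rule": "Temp-Vendor-Access"},
    {"src_ip": "10.1.4.22", "dst_ip": "10.20.0.15",   "app": "ssl",          "rule": "Internal-Outbound"},
]


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def analyze(logs, rule_baseline=RULE_BASELINE):
    """Return sorted (risk, rule, detail) findings, one per distinct observation."""
    findings = set()
    for log in logs:
        src, dst, app, rule = log["src_ip"], log["dst_ip"], log["app"], log["rule"]
        if app in NON_BUSINESS_APPS and in_any(src, INTERNAL_SUBNETS):
            findings.add(("high", rule, f"non-business app {app} from corporate host {src}"))
        elif not in_any(dst, INTERNAL_SUBNETS) and not in_any(dst, SANCTIONED_CLOUD_RANGES):
            findings.add(("medium", rule, f"allowed traffic to unsanctioned external {dst} ({app})"))
        elif app not in SANCTIONED_APPS:
            findings.add(("low", rule, f"unlisted app {app} to {dst}"))
    # Step 2, third bullet: rules whose intended destination object is already 'any'
    for rule, dst_obj in rule_baseline.items():
        if dst_obj == "any":
            findings.add(("high", rule, "rule destination is any"))
    return sorted(findings)


def summarize(findings):
    """Step 3: group findings by risk level, then by the policy rule that allowed them."""
    report = defaultdict(lambda: defaultdict(list))
    for risk, rule, detail in findings:
        report[risk][rule].append(detail)
    return {risk: dict(rules) for risk, rules in report.items()}
```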

INGEST, ENRICH, ANALYZE, ACT

Implementation Architecture: Data Flow and Model Layer

A production-ready AI integration for Palo Alto Networks Strata Logging Service connects log streams to custom models for proactive security insights.

The integration architecture begins by subscribing to the Strata Logging Service API or configuring log forwarding to a secure ingestion endpoint. Critical data objects include Traffic Logs, Threat Logs, URL Filtering Logs, and WildFire Submissions. A stream processor (e.g., Apache Kafka, AWS Kinesis) handles the high-volume, real-time flow, applying initial filtering to reduce noise—such as excluding known-benign internal traffic—before landing normalized logs in a cost-effective object store like Amazon S3 or Azure Data Lake.

The core AI layer operates in two modes: batch analysis for historical trend detection and near-real-time inference for immediate anomaly flagging. For batch jobs, a scheduled workflow (Apache Airflow, AWS Step Functions) queries the data lake, vectorizes log sequences, and runs models to identify policy misconfigurations (e.g., overly permissive rules), shadow IT (unapproved external destinations), and anomalous traffic patterns (beaconing, data exfiltration signatures). For real-time, a low-latency inference service (deployed via Kubernetes or serverless functions) receives filtered log events via a message queue, applies lightweight anomaly detection models, and posts high-confidence findings back to the Strata Logging Service as custom log types or to a dedicated security dashboard. Governance is enforced through a model registry (MLflow, Weights & Biases) for version control and an audit log tracking all AI-generated insights and actions.

Rollout follows a phased approach: start with a non-production log feed to validate model accuracy and avoid alert fatigue. Initially, AI insights should be presented in a parallel dashboard or as enriched log metadata, not as automated policy changes. As confidence grows, workflows can be extended to create tickets in ServiceNow ITSM, following our AI integration for Splunk with ServiceNow ITSM pattern (/integrations/security-information-and-event-platforms/ai-integration-for-splunk-with-servicenow-itsm), or to trigger investigative playbooks in Palo Alto Cortex XSOAR. The final architecture ensures AI augments the SOC by highlighting subtle risks in the vast log stream, turning passive logging into a proactive hunting ground.

AI-ENHANCED LOG ANALYSIS

Code and Payload Examples

Ingesting and Structuring Strata Logs for AI

Strata Logging Service forwards NGFW logs (Traffic, Threat, URL Filtering) to a central data lake. Before AI analysis, logs must be enriched with business context. This typically involves a Python-based ingestion service that normalizes fields, tags logs with asset criticality from a CMDB, and appends geolocation data for external IPs.

A key pattern is using the Cortex Data Lake API or a SIEM connector to pull logs in batches. The payload is then transformed into a structured JSON format suitable for vectorization. This step ensures the AI model receives consistent, context-rich data, improving its ability to detect subtle policy misconfigurations or anomalous patterns that span multiple log sources.

```python
# Example: Enriching a Palo Alto NGFW log record
import json

# Placeholder lookups standing in for the CMDB, GeoIP and threat-intel
# services (in production these would be HTTP calls to those systems).
CMDB_CRITICALITY = {"192.168.1.100": "high"}
GEO_DB = {"93.184.216.34": {"country": "United States"}}
THREAT_INTEL_BLOCKLIST = set()
ANALYSIS_QUEUE = []

def get_cmdb_criticality(ip):
    return CMDB_CRITICALITY.get(ip, "unknown")

def get_geo(ip):
    return GEO_DB.get(ip, {"country": "unknown"})

def check_threat_intel(ip):
    return ip in THREAT_INTEL_BLOCKLIST

def send_to_analysis_queue(record):
    # Stand-in for publishing to the stream processor / message queue
    ANALYSIS_QUEUE.append(json.dumps(record))

raw_log = {
    "time_generated": "2024-01-15T10:30:00Z",
    "src_ip": "192.168.1.100",
    "dst_ip": "93.184.216.34",
    "app": "ssl",
    "rule": "Internal-Outbound"
}

# Enrich with CMDB data and threat intel
enriched_log = {
    **raw_log,
    "src_asset_criticality": get_cmdb_criticality(raw_log['src_ip']),  # e.g., 'high'
    "dst_geo": get_geo(raw_log['dst_ip']),  # e.g., {'country': 'United States'}
    "dst_is_malicious": check_threat_intel(raw_log['dst_ip'])  # e.g., False
}

# Send to processing queue for AI analysis
send_to_analysis_queue(enriched_log)
```

AI-ENHANCED LOG ANALYSIS

Realistic Time Savings and Security Impact

This table illustrates the operational and security impact of integrating AI with Palo Alto Networks Strata Logging Service. It compares manual, reactive workflows against AI-assisted, proactive operations for common SOC and network security tasks.

Security Task: Policy Misconfiguration Detection
  • Before AI Integration: Manual review during audits or after an incident
  • After AI Integration: Weekly automated report of shadow rules and policy drift
  • Implementation Notes: AI analyzes rule usage, hit counts, and application dependencies to flag unused or overly permissive policies.

Security Task: Anomalous Traffic Pattern Identification
  • Before AI Integration: Ad-hoc hunting based on known IOCs or threshold alerts
  • After AI Integration: Daily briefing on top behavioral outliers and potential beaconing
  • Implementation Notes: Models establish baselines for source/destination pairs, ports, and volumes to surface subtle C2 or data exfiltration.

Security Task: Threat Hunting for New Attack Patterns
  • Before AI Integration: Manual pivot through logs using pre-defined queries
  • After AI Integration: Guided investigation with AI-generated hypotheses and suggested XQL queries
  • Implementation Notes: AI clusters related log events and session data to propose novel attack chains for analyst validation.

Security Task: Compliance Reporting for Firewall Rules
  • Before AI Integration: Days of manual data extraction and mapping to controls
  • After AI Integration: On-demand report generation with evidence mapping in hours
  • Implementation Notes: AI tags logs and policies against frameworks (e.g., NIST, PCI DSS), automating evidence collection.

Security Task: Incident Triage for Firewall-Generated Alerts
  • Before AI Integration: Analyst reviews raw logs to contextualize each alert
  • After AI Integration: Alerts pre-summarized with relevant session details and risk scoring
  • Implementation Notes: AI enriches alerts with user/device context and cross-session history, prioritizing investigatory effort.

Security Task: Identification of Shadow IT Applications
  • Before AI Integration: Quarterly manual analysis of unknown destination domains/IPs
  • After AI Integration: Monthly automated inventory of new, unapproved external services
  • Implementation Notes: AI classifies traffic to SaaS and internet services not in the sanctioned catalog, highlighting new risk surfaces.

Security Task: Root Cause Analysis for Network Issues
  • Before AI Integration: Manual correlation of firewall denies with trouble tickets
  • After AI Integration: Assisted correlation suggesting likely misconfigurations or policy blocks
  • Implementation Notes: AI links denied sessions from Strata logs to user reports or performance monitors to accelerate troubleshooting.

ARCHITECTING A CONTROLLED, PRODUCTION-READY INTEGRATION

Governance, Data Handling, and Phased Rollout

Integrating AI with Palo Alto Networks Strata Logging Service requires a deliberate approach to data privacy, model governance, and operational rollout to ensure security and value.

The integration architecture typically involves a secure, dedicated processing service that subscribes to log streams from the Strata Logging Service API or Cortex Data Lake. This service acts as a middleware layer, performing essential functions before any data reaches an AI model:

  • Log Filtering & Sampling: Applying rules to forward only relevant log subsets (e.g., traffic to unknown external domains, policy denies for internal resources) for analysis, controlling volume and cost.
  • Data Anonymization & Tokenization: Stripping or hashing sensitive fields like internal IP addresses, usernames, or hostnames in the pre-processing pipeline, depending on the use case and compliance requirements.
  • Contextual Enrichment: Augmenting log records with data from internal sources (CMDB, asset inventory) to provide the AI with business context, such as device criticality or user department.
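
An added example (not the page's or Inferensys' code) of the three middleware functions above in one Python pass: forward-filtering to the two log subsets named in the first bullet, HMAC-based tokenization of internal IPs and usernames, and CMDB enrichment. The key, the CMDB entries, the benign-destination set and the log records are all constructed; the key stands in for one fetched from a secrets manager at runtime.

```python
import hashlib
import hmac
import ipaddress

# Constructed configuration; the HMAC key stands in for one fetched from a
# secrets manager at runtime (rotate it; never hard-code a real one).
TOKEN_KEY = b"constructed-demo-key"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_BENIGN_DST = {"93.184.216.34"}          # already-vetted external destinations
CMDB = {"10.1.4.22": {"criticality": "high", "dept": "finance"}}   # constructed asset inventory


def tokenize(value, key=TOKEN_KEY):
    """Keyed, deterministic pseudonym: the same host or user always maps to the
    same token, so the model can still correlate events without seeing the raw
    identifier, while nobody without the key can recompute or reverse it."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def should_forward(log):
    """Forward only the subsets the filtering bullet names: traffic to unknown
    external destinations, and denies against internal resources."""
    external_unknown = not is_internal(log["dst_ip"]) and log["dst_ip"] not in KNOWN_BENIGN_DST
    internal_deny = log["action"] == "deny" and is_internal(log["dst_ip"])
    return external_unknown or internal_deny


def preprocess(log):
    """Filter -> enrich (needs the raw IP for the CMDB lookup) -> pseudonymize."""
    if not should_forward(log):
        return None
    asset = CMDB.get(log["src_ip"], {})
    out = dict(log)
    out["src_criticality"] = asset.get("criticality", "unknown")
    out["src_dept"] = asset.get("dept", "unknown")
    out["src_ip"] = tokenize(out["src_ip"])
    if is_internal(out["dst_ip"]):            # external IPs stay raw for geo/threat-intel lookups
        out["dst_ip"] = tokenize(out["dst_ip"])
    if out.get("user"):
        out["user"] = tokenize(out["user"])
    return out


# Constructed Strata-style traffic records.
SAMPLE_LOGS = [
    {"src_ip": "10.1.4.22", "dst_ip": "93.184.216.34", "user": "acme\\jdoe", "app": "ssl", "action": "allow"},
    {"src_ip": "10.1.4.22", "dst_ip": "203.0.113.77", "user": "acme\\jdoe", "app": "ssl", "action": "allow"},
    {"src_ip": "10.9.9.9", "dst_ip": "10.1.4.22", "user": "", "app": "ms-rdp", "action": "deny"},
]


def run(logs):
    return [rec for rec in map(preprocess, logs) if rec is not None]
```

Because the token is deterministic, the deny aimed at 10.1.4.22 and the allow originating from 10.1.4.22 carry the same token, so the model can still tie the two events to one host.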

For governance, we implement a closed-loop feedback system. AI-generated insights—such as a detected policy shadowing a legitimate application or a suspected shadow IT server—are not applied directly. Instead, they are written back to the Strata Logging Service as custom log types or to a Cortex XSOAR incident. This creates an immutable audit trail. A security analyst or network engineer reviews the finding, validates it against existing policies and business knowledge, and then manually or semi-automatically initiates the remediation (e.g., creating a new security policy rule). This human-in-the-loop (HITL) approval step is critical for maintaining control over network policy and preventing model errors from causing outages.

A phased rollout mitigates risk and demonstrates value incrementally. We recommend starting with a read-only analysis phase for a single, high-value use case, such as identifying overly permissive firewall rules. The AI processes historical logs, and findings are delivered via a dashboard or report for manual review. After establishing confidence, move to a near-real-time alerting phase, where the integration pushes enriched alerts to the SOC's primary platform (e.g., Cortex XDR, Splunk ES). The final orchestrated workflow phase integrates the AI's output with automation platforms like Cortex XSOAR to create investigation cases with pre-populated context, but still requires analyst approval for any network changes. Each phase includes defined success metrics, such as reduction in manual log review time or the percentage of AI-identified policies that are validated and corrected by the network team.

AI INTEGRATION FOR PALO ALTO NETWORKS STRATA LOGGING SERVICE

Frequently Asked Questions

Practical questions about implementing AI to analyze firewall and NGFW logs for proactive security.

AI integration typically connects via the Cortex Data Lake API or a configured log forwarder. The primary pattern is:

  1. API-Based Pull: An orchestration service (e.g., a secure container) periodically queries the Cortex Data Lake API for new log batches using time-range filters. This is ideal for scheduled analysis jobs.
  2. Stream Forwarding: Configure the Strata Logging Service to forward logs in near-real-time to a secure cloud queue or object store (e.g., AWS S3, Azure Event Hub). An AI processing service consumes from this stream.

Key Data Objects: The AI models analyze structured log fields such as:

  • src_ip, dst_ip, app, user, rule
  • bytes, packets, session_end_reason
  • threat_id, url_category, action

The integration must handle Palo Alto's log schema and ensure API credentials or forwarding configurations follow least-privilege access.

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Across 5+ years, he has worked on computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.