Get Log Data Flow

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    • If Security Incident Response, Threat Intelligence, and Palo Alto Networks - Firewall are activated, the Security Operations Palo Alto Networks - Get Log Data flow automatically executes when the Source IP for observables in a security incident is changed.

    Before you begin

    Role required: sn_si.analyst

    About this task

    During flow execution, firewall configuration information is retrieved from the database and the API Key is retrieved from the firewall. The Get Log action queues up a search query on the firewall. When the query runs, it returns a Job ID that is used to retrieve threat logs data from the firewall. It attaches the log data as an XML file to the security incident.

    Procedure

    1. Navigate to a security incident that contains observables.
    2. Select the Security Incident Observables tab.
    3. In Source IP, add or modify the IP address.
    4. Select Update.
      The Security Operations Palo Alto Networks - Get Log Data flow executes and enriched threat log data is attached to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.

    Palo Alto Firewall- Get Log Action

    The Palo Alto Firewall: Get Log flow action schedules a query on the firewall to retrieve logs and returns a JobID used to retrieve the log data.

    Input variables

    Input variables determine the initial behavior of the action.

    Table 1. Input variables
    Variable Description
    FirewallIpAddress [string] The IP address of the firewall. This input variable is mandatory.
    FirewallApiKey [string] The API access key of the firewall. This input variable is mandatory.
    FirewallLogType [string] The type of log data to be retrieved (set to threat). This input variable is mandatory.
    FirewallLogFilterQuery [string] The query to be executed to search for logs on the firewall. This input variable is mandatory.
    LogDirection [string] Specifies whether logs are shown oldest first (backward) or newest first (forward) order.
    LogNumber [string] Specifies the number of logs to retrieve.
    LogSkipCount [string] Specifies the number of logs to skip when doing a log retrieval.

    Output variables

    The output variables contain data that can be used in subsequent actions. The output consists of data from the firewall configuration, as well as dynamically generated data.

    Table 2. Output variables
    Variable Description
    QueuedJobID [string] The Job ID returned from the firewall.
    JobScheduled [string] Specifies (success or failure) whether the job was sent to the firewall.
    error [string] Any errors returned.

    Palo Alto Firewall- Job Data Action

    After the Palo Alto Firewall: Get Log action queues the search query to the firewall and the job runs, the Palo Alto Firewall: Job Data Action action retrieves the threat log data from the firewall.

    Input variables

    Input variables determine the initial behavior of the action. All input fields are mandatory.

    Table 3. Input variables
    Variable Description
    FirewallIpAddress [string] The IP address of the firewall.
    FirewallApiKey [string] The API access key of the firewall.
    JobID [string] The ID of the queued job.

    Output variables

    The output variables contain data that can be used in subsequent actions. The output consists of data from the firewall configuration, as well as dynamically generated data.

    Table 4. Output variables
    Variable Description
    commandStatus [string] Specifies (success or failure) whether data was retrieved from the firewall.
    JobData [string] The data collected from the firewall.
    error [string] Any errors returned.