# Palo Alto Firewall

## About
Reactive security can’t keep up with today’s threats — or prepare you for tomorrow’s. We’ve changed the game by making network security intelligent and proactive. Driven by innovation, our award-winning security features the world's first ML-Powered NGFW and empowers you to stay ahead.
## Product Details
Vendor URL: Palo Alto Firewall
Product Type: Firewall
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Palo Alto Firewall - Cyderes Documentation
Log Guide: Sample Logs by Log Type
## Parser Details
Log Format: Syslog (CSV)
Expected Normalization Rate: 90-100%
Data Label: PAN_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
application | security_result.about.application |
bytesReceived | network.received_bytes |
bytesSent | network.sent_bytes |
category,threatCategory | security_result.description |
clientHostname | network.dhcp.client_hostname |
clientHostname | principal.hostname |
clientMac | principal.mac |
destinationZone | target.cloud.availability_zone |
deviceName,serverHostname | intermediary.hostname |
deviceName,tgthost | target.hostname |
domain,userdomain | principal.administrative_domain |
dstAddress | target.ip |
dstCountry | target.location.country_or_region |
dstPort | target.port |
GlobalProtect | security_result.about.labels |
httpMethod | network.http.method |
natDstAddress | target.nat_ip |
natDstPort | target.nat_port |
natSrcAddress | principal.nat_ip |
natSrcPort | principal.nat_port |
param,tgthost | target.url |
protocol | network.ip_protocol |
ruleName | security_result.rule_name |
serverHostname | network.dhcp.sname |
sourceZone | principal.cloud.availability_zone |
srcAddress | principal.ip |
srcCountry | principal.location.country_or_region |
srcPort | principal.port |
srcUserName | principal.user.userid |
srcUserName,userbysource | target.user.email_addresses |
subtype,type | metadata.product_event_type |
summary,threatContentName | security_result.summary |
urlFile | target.file.full_path |
userAgent | network.http.user_agent |
userbysource | target.user.userid |
verdict | security_result.about.labels[verdict] |
yiaddr | network.dhcp.ciaddr |
## Product Event Types

type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
dhcp | | NETWORK_DHCP | |
GLOBAL_PROTECT, TRAFFIC, THREAT | | NETWORK_CONNECTION | |
logout | | USER_LOGOUT | |
SYSTEM | | GENERIC_EVENT | |
USERID | | USER_LOGIN | |
wildfire-virus, wildfire, virus, vulnerability | | | TRUE |
| critical | | TRUE |
## Log Sample
<14>Nov 11 15:09:01 sysloghost 1,2021/11/11 15:09:01,ffffffffffff,THREAT,url,2305,2021/11/11 15:09:01,10.10.5.5,10.4.2.60,10.0.22.16,10.4.2.60,outbound,domain\username,,web-browsing,vsys1,trust,untrust,ae1.1000,ethernet1/1,domain Logs,2021/11/11 15:09:01,4072537,1,64051,443,16392,443,0x140b000,tcp,alert,"site",(9999),low-risk,informational,client-to-server,uid,0xa000000000000000,10.0.0.0-10.255.255.255,United States,0,,0,,,1,,,,,,,,0,130,0,0,0,,sysloghostname,,,,get,0,,0,2021/11/11 15:03:15,N/A,unknown,AppThreat-0-0,0x0,0,random,,"business-and-economy,low-risk",01-ffffffffffff,
## Sample Parsing
metadata.event_timestamp = "2021-11-11T15:09:01Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Palo Alto Networks"
metadata.product_name = "NGFW"
metadata.product_event_type = "THREAT - url"
metadata.ingested_timestamp = "2021-11-11T21:09:21.499744Z"
principal.hostname = "host"
principal.user.userid = "username"
principal.ip = "10.10.5.5"
principal.port = 64051
principal.mac = "ff:ff:ff:ff:ff:ff"
principal.administrative_domain = "domain"
principal.nat_ip = "10.0.22.16"
principal.nat_port = 16392
principal.cloud.availability_zone = "trust"
principal.asset.hostname = "host"
principal.asset.ip = "10.10.5.5"
principal.asset.mac = "ff:ff:ff:ff:ff:ff"
target.hostname = "hostname"
target.ip = "10.4.2.60"
target.port = 443
target.url = "site"
target.file.full_path = "site"
target.location.country_or_region = "United States"
target.cloud.availability_zone = "untrust"
target.asset.ip = "10.4.2.60"
intermediary.hostname = "sysloghostname"
security_result.about.application = "web-browsing"
security_result.rule_name = "outbound"
security_result.summary = "(9999)"
security_result.description = "low-risk - AppThreat-0-0"
security_result.action = "ALLOW"
security_result.severity = "LOW"
network.ip_protocol = "TCP"
network.http.method = "GET"
network.http.user_agent = "1"
## Parser Alerting

Alerting criteria are listed in the Product Event Types table above. This parser contains an override that sets every parser-based alert to LOW severity.
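As an added worked example (not Cyderes' or Palo Alto Networks' parser code), the following Python maps the THREAT line from the Log Sample above onto the UDM fields from this page's tables and applies the alerting rule from the Product Event Types table together with the LOW-severity override. The 0-based field positions, the syslog-header regex and the severity mapping beyond informational -> LOW are assumptions read off the sample's layout.

```python
import csv
import io
import re

# Constructed input: the THREAT/url line from the Log Sample above, reproduced verbatim.
SAMPLE = ('<14>Nov 11 15:09:01 sysloghost 1,2021/11/11 15:09:01,ffffffffffff,THREAT,url,2305,2021/11/11 15:09:01,'
          '10.10.5.5,10.4.2.60,10.0.22.16,10.4.2.60,outbound,domain\\username,,web-browsing,vsys1,trust,untrust,'
          'ae1.1000,ethernet1/1,domain Logs,2021/11/11 15:09:01,4072537,1,64051,443,16392,443,0x140b000,tcp,alert,'
          '"site",(9999),low-risk,informational,client-to-server,uid,0xa000000000000000,10.0.0.0-10.255.255.255,'
          'United States,0,,0,,,1,,,,,,,,0,130,0,0,0,,sysloghostname,,,,get,0,,0,2021/11/11 15:03:15,N/A,unknown,'
          'AppThreat-0-0,0x0,0,random,,"business-and-economy,low-risk",01-ffffffffffff,')

SYSLOG = re.compile(r"^<\d+>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+(?P<body>.*)$")  # assumed BSD-syslog header
# Assumed 0-based positions in the PAN-OS THREAT CSV body, as laid out in the sample line above.
POS = dict(serial=2, type=3, subtype=4, src_ip=7, dst_ip=8, nat_src=9, nat_dst=10, rule=11, user=12, app=14,
           src_zone=16, dst_zone=17, src_port=24, dst_port=25, nat_sport=26, nat_dport=27, proto=29, url=31,
           threat_id=32, category=33, severity=34, dst_country=39, device=59, http_method=63, contentver=70)
ALERT_SUBTYPES = {"wildfire-virus", "wildfire", "virus", "vulnerability"}  # alerting-enabled rows of the table
# Assumed PAN severity -> UDM mapping; this page only shows informational -> LOW.
SEVERITY = {"informational": "LOW", "low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}

def parse_threat(line: str) -> dict:
    """Map one PAN-OS THREAT syslog line onto the UDM fields listed on this page."""
    m = SYSLOG.match(line)
    f = next(csv.reader(io.StringIO(m.group("body")))) if m else []  # csv handles the quoted fields
    if len(f) <= POS["contentver"] or f[POS["type"]] != "THREAT":
        raise ValueError("not a syslog line carrying a PAN-OS THREAT CSV body")
    def g(k): return f[POS[k]]
    domain, _, user = g("user").rpartition("\\")  # "domain\\username" -> ("domain", "username")
    alert = g("subtype") in ALERT_SUBTYPES or g("severity") == "critical"
    return {
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.product_event_type": f"{g('type')} - {g('subtype')}",
        "principal.ip": g("src_ip"), "principal.port": int(g("src_port")),
        "principal.nat_ip": g("nat_src"), "principal.nat_port": int(g("nat_sport")),
        "principal.user.userid": user, "principal.administrative_domain": domain,
        "principal.mac": ":".join(g("serial")[i:i + 2] for i in range(0, 12, 2)),
        "principal.cloud.availability_zone": g("src_zone"),
        "target.ip": g("dst_ip"), "target.port": int(g("dst_port")),
        "target.nat_ip": g("nat_dst"), "target.nat_port": int(g("nat_dport")),
        "target.url": g("url"), "target.cloud.availability_zone": g("dst_zone"),
        "target.location.country_or_region": g("dst_country"),
        "intermediary.hostname": g("device"),
        "security_result.about.application": g("app"), "security_result.rule_name": g("rule"),
        "security_result.summary": g("threat_id"),
        "security_result.description": f"{g('category')} - {g('contentver')}",
        "security_result.alert": alert,  # parser override: every parser-based alert is pinned to LOW
        "security_result.severity": "LOW" if alert else SEVERITY.get(g("severity"), "LOW"),
        "network.ip_protocol": g("proto").upper(), "network.http.method": g("http_method").upper(),
    }
```

Running `parse_threat(SAMPLE)` reproduces the Sample Parsing values above; a line whose subtype is wildfire/virus/vulnerability or whose severity is critical comes back with the alert flag set and severity LOW.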