
Palo Alto Firewall


About

Reactive security can’t keep up with today’s threats — or prepare you for tomorrow’s. We’ve changed the game by making network security intelligent and proactive. Driven by innovation, our award-winning security features the world's first ML-Powered NGFW and empowers you to stay ahead.

Product Details

Vendor URL: Palo Alto Firewall

Product Type: Firewall

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Palo Alto Firewall - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog (CSV)

Expected Normalization Rate: 90-100%

Data Label: PAN_FIREWALL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
application security_result.about.application
bytesReceived network.received_bytes
bytesSent network.sent_bytes
category,threatCategory security_result.description
clientHostname network.dhcp.client_hostname
clientHostname principal.hostname
clientMac principal.mac
destinationZone target.cloud.availability_zone
deviceName,serverHostname intermediary.hostname
deviceName,tgthost target.hostname
domain,userdomain principal.administrative_domain
dstAddress target.ip
dstCountry target.location.country_or_region
dstPort target.port
GlobalProtect security_result.about.labels
httpMethod network.http.method
natDstAddress target.nat_ip
natDstPort target.nat_port
natSrcAddress principal.nat_ip
natSrcPort principal.nat_port
param,tgthost target.url
protocol network.ip_protocol
ruleName security_result.rule_name
serverHostname network.dhcp.sname
sourceZone principal.cloud.availability_zone
srcAddress principal.ip
srcCountry principal.location.country_or_region
srcPort principal.port
srcUserName principal.user.userid
srcUserName,userbysource target.user.email_addresses
subtype,type metadata.product_event_type
summary,threatContentName security_result.summary
urlFile target.file.full_path
userAgent network.http.user_agent
userbysource target.user.userid
verdict security_result.about.labels[verdict]
yiaddr network.dhcp.ciaddr

Product Event Types

type,subtype                                     severity   UDM Event Classification   alerting enabled
dhcp                                                        NETWORK_DHCP
GLOBAL_PROTECT, TRAFFIC, THREAT                             NETWORK_CONNECTION
logout                                                      USER_LOGOUT
SYSTEM                                                      GENERIC_EVENT
USERID                                                      USER_LOGIN
wildfire-virus, wildfire, virus, vulnerability                                         TRUE
                                                 critical                              TRUE

Log Sample

<14>Nov 11 15:09:01 sysloghost 1,2021/11/11 15:09:01,ffffffffffff,THREAT,url,2305,2021/11/11 15:09:01,10.10.5.5,10.4.2.60,10.0.22.16,10.4.2.60,outbound,domain\username,,web-browsing,vsys1,trust,untrust,ae1.1000,ethernet1/1,domain Logs,2021/11/11 15:09:01,4072537,1,64051,443,16392,443,0x140b000,tcp,alert,"site",(9999),low-risk,informational,client-to-server,uid,0xa000000000000000,10.0.0.0-10.255.255.255,United States,0,,0,,,1,,,,,,,,0,130,0,0,0,,sysloghostname,,,,get,0,,0,2021/11/11 15:03:15,N/A,unknown,AppThreat-0-0,0x0,0,random,,"business-and-economy,low-risk",01-ffffffffffff,

Sample Parsing

metadata.event_timestamp = "2021-11-11T15:09:01Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Palo Alto Networks"
metadata.product_name = "NGFW"
metadata.product_event_type = "THREAT - url"
metadata.ingested_timestamp = "2021-11-11T21:09:21.499744Z"
principal.hostname = "host"
principal.user.userid = "username"
principal.ip = "10.10.5.5"
principal.port = 64051
principal.mac = "ff:ff:ff:ff:ff:ff"
principal.administrative_domain = "domain"
principal.nat_ip = "10.0.22.16"
principal.nat_port = 16392
principal.cloud.availability_zone = "trust"
principal.asset.hostname = "host"
principal.asset.ip = "10.10.5.5"
principal.asset.mac = "ff:ff:ff:ff:ff:ff"
target.hostname = "hostname"
target.ip = "10.4.2.60"
target.port = 443
target.url = "site"
target.file.full_path = "site"
target.location.country_or_region = "United States"
target.cloud.availability_zone = "untrust"
target.asset.ip = "10.4.2.60"
intermediary.hostname = "sysloghostname"
security_result.about.application = "web-browsing"
security_result.rule_name = "outbound"
security_result.summary = "(9999)"
security_result.description = "low-risk - AppThreat-0-0"
security_result.action = "ALLOW"
security_result.severity = "LOW"
network.ip_protocol = "TCP"
network.http.method = "GET"
network.http.user_agent = "1"

Parser Alerting

Alerting criteria are listed in the Product Event Types table above. An override in this parser sets all parser-based alerts to LOW severity.
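The mapping shown in Sample Parsing and the rules in Parser Alerting, as an added example written for this page rather than the Cyderes/Chronicle parser: Python that splits off the syslog header, CSV-parses the PAN-OS body, flattens the fields into the dotted UDM names from the table above, and applies the alerting criteria together with the LOW-severity override. The 0-based column positions in THREAT_COLUMNS, the UTC assumption on the firewall timestamp, and the action and severity lookup tables are my assumptions taken from the PAN-OS THREAT log column order, not from the page; the page's own Sample Parsing output was produced by the Cyderes parser and differs in a few fields (for example network.http.user_agent and security_result.description), so read this as an illustration of the mapping, not a reimplementation.

```python
"""Added example, not the Cyderes/Chronicle parser: parse one PAN-OS THREAT syslog
line into the flat UDM-style fields from the table above and apply the page's alerting
rules. Column positions are an assumption taken from the PAN-OS THREAT log order."""
import csv
import re
from io import StringIO

# Constructed input: the page's Log Sample, split across literals for width.
SAMPLE_LOG = (
    "<14>Nov 11 15:09:01 sysloghost 1,2021/11/11 15:09:01,ffffffffffff,THREAT,url,2305,"
    "2021/11/11 15:09:01,10.10.5.5,10.4.2.60,10.0.22.16,10.4.2.60,outbound,domain\\username,,"
    "web-browsing,vsys1,trust,untrust,ae1.1000,ethernet1/1,domain Logs,2021/11/11 15:09:01,"
    '4072537,1,64051,443,16392,443,0x140b000,tcp,alert,"site",(9999),low-risk,informational,'
    "client-to-server,uid,0xa000000000000000,10.0.0.0-10.255.255.255,United States,0,,0,,,1,"
    ",,,,,,,0,130,0,0,0,,sysloghostname,,,,get,0,,0,2021/11/11 15:03:15,N/A,unknown,"
    'AppThreat-0-0,0x0,0,random,,"business-and-economy,low-risk",01-ffffffffffff,'
)
SYSLOG_HEADER = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
# Assumed 0-based CSV column -> field name (names follow the page's UDM field table).
THREAT_COLUMNS = {
    2: "serial", 3: "type", 4: "subtype", 6: "generatedTime", 7: "srcAddress",
    8: "dstAddress", 9: "natSrcAddress", 10: "natDstAddress", 11: "ruleName",
    12: "srcUserName", 14: "application", 16: "sourceZone", 17: "destinationZone",
    24: "srcPort", 25: "dstPort", 26: "natSrcPort", 27: "natDstPort", 29: "protocol",
    30: "action", 31: "urlFile", 32: "threatContentName", 33: "category", 34: "severity",
    38: "srcCountry", 39: "dstCountry", 46: "userAgent", 59: "deviceName",
    63: "httpMethod", 69: "threatCategory",
}
SUBTYPE_EVENT = {"dhcp": "NETWORK_DHCP", "logout": "USER_LOGOUT"}
TYPE_EVENT = {"GLOBAL_PROTECT": "NETWORK_CONNECTION", "TRAFFIC": "NETWORK_CONNECTION",
              "THREAT": "NETWORK_CONNECTION", "SYSTEM": "GENERIC_EVENT", "USERID": "USER_LOGIN"}
SEVERITY = {"informational": "LOW", "low": "LOW", "medium": "MEDIUM", "high": "HIGH",
            "critical": "CRITICAL"}  # assumed PAN-OS severity -> UDM severity
ACTION = {"allow": "ALLOW", "alert": "ALLOW", "deny": "BLOCK", "drop": "BLOCK"}  # assumed
ALERT_SUBTYPES = {"wildfire-virus", "wildfire", "virus", "vulnerability"}

def parse_syslog_line(line):
    """Strip the syslog header, then CSV-parse the body so quoted fields stay intact."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a PAN-OS syslog line")
    columns = next(csv.reader(StringIO(m.group(4))))
    return {name: columns[i] for i, name in THREAT_COLUMNS.items() if i < len(columns)}

def classify(log_type, subtype):
    """UDM event classification from the Product Event Types table."""
    return SUBTYPE_EVENT.get(subtype) or TYPE_EVENT.get(log_type, "GENERIC_EVENT")

def _timestamp(pan_time):
    # Assumes the firewall clock is UTC: "2021/11/11 15:09:01" -> "2021-11-11T15:09:01Z".
    return pan_time.replace("/", "-").replace(" ", "T") + "Z"

def _mac(serial):
    # The page's sample renders the 12-hex-digit serial as a colon-separated MAC.
    return ":".join(serial[i:i + 2] for i in range(0, 12, 2)) if len(serial) == 12 else serial

def to_udm(f):
    """Flatten parsed fields into the dotted UDM names from the page's table."""
    domain, _, user = f["srcUserName"].rpartition("\\")  # "domain\\user" -> (domain, user)
    udm = {
        "metadata.event_timestamp": _timestamp(f["generatedTime"]),
        "metadata.event_type": classify(f["type"], f["subtype"]),
        "metadata.product_event_type": f"{f['type']} - {f['subtype']}",
        "principal.ip": f["srcAddress"], "principal.port": int(f["srcPort"]),
        "principal.nat_ip": f["natSrcAddress"], "principal.nat_port": int(f["natSrcPort"]),
        "principal.mac": _mac(f["serial"]), "principal.user.userid": user,
        "principal.administrative_domain": domain,
        "principal.cloud.availability_zone": f["sourceZone"],
        "target.ip": f["dstAddress"], "target.port": int(f["dstPort"]),
        "target.cloud.availability_zone": f["destinationZone"],
        "target.location.country_or_region": f["dstCountry"],
        "target.url": f["urlFile"], "target.file.full_path": f["urlFile"],
        "intermediary.hostname": f["deviceName"],
        "security_result.about.application": f["application"],
        "security_result.rule_name": f["ruleName"],
        "security_result.summary": f["threatContentName"],
        "security_result.description": f"{f['category']} - {f['threatCategory']}",
        "security_result.action": ACTION.get(f["action"], "UNKNOWN_ACTION"),
        "security_result.severity": SEVERITY.get(f["severity"], "UNKNOWN_SEVERITY"),
        "network.ip_protocol": f["protocol"].upper(),
        "network.http.method": f["httpMethod"].upper(),
    }
    if f.get("userAgent"):  # emit the field only when the column is non-empty
        udm["network.http.user_agent"] = f["userAgent"]
    return udm

def alert_for(f):
    """Alert on the listed subtypes or on critical severity; the page's parser
    override then forces every parser-based alert to LOW severity."""
    if f["subtype"] in ALERT_SUBTYPES or f["severity"] == "critical":
        return {"alerting": True, "severity": "LOW"}
    return {"alerting": False, "severity": None}

if __name__ == "__main__":
    parsed = parse_syslog_line(SAMPLE_LOG)
    for key, value in to_udm(parsed).items():
        print(f"{key} = {value!r}")
    print(alert_for(parsed))
```

Run it as a script to print the UDM fields for the page's sample line. Parsing the body with the csv module rather than str.split matters for this format: the URL category list ("business-and-economy,low-risk" in the sample), and any URL or filename containing a comma, is a quoted field, and a naive split on commas shifts every column after it, which silently puts the wrong values into downstream UDM fields.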