...
Introduction
The tags beginning with casb.paloaltoidentify events generated by Paloalto.
Valid tags and data tables
The full tag must have 4 at least 3 levels. The first two are fixed ascasb.paloalto. The third level identifies the type of events sent.
...
Technology
...
Brand
...
Type
...
Subtype
...
casb
...
paloalto
...
...
activity_monitoring
admin_audit
incident
invalid
other
policy_violation
prismaBasic
remediation
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
Tag
...
The fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|
Paloalto Prisma Cloud | casb.paloalto.prisma
| casb.paloalto.prisma
|
casb.paloalto.prisma.activity_monitoring
| casb.paloalto.prisma.activity_monitoring
|
casb.paloalto.prisma.admin_audit
| casb.paloalto.prisma.admin_audit
|
casb.paloalto.prisma.incident
| casb.paloalto.prisma.incident
|
casb.paloalto.prisma.invalid
| casb.paloalto.prisma.invalid
|
casb.paloalto.prisma.other
| casb.paloalto.prisma.other
|
casb.paloalto.prisma.policy_violation
| casb.paloalto.prisma.policy_violation
|
casb.paloalto.prisma.remediation
| casb.paloalto.prisma.remediation
|
For more information, read more About Devo tags.
Table structure
These are the fields displayed in these tables:
...
...
...
casb.paloalto.prisma.incident
...
casb.paloalto.prisma.invalid
...
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | item_type | str
| | item_name | str
| | user | str
| | source_ip | str
| | location | str
| | action | str
| | target_name | str
| | target_type | str
| | severity | float8
| | serial | str
| | cloud_app_instance | str
| | timestamp | timestamp
| | admin_id | str
| | admin_role | str
| | ip | str
| | event_type | str
| | field | str
| | resource_value_old | str
| | resource_value_new | str
| | asset_id | str
| | item_owner | str
| | container_name | str
| | item_creator | str
| | exposure | str
| | occurrences_by_rule | int4
| | incident_id | str
| | policy_rule_name | str
| | incident_category | str
| | incident_owner | str
| | item_owner_email | str
| | item_creator_email | str
| | action_taken | str
| | action_taken_by | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | item_type | str
| | item_name | str
| | user | str
| | source_ip | str
| | location | str
| | action | str
| | target_name | str
| | target_type | str
| | severity | float8
| | serial | str
| | cloud_app_instance | str
| | timestamp | timestamp
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | admin_id | str
| | admin_role | str
| | ip | str
| | event_type | str
| | item_type | str
| | item_name | str
| | field | str
| | action | str
| | resource_value_old | str
| | resource_value_new | str
| | timestamp | timestamp
| | serial | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | item_type | str
| | item_name | str
| | item_unique_id | str
| | asset_id | str
| | item_owner | str
| | container_name | str
| | item_creator | str
| | exposure | str
| | occurrences_by_rule | int8
| | severity | float8
| | serial | str
| | cloud_app_instance | str
| | timestamp | timestamp
| | asset_create_time | timestamp
| | asset_create_time_str | str
| | incident_id | str
| | policy_rule_name | str
| | incident_category | str
| | incident_owner | str
| | item_owner_email | str
| | item_creator_email | str
| | collaborators | str
| | datetime_edited | str
| | item_cloud_url | str
| | item_owner_group | str
| | item_sha256 | str
| | item_size | int4
| | item_verdict | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
|
...
...
...
invalidField | Type | Extra fields |
|---|
eventdate | timestamp
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
|
...
otherField | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | timestamp | timestamp
| | item_type | str
| | item_name | str
| | serial | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
|
...
.policy_violationField | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | severity | float8
| | item_type | str
| | item_name | str
| | item_owner | str
| | item_creator | str
| | action_taken | str
| | action_taken_by | str
| | asset_id | str
| | serial | str
| | cloud_app_instance | str
| | timestamp | timestamp
| | policy_rule_name | str
| | incident_id | str
| | item_owner_email | str
| | item_creator_email | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
|
...
Field | Type | Extra fields |
|---|
eventdate | timestamp
| | log_type | str
| | item_type | str
| | item_name | str
| | asset_id | str
| | item_owner | str
| | item_creator | str
| | container_name | str
| | action_taken | str
| | action_taken_by | str
| | serial | str
| | cloud_app_instance | str
| | timestamp | timestamp
| | incident_id | str
| | policy_rule_name | str
| | item_owner_email | str
| | item_creator_email | str
| | message | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
|
