Introduction
The tags that begin with firewall.paloalto identify events generated by Palo Alto Networks firewalls.
...
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and is set dynamically by the rule you define in the Devo Relay. A fourth level is used only in some specific cases.
Technology | Brand | Type | Subtype
---|---|---|---
firewall | paloalto | The event's log type, set dynamically by the Devo Relay rule (this page documents system, threat, traffic and config) | Used only in the specific cases described below

The tag levels below are only used with firewall.paloalto.config. They indicate the parser version: depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level tells Devo which parser version to apply. The possible values are:
The tag level below is only used with
These tables also accept events in LEEF format instead of the default CSV format. To indicate this, every log must carry an additional tag level (leef). Threat logs can also be sent in JSON format by adding the tag level JSON at the end. CSV format tags are:
These are the valid tags and the data tables that receive the parsed data:
Tag | Data table
---|---
firewall.paloalto.system | firewall.paloalto.system
firewall.paloalto.threat | firewall.paloalto.threat
firewall.paloalto.traffic | firewall.paloalto.traffic

LEEF events use the same tags with the additional .leef level described above (for example firewall.paloalto.traffic.leef).
For more information, see the article about Devo tags.
How is the data sent to Devo?
Since the source system has no way to apply the Devo tag itself, the events must be forwarded to a Devo Relay, which identifies and tags them and then forwards them securely to the Devo Cloud.
...
If you want to send your Palo Alto firewall events to a Devo Relay that exists in a different network, see the article about sending events to the Devo Relay using SSL.
Table structure
These are the fields displayed in these tables:
firewall.paloalto.system
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
timestamp | | |
recvdate | | |
serial | | |
subType | | |
vsys | | |
eventId | | |
object | | |
future_use_4 | | |
future_use_5 | | |
module | | |
severity | | |
description | | opaque |
client_ip | | |
user_name | | |
seqno | | |
actionflags | | |
dev_group_hierarchy_1 | | |
dev_group_hierarchy_2 | | |
dev_group_hierarchy_3 | | |
dev_group_hierarchy_4 | | |
virtual_sys_name | | |
device_name | | |
high_res_timestamp | | |
auth_username | | |
auth_srcIp | | |
auth_status | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓
firewall.paloalto.threat
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
timestamp | | createdate |
recvdate | | |
serial | | |
subType | | |
vendor | | |
product | | |
version | | |
event_id | | |
delimiter | | |
srcIp | | |
dstIp | | |
srcNatIp | | srcXIp |
dstNatIp | | dstXIp |
srcIp_str | | |
rule | | |
srcUser | | |
dstUser | | |
app | | |
virtSys | | |
srcZone | | |
dstZone | | |
srcIface | | |
dstIface | | |
logForwardingProfile | | |
logAction | | |
session | | |
repCnt | | |
srcPort | | |
dstPort | | |
srcNatPort | | srcXPort |
dstNatPort | | dstXPort |
flags | | |
proto | | |
action | | |
url_filename | | misc |
threatid | | |
category | | |
severity | | |
sevNum | | |
direction | | |
seqno | | |
actionflags | | |
srcloc | | |
dstloc | | |
cpadding | | |
contenttype | | |
pcap_id | | |
src_category | | |
dst_category | | |
threatname | | |
pcapId | | pcadId |
fileDigest | | |
cloud | | |
urlIdx | | |
userAgent | | |
fileType | | |
xff | | |
referer | | |
sender | | |
subject | | |
recipient | | |
reportid | | |
dgHierLevel1 | | |
dgHierLevel2 | | |
dgHierLevel3 | | |
dgHierLevel4 | | |
vsysName | | |
deviceName | | |
srcVMuuid | | |
dstVMuuid | | |
httpMethod | | |
tunnelIDimsi | | |
monitorTagIMEI | | |
parentSessID | | |
parentStartTime | | |
tunnel | | |
thrCategory | | |
contentver | | |
sctpAssociationID | | |
payloadProtocolID | | |
httpHeaders | | |
url | | |
urlCategory | | |
urlCategoryList | | |
uuidForRule | | |
http2Connection | | |
dynusergroup_name | | |
xff_ip | | |
src_profile | | |
src_model | | |
src_vendor | | |
src_osfamily | | |
src_osversion | | |
src_host | | |
src_mac | | |
dst_profile | | |
dst_model | | |
dst_vendor | | |
dst_osfamily | | |
dst_osversion | | |
dst_host | | |
dst_mac | | |
container_id | | |
pod_namespace | | |
src_edl | | |
dst_edl | | |
hostid | | |
serialnumber | | |
domain_edl | | |
src_dag | | |
dst_dag | | |
partial_hash | | |
high_res_timestamp | | |
nsdsai_sst | | |
log_type | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓
firewall.paloalto.traffic
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
timestamp | | createdate |
recvdate | | |
serial | | |
subType | | |
srcIp | | |
dstIp | | |
srcNatIp | | srcXIp |
dstNatIp | | dstXIp |
srcIp_str | | |
dstIp_str | | |
rule | | |
srcUser | | |
dstUser | | |
app | | |
virtSys | | |
srcZone | | |
dstZone | | |
srcIface | | |
dstIface | | |
logAction | | |
session | | |
repCnt | | |
srcPort | | |
dstPort | | |
srcNatPort | | srcXPort |
dstNatPort | | dstXPort |
flags | | |
proto | | |
action | | |
bytes | | |
sentBytes | | |
recvBytes | | |
pkts | | |
startdate | | |
elapsedTime | | |
category | | |
padding | | |
seqno | | |
actionFlags | | |
srcCountry | | |
dstCountry | | |
cpadding | | |
sentPkts | | |
recvPkts | | |
session_end_reason | | |
dg_hier_level_1 | | |
dg_hier_level_2 | | |
dg_hier_level_3 | | |
dg_hier_level_4 | | |
vsys_name | | |
device_name | | |
action_source | | |
srcVMuuid | | |
dstVMuuid | | |
tunnelIDimsi | | |
monitorTagIMEI | | |
parentSessID | | |
parentStartTime | | |
tunnel | | |
sctpAssociationID | | |
sctpChunks | | |
sctpChunksSent | | |
sctpChunksReceived | | |
uuidForRule | | |
http2Connection | | |
link_change_count | | |
policy_id | | |
link_switches | | |
sdwan_cluster | | |
sdwan_device_type | | |
sdwan_cluster_type | | |
sdwan_site | | |
dynusergroup_name | | |
xff_ip | | |
src_category | | |
src_profile | | |
src_model | | |
src_vendor | | |
src_osfamily | | |
src_osversion | | |
src_host | | |
src_mac | | |
dst_category | | |
dst_profile | | |
dst_model | | |
dst_vendor | | |
dst_osfamily | | |
dst_osversion | | |
dst_host | | |
dst_mac | | |
container_id | | |
pod_namespace | | |
pod_name | | |
src_edl | | |
dst_edl | | |
hostid | | |
serialnumber | | |
src_dag | | |
dst_dag | | |
session_owner | | |
high_res_timestamp | | |
nsdsai_sst | | |
nsdsai_sd | | |
app_category | | |
app_subcategory | | |
app_technology | | |
app_risk | | |
devTimeFormat | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓
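The relay rule described under "How is the data sent to Devo?" has to read the log type out of each raw Palo Alto line and build the third tag level from it, and the field tables above list what the parser then extracts from the CSV columns. The Python below is an added example, not Devo's relay or parser code: it emulates that classification on constructed sample syslog lines and maps the CSV columns onto a subset of the firewall.paloalto.traffic and firewall.paloalto.threat field names listed above. The syslog header layout and the column positions are assumptions taken from the PAN-OS CSV log format; the order changes between PAN-OS versions (the same field-order problem the config parser-version tag level exists for), so verify them against the firewall version you run before relying on them.

```python
"""Added example (not Devo's own relay or parser code): derive the
firewall.paloalto.<type> tag from raw Palo Alto syslog lines and map CSV
columns onto documented firewall.paloalto.traffic / .threat field names."""
import csv
import re
from typing import Dict, List, Optional, Tuple

# Assumed BSD syslog header PAN-OS prepends ("<PRI>Mon DD HH:MM:SS host ")
# before the CSV body; a line without it is treated as a bare CSV body.
_SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?P<body>.*)$"
)

# Assumed 0-based column positions from the PAN-OS CSV log format, keyed by
# the Devo field names documented above. Check them against your PAN-OS
# version: the order differs between releases.
HEADER_FIELDS = {"recvdate": 1, "serial": 2, "subType": 4, "timestamp": 6}
SESSION_FIELDS = {  # shared by traffic and threat logs
    "srcIp": 7, "dstIp": 8, "srcNatIp": 9, "dstNatIp": 10, "rule": 11,
    "srcUser": 12, "dstUser": 13, "app": 14, "virtSys": 15, "srcZone": 16,
    "dstZone": 17, "srcIface": 18, "dstIface": 19, "logAction": 20,
    "session": 22, "repCnt": 23, "srcPort": 24, "dstPort": 25,
    "srcNatPort": 26, "dstNatPort": 27, "flags": 28, "proto": 29, "action": 30,
}
TYPE_FIELDS = {
    "traffic": {"bytes": 31, "sentBytes": 32, "recvBytes": 33, "pkts": 34,
                "startdate": 35, "elapsedTime": 36, "category": 37, "seqno": 39,
                "actionFlags": 40, "srcCountry": 41, "dstCountry": 42,
                "sentPkts": 44, "recvPkts": 45, "session_end_reason": 46},
    "threat": {"url_filename": 31, "threatid": 32, "category": 33,
               "severity": 34, "direction": 35, "seqno": 36, "actionflags": 37,
               "srcloc": 38, "dstloc": 39},
}

# Constructed sample events (not captured from a real firewall): a traffic end,
# a threat/url whose quoted URL contains a comma, a system event, and a
# non-CSV line that must not be tagged as firewall.paloalto.*.
SAMPLE_EVENTS = [
    '<14>Mar  1 10:15:22 fw01 1,2023/03/01 10:15:22,001234567890,TRAFFIC,end,2049,'
    '2023/03/01 10:15:22,10.1.1.20,93.184.216.34,203.0.113.5,93.184.216.34,allow-web,'
    'corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,'
    '2023/03/01 10:15:22,12345,1,51234,443,17654,443,0x400000,tcp,allow,5432,1234,4198,'
    '18,2023/03/01 10:14:53,29,any,0,6789012345,0x0,10.0.0.0-10.255.255.255,US,0,9,9,'
    'tcp-fin,0,0,0,0,vsys1,fw01,from-policy',
    '<14>Mar  1 10:16:02 fw01 1,2023/03/01 10:16:02,001234567890,THREAT,url,2049,'
    '2023/03/01 10:16:02,10.1.1.20,198.51.100.7,203.0.113.5,198.51.100.7,allow-web,'
    'corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,'
    '2023/03/01 10:16:02,12346,1,51235,80,17655,80,0x40,tcp,block-url,'
    '"example.test/download?id=1,2",(9999),malware,informational,client-to-server,'
    '6789012346,0x0,10.0.0.0-10.255.255.255,US,0,text/html',
    '<14>Mar  1 10:17:00 fw01 1,2023/03/01 10:17:00,001234567890,SYSTEM,general,0,'
    '2023/03/01 10:17:00,,general,,0,0,general,informational,'
    '"User admin logged in via Web from 10.1.1.5 using https",7,0x0',
    '<13>Mar  1 10:17:30 fw01 run_ntp: clock synchronised',
]


def syslog_body(line: str) -> str:
    """Strip the syslog header and return the CSV body the relay rule inspects."""
    m = _SYSLOG_HEADER.match(line)
    return m.group("body") if m else line


def csv_fields(body: str) -> List[str]:
    """Split as CSV so quoted values (URLs, file names) keep their commas."""
    return next(csv.reader([body]))


def devo_tag(fields: List[str]) -> Optional[str]:
    """Third tag level = PAN-OS 'Type' column (4th CSV field), lower-cased.
    Rows without it get no tag: routing them aside beats mis-tagging them."""
    if len(fields) <= 4 or not fields[3].strip():
        return None
    return "firewall.paloalto." + fields[3].strip().lower()


def to_record(tag: str, fields: List[str]) -> Dict[str, str]:
    """Map CSV columns onto the documented Devo field names for this tag."""
    log_type = tag.rsplit(".", 1)[-1]
    positions = dict(HEADER_FIELDS)
    if log_type in TYPE_FIELDS:  # only traffic/threat share the session layout
        positions.update(SESSION_FIELDS)
        positions.update(TYPE_FIELDS[log_type])
    return {name: fields[i] for name, i in positions.items() if i < len(fields)}


def process(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Tag every parseable line; untaggable lines are skipped, never guessed."""
    out = []
    for line in lines:
        fields = csv_fields(syslog_body(line))
        tag = devo_tag(fields)
        if tag is not None:
            out.append((tag, to_record(tag, fields)))
    return out


if __name__ == "__main__":
    for tag, rec in process(SAMPLE_EVENTS):
        print(tag, rec.get("srcIp", "-"), rec.get("action", rec.get("subType")))
```

Two details matter in practice: a line whose fourth CSV column is empty or missing gets no tag, so a relay built this way drops or quarantines it rather than sending it to the wrong table; and splitting with the csv module instead of split(",") keeps a quoted threat URL that contains a comma in one url_filename value, which is what the misc source field expects.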