
...

Technology | Brand    | Type
-----------|----------|--------------------------------------------------------------------
firewall   | paloalto | config, system, threat, traffic, correlation, hipmatch, url, userid

Subtype

The tag levels below are only used with firewall.paloalto.config.

This level indicates the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level tells the parser which field order to expect. The possible values are:

  • v1 - This is the default value, also used if no value is set at this level. In this case, the parser uses the default field order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).

  • v2 - Used to indicate that the fields beforechangedetail and afterchangedetail are not part of the event and must be ignored and initialized with null.

  • v3 - Used to indicate that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.

The tag level below is only used with

  • firewall.paloalto.traffic

  • firewall.paloalto.system

  • firewall.paloalto.url

  • firewall.paloalto.threat

These tables allow sending events in LEEF format instead of the default CSV format. To indicate this, all such logs must carry an additional tag level (leef) at the end. Threat logs can also be sent in JSON format by using the tag level json at the end.

CSV format tags are:

  • firewall.paloalto.traffic

  • firewall.paloalto.system

  • firewall.paloalto.threat

  • firewall.paloalto.url

...

Tag                                   | Data table                       | Note
--------------------------------------|----------------------------------|------------------------------
firewall.paloalto.all                 | firewall.paloalto.all            | Union table (see note below)
firewall.paloalto.auth                | firewall.paloalto.auth           |
firewall.paloalto.auth.leef           |                                  |
firewall.paloalto.auth.json           |                                  |
firewall.paloalto.config.json         | firewall.paloalto.config         |
firewall.paloalto.config.leef         |                                  |
firewall.paloalto.config.v2           |                                  |
firewall.paloalto.config.v3           |                                  |
firewall.paloalto.correlation         | firewall.paloalto.correlation    |
firewall.paloalto.decryption          | firewall.paloalto.decryption     |
firewall.paloalto.globalprotect       | firewall.paloalto.globalprotect  |
firewall.paloalto.globalprotect.leef  |                                  |
firewall.paloalto.hipmatch            | firewall.paloalto.hipmatch       |
firewall.paloalto.iptag               | firewall.paloalto.iptag          |
firewall.paloalto.system              | firewall.paloalto.system         |
firewall.paloalto.system.json         |                                  |
firewall.paloalto.system.leef         |                                  |
firewall.paloalto.threat              | firewall.paloalto.threat         |
firewall.paloalto.threat.json         |                                  |
firewall.paloalto.threat.leef         |                                  |
firewall.paloalto.traffic             | firewall.paloalto.traffic        |
firewall.paloalto.traffic.json        |                                  |
firewall.paloalto.traffic.leef        |                                  |
firewall.paloalto.url                 | firewall.paloalto.url            |
firewall.paloalto.url.json            |                                  |
firewall.paloalto.url.leef            |                                  |
firewall.paloalto.userid              | firewall.paloalto.userid         |
firewall.paloalto.userid.leef         |                                  |

Note - Union table firewall.paloalto.all: this is a union table that collects events from a set of tables for easy access and analysis. Learn more about union tables in this article.

For more information, read more about Devo tags.
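As an added example (not Devo's or Palo Alto Networks' own code), the rules from the tag table above and the config parser versions described earlier, expressed as two helpers: resolve_tag maps a tag to the data table it feeds, its format and, for config, its parser version; parse_config_tail applies the version-dependent field order. The names SUBTYPES, CONFIG_ORDER, resolve_tag, is_valid_tag and parse_config_tail are assumptions, and parse_config_tail assumes it is handed only the four version-dependent fields, since the page states only their relative order.

```python
from typing import Dict, List, Optional

# Levels allowed after firewall.paloalto.<type>, from the tag table on this page.
SUBTYPES = {
    "all": (), "auth": ("leef", "json"), "config": ("json", "leef", "v2", "v3"),
    "correlation": (), "decryption": (), "globalprotect": ("leef",),
    "hipmatch": (), "iptag": (), "system": ("json", "leef"),
    "threat": ("json", "leef"), "traffic": ("json", "leef"),
    "url": ("json", "leef"), "userid": ("leef",),
}
# Order of the version-dependent config fields, per parser version (assumed layout).
CONFIG_ORDER = {
    "v1": ("seqno", "actionflags", "beforechangedetail", "afterchangedetail"),
    "v2": ("seqno", "actionflags"),  # before/after absent: initialised with null
    "v3": ("beforechangedetail", "afterchangedetail", "seqno", "actionflags"),
}

def resolve_tag(tag: str) -> Dict[str, Optional[str]]:
    """Return the data table a tag feeds, its format (csv/leef/json) and, for
    config, the parser version (v1 when no level is set). Unlisted tags raise."""
    parts = tag.split(".")
    if len(parts) not in (3, 4) or parts[:2] != ["firewall", "paloalto"]:
        raise ValueError(f"not a firewall.paloalto tag: {tag}")
    type_, level = parts[2], (parts[3] if len(parts) == 4 else None)
    if type_ not in SUBTYPES or (level and level not in SUBTYPES[type_]):
        raise ValueError(f"tag not listed in the tag table: {tag}")
    version = (level if level in CONFIG_ORDER else "v1") if type_ == "config" else None
    return {"table": f"firewall.paloalto.{type_}",
            "format": level if level in ("leef", "json") else "csv",
            "version": version}

def is_valid_tag(tag: str) -> bool:
    try:
        return bool(resolve_tag(tag))
    except ValueError:
        return False

def parse_config_tail(tail: List[str], version: str = "v1") -> Dict[str, Optional[str]]:
    """Map the version-dependent config fields. `tail` is assumed to hold just
    those fields, in the order the firewall emitted them."""
    if version not in CONFIG_ORDER:
        raise ValueError(f"unknown parser version: {version}")
    order = CONFIG_ORDER[version]
    if len(tail) != len(order):
        raise ValueError(f"{version} expects {len(order)} fields, got {len(tail)}")
    event = dict.fromkeys(CONFIG_ORDER["v1"])  # all four keys present, null when absent
    event.update(zip(order, tail))
    return event
```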

How is the data sent to Devo?

Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.

...