...
| Technology | Brand | Type | Subtype |
|---|---|---|---|
| firewall | paloalto | config<br>system<br>threat<br>traffic<br>correlation<br>hipmatch<br>url<br>userid | `v1`, `v2`, `v3` (only with `firewall.paloalto.config`); `leef`, `json` (see the notes below) |

The tag levels below are only used with `firewall.paloalto.config`. They indicate the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level tells the parser which field order to expect. The possible values are:

- `v1`: the default value, also used if no value is set at this level. The parser uses the default field order (fields affected: `seqno`, `actionflags`, `beforechangedetail` and `afterchangedetail`).
- `v2`: indicates that the fields `beforechangedetail` and `afterchangedetail` are not part of the event; they must be ignored and initialized with null.
- `v3`: indicates that the fields `beforechangedetail` and `afterchangedetail` come before the `seqno` and `actionflags` fields.

The tag level below is only used with
These tables allow sending events in LEEF format instead of the default CSV format. To indicate this, all logs must have an additional tag level (`leef`). Threats can also have logs in JSON format using the tag level `json` at the end. CSV format tags are:
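The version levels above change which trailing fields a config event carries and in what order. The following is an added example (not code from the Devo documentation or parser) that resolves the parser version from a tag and names those fields accordingly; it assumes the event is already split into CSV fields and that `tail` holds only the version-dependent fields in emitted order, and it does not interpret the `leef`/`json` format levels.

```python
"""Pick the config-log field layout from the parser-version level of a Devo tag.

Assumptions (not stated on the page): `tail` contains only the fields whose
order depends on the version level, in the order the firewall emitted them.
"""

# Field order implied by each parser version, as described for
# firewall.paloalto.config.v1 / v2 / v3.
VERSION_LAYOUT = {
    "v1": ("seqno", "actionflags", "beforechangedetail", "afterchangedetail"),
    "v2": ("seqno", "actionflags"),  # change-detail fields are absent
    "v3": ("beforechangedetail", "afterchangedetail", "seqno", "actionflags"),
}
CONFIG_PREFIX = ("firewall", "paloalto", "config")


def parser_version(tag: str) -> str:
    """Return v1/v2/v3 from the tag; v1 when no version level is present."""
    levels = tag.split(".")
    if tuple(levels[:3]) != CONFIG_PREFIX:
        raise ValueError(f"version levels only apply to firewall.paloalto.config: {tag}")
    versions = [lvl for lvl in levels[3:] if lvl in VERSION_LAYOUT]
    if len(versions) > 1:
        raise ValueError(f"conflicting version levels in tag: {tag}")
    return versions[0] if versions else "v1"


def map_config_fields(tag: str, tail: list) -> dict:
    """Name the version-dependent fields; v2 yields null change details."""
    layout = VERSION_LAYOUT[parser_version(tag)]
    if len(tail) != len(layout):
        raise ValueError(f"expected {len(layout)} fields for {tag}, got {len(tail)}")
    # Start with nulls so v2 events still expose both change-detail keys.
    record = {"beforechangedetail": None, "afterchangedetail": None}
    record.update(zip(layout, tail))
    return record


if __name__ == "__main__":
    # Constructed sample tails (not real firewall output).
    print(map_config_fields("firewall.paloalto.config", ["42", "0x0", "before", "after"]))
    print(map_config_fields("firewall.paloalto.config.v2", ["42", "0x0"]))
    print(map_config_fields("firewall.paloalto.config.v3", ["before", "after", "42", "0x0"]))
```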
...
| Tag | Data table | Note |
|---|---|---|
| firewall.paloalto.all | firewall.paloalto.all | Union table - firewall.paloalto.all. This is a union table that collects events from a set of tables for easy access and analysis. Learn more about these union tables in this article. |
| firewall.paloalto.auth | firewall.paloalto.auth | |
| firewall.paloalto.config.json<br>firewall.paloalto.config.leef<br>firewall.paloalto.config.v2<br>firewall.paloalto.config.v3 | firewall.paloalto.config | |
| firewall.paloalto.correlation | firewall.paloalto.correlation | |
| firewall.paloalto.decryption | firewall.paloalto.decryption | |
| firewall.paloalto.globalprotect | firewall.paloalto.globalprotect | |
| firewall.paloalto.hipmatch | firewall.paloalto.hipmatch | |
| firewall.paloalto.iptag | firewall.paloalto.iptag | |
| firewall.paloalto.system | firewall.paloalto.system | |
| firewall.paloalto.threat | firewall.paloalto.threat | |
| firewall.paloalto.traffic<br>firewall.paloalto.traffic.json<br>firewall.paloalto.traffic.leef | firewall.paloalto.traffic | |
| firewall.paloalto.url | firewall.paloalto.url | |
| firewall.paloalto.userid | firewall.paloalto.userid | |
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.
...