Introduction
The tags beginning with firewall.paloalto identify events generated by Palo Alto Networks Firewall.
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and will be determined dynamically by the rule you define on the Devo Relay. The fourth element is only used in some specific cases.
Technology | Brand | Type | Subtype
---|---|---|---
firewall | paloalto | config, system, threat, traffic, correlation, hipmatch, url, userid | Used only by some types: a parser version level for config, and the leef level for traffic, system and threats (see the notes below)

The tag levels below are only used with firewall.paloalto.config. They indicate the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level tells Devo which field order the parser should expect. The possible values are:
- v1 - The default value, also used when nothing is set at this level. The parser uses the default field order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).
- v2 - Indicates that the fields beforechangedetail and afterchangedetail are not part of the event; they are ignored and initialized with null.
- v3 - Indicates that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.

The tag level below is only used with firewall.paloalto.traffic, firewall.paloalto.system and firewall.paloalto.threats. These tables allow sending events in LEEF format instead of the default CSV format. To indicate this, all logs must carry an additional tag level (leef).
Therefore, the valid tags are:
- firewall.paloalto.config
  - firewall.paloalto.config.v1
  - firewall.paloalto.config.v2
  - firewall.paloalto.config.v3
- firewall.paloalto.system
  - firewall.paloalto.system.leef
- firewall.paloalto.threat
  - firewall.paloalto.threats.leef
- firewall.paloalto.traffic
  - firewall.paloalto.traffic.leef
- firewall.paloalto.correlation
- firewall.paloalto.hipmatch
- firewall.paloalto.url
- firewall.paloalto.userid
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The rule identifies the event's type by the source port that it was received on and by whether it matches a format defined by a regular expression. When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.
Define the rule using the following values (the port number can be any free port on your relay):
Relay rule 1 - CSV events
- Source port → 13004
- Source data → ^[^,]+,[^,]+,[^,]+,([^,]+)
- Target tag → firewall.paloalto.\\D1
- Check the Sent without syslog tag and Stop processing checkboxes
Relay rule 2 - LEEF events
- Source port → 13004
- Source data → LEEF:(?:[^\|]+\|){4}([^\|]+)\|
- Target tag → firewall.paloalto.\\D1.leef
- Check the Sent without syslog tag and Stop processing checkboxes
Palo Alto Firewall configuration
In PAN-OS, you will need to create a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions.
If you want to send your Palo Alto firewall events to a Devo relay that resides in a different network, check out the article about sending events to the Devo relay using SSL.
Log samples
The following are sample logs sent to each of the firewall.paloalto tags. Below each sample log you will find how its information is parsed into your data table.
firewall.paloalto.traffic.leef
2021-03-09 11:39:49.860 localhost=127.0.0.1 firewall.paloalto.traffic.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|TRAFFIC| |TimeReceived=2021-03-09T11:23:14.000000Z DeviceSN=012001012124 EventID=TRAFFIC cat=end ConfigVersion=9.0 devTime=2021-03-09T11:23:02.000000Z src=192.168.1.195 dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203 Rule=LAN-WAN_AllowAD usrName="jumpcloud.com\\chuwong" DestinationUser= Application=ssl VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=113464 RepeatCount= srcPort=56354 dstPort=443 srcPostNATPort=27427 dstPostNATPort=443 proto=tcp Action=allow Bytes=8298 srcBytes=3489 dstBytes=4809 totalPackets=26 SessionStartTime=2021-03-09T11:22:36.000000Z SessionDuration=11 URLCategory=computer-and-internet-info SequenceNo=887767286 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US srcPackets=1 dstPackets=11 SessionEndReason=tcp-rst-from-server DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl ActionSource=from-policy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 LinkChangeCount= SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution= NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields
---|---|---|---|---
eventdate | 2021-03-09 11:39:49.860 | eventdate | |
machine | localhost | str | |
future_use_1 | null | str | | ✓
createdate | 2021-03-09 11:23:02.000 | timestamp | | ✓
timestamp | 2021-03-09 11:23:02.000 | timestamp | createdate |
recvdate | 2021-03-09 11:23:14.000 | timestamp | |
serial | 012001012124 | str | |
logType | TRAFFIC | str | | ✓
subType | end | str | |
confVer | 9.0 | str | | ✓
srcIp | 192.168.1.195 | ip4 | |
dstIp | 3.232.0.203 | ip4 | |
srcXIp | 211.24.95.14 | ip4 | | ✓
dstXIp | 3.232.0.203 | ip4 | | ✓
srcNatIp | 211.24.95.14 | ip4 | srcXIp |
dstNatIp | 3.232.0.203 | ip4 | dstXIp |
rule | LAN-WAN_AllowAD | str | |
srcUser | "jumpcloud.com\\chuwong" | str | |
dstUser | null | str | |
app | ssl | str | |
virtSys | vsys1 | str | |
srcZone | LAN | str | |
dstZone | WAN_TIME | str | |
srcIface | ethernet1/4 | str | |
dstIface | ethernet1/2 | str | |
logAction | Log-Forwarding | str | |
logdate | null | timestamp | | ✓
session | 113464 | str | |
repCnt | null | int4 | |
srcPort | 56354 | int4 | |
dstPort | 443 | int4 | |
srcXPort | 27427 | int4 | | ✓
dstXPort | 443 | int4 | | ✓
srcNatPort | 27427 | int4 | srcXPort |
dstNatPort | 443 | int4 | dstXPort |
flags | null | str | |
proto | tcp | str | |
action | allow | str | |
bytes | 8298 | int8 | |
sentBytes | 3489 | int8 | |
recvBytes | 4809 | int8 | |
pkts | 26 | int4 | |
startdate | 2021-03-09 11:22:36.000 | timestamp | |
elapsedTime | 11 | int8 | |
category | computer-and-internet-info | str | |
seqno | 887767286 | int8 | |
srcCountry | 192.168.0.0-192.168.255.255 | str | |
dstCountry | US | str | |
cpadding | null | int4 | |
sentPkts | 1 | int4 | |
recvPkts | 11 | int4 | |
session_end_reason | tcp-rst-from-server | str | |
dg_hier_level_1 | 0 | int4 | |
dg_hier_level_2 | 0 | int4 | |
dg_hier_level_3 | 0 | int4 | |
dg_hier_level_4 | 0 | int4 | |
vsys_name | null | str | |
device_name | pan-ml-kl | str | |
action_source | from-policy | str | |
srcVMuuid | null | str | |
dstVMuuid | null | str | |
tunnelIDimsi | 0 | str | |
monitorTagIMEI | null | str | |
parentSessID | 0 | int4 | |
parentStartTime | 1970-01-01 00:00:00.000 | timestamp | |
tunnel | N/A | str | |
sctpAssociationID | 0 | int4 | |
sctpChunks | 0 | int8 | |
sctpChunksSent | 0 | int8 | |
sctpChunksReceived | 0 | int8 | |
uuidForRule | e97a0d84-24e4-4556-ae9d-32dc0fbd59be | str | |
http2Connection | 0 | str | |
client | | str | vclient | ✓
hostchain | localhost=127.0.0.1 | str | | ✓
tag | firewall.paloalto.traffic.leef | str | | ✓
rawMessage | LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|TRAFFIC\| \|TimeReceived=2021-03-09T11:23:14.000000Z DeviceSN=012001012124 EventID=TRAFFIC cat=end ConfigVersion=9.0 devTime=2021-03-09T11:23:02.000000Z src=192.168.1.195 dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203 Rule=LAN-WAN_AllowAD usrName="jumpcloud.com\\chuwong" DestinationUser= Application=ssl VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=113464 RepeatCount= srcPort=56354 dstPort=443 srcPostNATPort=27427 dstPostNATPort=443 proto=tcp Action=allow Bytes=8298 srcBytes=3489 dstBytes=4809 totalPackets=26 SessionStartTime=2021-03-09T11:22:36.000000Z SessionDuration=11 URLCategory=computer-and-internet-info SequenceNo=887767286 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US srcPackets=1 dstPackets=11 SessionEndReason=tcp-rst-from-server DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl ActionSource=from-policy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 LinkChangeCount= SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution= NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ | str | |
rawSource | (same value as rawMessage) | str | rawMessage | ✓
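The relay rules described earlier and the traffic LEEF sample just shown, worked through as an added example that is not Devo's or Palo Alto Networks' code: it applies the two Source data regexes to derive the tag, then parses the LEEF header and key=value attributes and maps a subset of them onto the columns of the traffic table. The column mapping, the int and timestamp conversions, the trimmed sample and the CSV line are assumptions made here; the tag is built literally from the \D1 capture, so any case normalisation the relay applies to the tag is not modelled.

```python
import re
from datetime import datetime

# Relay rules exactly as the page defines them (rule 1 = CSV, rule 2 = LEEF),
# each paired with the target tag that the \D1 capture is substituted into.
RELAY_RULES = [
    (re.compile(r"^[^,]+,[^,]+,[^,]+,([^,]+)"), "firewall.paloalto.{}"),
    (re.compile(r"LEEF:(?:[^\|]+\|){4}([^\|]+)\|"), "firewall.paloalto.{}.leef"),
]
# LEEF attribute key=value: the value runs until the next " key=" or the end of the
# line, so values containing spaces (ThreatID=SSH User ... Attempt(40015)) stay intact.
ATTR = re.compile(r"([A-Za-z0-9_-]+)=(.*?)(?=\s[A-Za-z0-9_-]+=|$)", re.S)
# Assumed LEEF key -> Devo column mapping, a subset copied from the traffic table above.
TRAFFIC_COLUMNS = {
    "TimeReceived": "recvdate", "devTime": "timestamp", "DeviceSN": "serial",
    "EventID": "logType", "cat": "subType", "src": "srcIp", "dst": "dstIp",
    "srcPostNAT": "srcXIp", "dstPostNAT": "dstXIp", "Rule": "rule", "usrName": "srcUser",
    "DestinationUser": "dstUser", "Application": "app", "srcPort": "srcPort",
    "dstPort": "dstPort", "proto": "proto", "Action": "action", "Bytes": "bytes",
    "SessionEndReason": "session_end_reason", "RuleUUID": "uuidForRule",
}
INT_COLUMNS = {"srcPort", "dstPort", "bytes"}
TIME_COLUMNS = {"recvdate", "timestamp"}


def relay_tag(event):
    """Tag the relay rules assign, or None. Both rules have 'Stop processing'
    checked, so the first rule (in page order) whose regex matches wins."""
    for pattern, template in RELAY_RULES:
        m = pattern.search(event)
        if m:
            return template.format(m.group(1))
    return None


def parse_leef(event):
    """Split a LEEF 2.0 event into its six header fields and an attribute dict."""
    parts = event.split("|", 6)
    if len(parts) != 7 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 event")
    names = ("version", "vendor", "product", "product_version", "event_id", "delimiter")
    header = dict(zip(names, [parts[0][5:]] + parts[1:6]))
    return header, dict(ATTR.findall(parts[6]))


def to_traffic_row(event):
    """Map a traffic LEEF event onto Devo columns; empty LEEF values become None."""
    _, attrs = parse_leef(event)
    row = {}
    for key, column in TRAFFIC_COLUMNS.items():
        value = attrs.get(key, "")
        if value == "":
            row[column] = None
        elif column in INT_COLUMNS:
            row[column] = int(value)
        elif column in TIME_COLUMNS:  # 2021-03-09T11:23:02.000000Z -> 2021-03-09 11:23:02.000
            dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
            row[column] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
        else:
            row[column] = value
    return row


# Sample input: the page's traffic rawMessage, trimmed to the attributes mapped above.
TRAFFIC_SAMPLE = (
    "LEEF:2.0|Palo Alto Networks|LF|2.0|TRAFFIC| |TimeReceived=2021-03-09T11:23:14.000000Z "
    "DeviceSN=012001012124 EventID=TRAFFIC cat=end devTime=2021-03-09T11:23:02.000000Z "
    "src=192.168.1.195 dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203 "
    'Rule=LAN-WAN_AllowAD usrName="jumpcloud.com\\\\chuwong" DestinationUser= Application=ssl '
    "srcPort=56354 dstPort=443 proto=tcp Action=allow Bytes=8298 SessionEndReason=tcp-rst-from-server "
    "RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ"
)
# Constructed CSV line (not from the page): PAN-OS CSV carries the log type in field 4.
CSV_SAMPLE = "1,2021/03/09 11:23:14,012001012124,TRAFFIC,end,2021/03/09 11:23:02,192.168.1.195"
```

Running relay_tag over a capture of real syslog lines before committing the rules to the relay is a cheap way to confirm that every event lands on a tag and none falls through untagged.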
firewall.paloalto.system.leef
2021-03-11 15:28:01.062 localhost=127.0.0.1 firewall.paloalto.system.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|SYSTEM| |LogTime=2021-03-11T15:28:00.000000Z LogSourceID=012001017258 EventID=SYSTEM cat=dhcp ConfigVersion=0.0 devTime=2021-03-11T15:27:40.000000Z VirtualLocation= EventName=lease-start EventComponent= VendorSeverity=Informational EventDescription=DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 SequenceNo=6305112 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= LogSourceName=pan-ml-nyc DeviceGroup= Template= TimeGeneratedHighResolution= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields
---|---|---|---|---
eventdate | 2021-03-11 15:28:01.062 | eventdate | |
machine | localhost | str | |
future_use_1 | null | str | | ✓
timestamp | 2021-03-11 15:27:40.000 | timestamp | |
recvdate | 2021-03-11 15:28:00.000 | timestamp | |
serial | 012001017258 | str | |
logType | SYSTEM | str | | ✓
subType | dhcp | str | |
future_use_2 | 0.0 | str | | ✓
vsys | null | str | |
eventId | lease-start | str | |
object | null | str | |
future_use_3 | | str | |
future_use_4 | | str | |
module | | str | |
severity | Informational | timestamp | |
opaque | DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 | str | | ✓
description | DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 | str | opaque |
actionflags | | str | |
dev_group_hierarchy_1 | 0 | int4 | |
dev_group_hierarchy_2 | 0 | int4 | |
dev_group_hierarchy_3 | 0 | int4 | |
dev_group_hierarchy_4 | 0 | int4 | |
virtual_sys_name | null | str | |
device_name | null | str | |
client | | str | vclient | ✓
hostchain | localhost=127.0.0.1 | str | | ✓
tag | firewall.paloalto.system.leef | str | | ✓
rawMessage | LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|SYSTEM\| \|LogTime=2021-03-11T15:28:00.000000Z LogSourceID=012001017258 EventID=SYSTEM cat=dhcp ConfigVersion=0.0 devTime=2021-03-11T15:27:40.000000Z VirtualLocation= EventName=lease-start EventComponent= VendorSeverity=Informational EventDescription=DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 SequenceNo=6305112 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= LogSourceName=pan-ml-nyc DeviceGroup= Template= TimeGeneratedHighResolution= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ | str | |
firewall.paloalto.threat.leef
2021-03-11 09:18:39.383 localhost=127.0.0.1 firewall.paloalto.threat.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|THREAT| |TimeReceived=2021-03-11T09:18:37.000000Z DeviceSN=012001012124 EventID=THREAT cat=vulnerability ConfigVersion=9.0 devTime=2021-03-11T09:18:22.000000Z src=192.168.1.232 dst=140.82.114.3 srcPostNAT=211.24.95.14 dstPostNAT=140.82.114.3 Rule=LAN-WAN_AllowAD usrName= DestinationUser= Application=ssh VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=112575 RepeatCount=2 srcPort=50176 dstPort=22 srcPostNATPort=53783 dstPostNATPort=22 proto=tcp Action=drop FileName= ThreatID=SSH User Authentication Brute Force Attempt(40015) VendorSeverity=High DirectionOfAttack=client to server SequenceNo=154995599 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US PacketID=0 FileHash= ApplianceOrCloud= URLCounter=0 FileType= SenderEmail= EmailSubject= RecipientEmail= ReportID=0 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A ThreatCategory=brute-force ContentVersion=549329324 SigFlags=0x0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= HostID= EndpointSerialNumber= DomainEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= PartialHash= TimeGeneratedHighResolution= NSSAINetworkSliceType= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields
---|---|---|---|---
eventdate | 2021-03-11 09:18:39.383 | eventdate | |
machine | localhost | str | |
future_use | null | str | | ✓
createdate | 2021-03-11 09:18:22.000 | timestamp | | ✓
timestamp | 2021-03-11 09:18:22.000 | timestamp | createdate |
recvdate | 2021-03-11 09:18:37.000 | timestamp | |
serial | 012001012124 | str | |
logType | THREAT | str | | ✓
subType | vulnerability | str | |
confVer | 9.0 | str | | ✓
srcIp | 192.168.1.232 | ip4 | |
dstIp | 140.82.114.3 | ip4 | |
srcXIp | 211.24.95.14 | ip4 | | ✓
dstXIp | 140.82.114.3 | ip4 | | ✓
srcNatIp | 211.24.95.14 | ip4 | srcXIp |
dstNatIp | 140.82.114.3 | ip4 | dstXIp |
rule | LAN-WAN_AllowAD | str | |
srcUser | null | str | |
dstUser | null | str | |
app | ssh | str | |
virtSys | vsys1 | str | |
srcZone | LAN | str | |
dstZone | WAN_TIME | str | |
srcIface | ethernet1/4 | str | |
dstIface | ethernet1/2 | str | |
logAction | Log-Forwarding | str | |
logdate | null | timestamp | | ✓
session | 112575 | str | |
repCnt | 2 | int4 | |
srcPort | 50176 | int4 | |
dstPort | 22 | int4 | |
srcXPort | 53783 | int4 | |
dstXPort | 22 | int4 | |
srcNatPort | 53783 | int4 | srcXPort |
dstNatPort | 22 | int4 | dstXPort |
flags | null | str | |
proto | tcp | str | |
action | drop | str | |
misc | null | str | | ✓
url_filename | null | str | misc |
threatid | SSH User Authentication Brute Force Attempt(40015) | str | |
category | null | str | |
severity | High | str | |
direction | client to server | str | |
seqno | 154995599 | int8 | |
actionflags | null | str | |
srcloc | 192.168.0.0-192.168.255.255 | str | |
dstloc | US | str | |
cpadding | null | int4 | |
contenttype | null | str | |
pcadId | 0 | int8 | |
pcapId | 0 | int8 | pcadId |
fileDigest | null | str | |
cloud | null | str | |
urlIdx | 0 | int4 | |
userAgent | null | str | |
fileType | null | str | |
xff | null | str | |
referer | null | str | |
sender | null | str | |
subject | null | str | |
recipient | null | str | |
reportid | 0 | int4 | |
dgHierLevel1 | 0 | int4 | |
dgHierLevel2 | 0 | int4 | |
dgHierLevel3 | 0 | int4 | |
dgHierLevel4 | 0 | int4 | |
vsysName | null | str | |
deviceName | pan-ml-kl | str | |
future_use_1 | null | str | | ✓
srcVMuuid | null | str | |
dstVMuuid | null | str | |
httpMethod | null | str | |
tunnelIDimsi | 0 | str | |
monitorTagIMEI | null | str | |
parentSessID | 0 | int4 | |
parentStartTime | 1970-01-01 00:00:00.000 | timestamp | |
tunnel | N/A | str | |
thrCategory | brute-force | str | |
contentver | 549329324 | str | |
future_use_2 | 0x0 | str | | ✓
sctpAssociationID | null | int4 | |
payloadProtocolID | null | int8 | |
httpHeaders | null | str | |
urlCategoryList | null | str | |
uuidForRule | e97a0d84-24e4-4556-ae9d-32dc0fbd59be | str | |
http2Connection | 0 | str | |
client | null | str | vclient | ✓
hostchain | localhost=127.0.0.1 | str | | ✓
tag | firewall.paloalto.threat.leef | str | | ✓
rawMessage | LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|THREAT\| \|TimeReceived=2021-03-11T09:18:37.000000Z DeviceSN=012001012124 EventID=THREAT cat=vulnerability ConfigVersion=9.0 devTime=2021-03-11T09:18:22.000000Z src=192.168.1.232 dst=140.82.114.3 srcPostNAT=211.24.95.14 dstPostNAT=140.82.114.3 Rule=LAN-WAN_AllowAD usrName= DestinationUser= Application=ssh VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=112575 RepeatCount=2 srcPort=50176 dstPort=22 srcPostNATPort=53783 dstPostNATPort=22 proto=tcp Action=drop FileName= ThreatID=SSH User Authentication Brute Force Attempt(40015) VendorSeverity=High DirectionOfAttack=client to server SequenceNo=154995599 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US PacketID=0 FileHash= ApplianceOrCloud= URLCounter=0 FileType= SenderEmail= EmailSubject= RecipientEmail= ReportID=0 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A ThreatCategory=brute-force ContentVersion=549329324 SigFlags=0x0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= HostID= EndpointSerialNumber= DomainEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= PartialHash= TimeGeneratedHighResolution= NSSAINetworkSliceType= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ | str | |