Reference vendor documentation |
|---|
Introduction
The tags that begin with firewall.paloalto identify events generated by Palo Alto Networks Firewall.
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and will be determined dynamically by the rule you define in the Devo Relay. The fourth element is only used in some specific cases.
Technology | Brand | Type | Subtype |
|---|---|---|---|
|
|
| The tag levels below are only used with This is used to indicate the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so we need to add this tag level to indicate the parser version. The possible values are:
The tag level below is only used with
These tables allow sending events in LEEF format instead of the default CSV format. To indicate this, all logs must have an additional tag level (leef). Threats can also have logs in JSON format using the tag level JSON at the end. CSV format tags are:
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
| |
|
|
|
|
|
|
| |
|
|
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The event type is determined by the source port specified when creating the rule and by whether it matches a format defined by a regular expression. When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.
Define the rule using the following values (the port number can be any free port on your relay):
Relay rule 1 - CSV events
Source port →
13004Source data →
([^,]+,){3}([^,]+)Target tag →
firewall.paloalto.\\D2Target message →
\\D0
Check the Sent without syslog tag and Stop processing checkboxes.
Relay rule 2 - LEEF events
Source port →
13004Source data →
LEEF:(?:[^\|]+\|){4}([^\|]+)\|.*$Target tag →
firewall.paloalto.\\D1.leef
Check the Sent without syslog tag and Stop processing checkboxes.
Note that the number between curly braces in the rules above may vary depending on your firewall version and the format of your events. Contact us if you need assistance.
Palo Alto Firewall configuration
In Pan-OS, you will need to create a Syslog Server Pron Pan-OS and a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions.
If you want to send your Palo Alto firewall events to a Devo relay that exist in a different network, check out the article about sending events to the Devo relay using SSL.
Table structure
These are the fields displayed in these tables:
firewall.paloalto.system
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
|
| |
machine |
|
| |
timestamp |
|
| |
recvdate |
|
| |
serial |
|
| |
subType |
|
| |
vsys |
|
| |
eventId |
|
| |
object |
|
| |
future_use_4 |
|
| |
future_use_5 |
|
| |
module |
|
| |
severity |
|
| |
description |
| opaque | |
client_ip |
|
| |
client_port |
| ||
user_name |
|
| |
seqno |
|
| |
actionflags |
|
| |
dev_group_hierarchy_1 |
|
| |
dev_group_hierarchy_2 |
|
| |
dev_group_hierarchy_3 |
|
| |
dev_group_hierarchy_4 |
|
| |
virtual_sys_name |
|
| |
log_source_name |
| ||
device_name |
|
| |
reason |
| ||
protocol |
| ||
high_res_timestamp |
| high_res_timestamp_fmt high_res_timestamp_tmp | |
auth_username |
|
| |
auth_srcIp |
|
| |
auth_status |
|
| |
lease_ip_address |
| ||
lease_hardware_address |
| ||
src_host |
| ||
interface |
| ||
lease_time_of |
| ||
server_ip |
| ||
server_mask |
| ||
gateway |
| ||
dns1 |
| ||
dns2 |
| ||
dns_sufix |
| ||
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |
firewall.paloalto.threat
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
|
| |
machine |
|
| |
timestamp |
| createdate | |
recvdate |
|
| |
serial |
|
| |
subType |
|
| |
vendor |
|
| |
product |
|
| |
version |
|
| |
event_id |
|
| |
delimiter |
|
| |
srcIp |
|
| |
dstIp |
|
| |
srcNatIp |
| srcXIp | |
dstNatIp |
| dstXIp | |
srcIp_str |
|
| |
rule |
|
| |
srcUser |
|
| |
dstUser |
|
| |
app |
|
| |
virtSys |
|
| |
srcZone |
|
| |
dstZone |
|
| |
srcIface |
|
| |
dstIface |
|
| |
logForwardingProfile |
|
| |
logAction |
|
| |
session |
|
| |
repCnt |
|
| |
srcPort |
|
| |
dstPort |
|
| |
srcNatPort |
| srcXPort | |
dstNatPort |
| dstXPort | |
flags |
|
| |
proto |
|
| |
action |
|
| |
url_filename |
| misc | |
threatid |
|
| |
category |
|
| |
severity |
|
| |
sevNum |
|
| |
direction |
|
| |
seqno |
|
| |
actionflags |
|
| |
srcloc |
|
| |
dstloc |
|
| |
cpadding |
|
| |
contenttype |
|
| |
pcap_id |
|
| |
src_category |
|
| |
dst_category |
|
| |
threatname |
|
| |
pcapId |
| pcadId | |
fileDigest |
|
| |
cloud |
|
| |
urlIdx |
|
| |
userAgent |
|
| |
fileType |
|
| |
xff |
|
| |
referer |
|
| |
sender |
|
| |
subject |
|
| |
recipient |
|
| |
reportid |
|
| |
dgHierLevel1 |
|
| |
dgHierLevel2 |
|
| |
dgHierLevel3 |
|
| |
dgHierLevel4 |
|
| |
vsysName |
|
| |
deviceName |
|
| |
srcVMuuid |
|
| |
dstVMuuid |
|
| |
httpMethod |
|
| |
tunnelIDimsi |
|
| |
monitorTagIMEI |
|
| |
parentSessID |
|
| |
parentStartTime |
|
| |
tunnel |
|
| |
thrCategory |
|
| |
contentver |
|
| |
sctpAssociationID |
|
| |
payloadProtocolID |
|
| |
httpHeaders |
|
| |
url |
|
| |
urlCategory |
|
| |
urlCategoryList |
|
| |
uuidForRule |
|
| |
http2Connection |
|
| |
dynusergroup_name |
|
| |
xff_ip |
|
| |
src_profile |
|
| |
src_model |
|
| |
src_vendor |
|
| |
src_osfamily |
|
| |
src_osversion |
|
| |
src_host |
|
| |
src_mac |
|
| |
dst_profile |
|
| |
dst_model |
|
| |
dst_vendor |
|
| |
dst_osfamily |
|
| |
dst_osversion |
|
| |
dst_host |
|
| |
dst_mac |
|
| |
container_id |
|
| |
pod_namespace |
|
| |
src_edl |
|
| |
dst_edl |
|
| |
hostid |
|
| |
serialnumber |
|
| |
domain_edl |
|
| |
src_dag |
|
| |
dst_dag |
|
| |
partial_hash |
|
| |
high_res_timestamp |
|
| |
nsdsai_sst |
|
| |
log_type |
|
| |
xff_address |
|
| |
source_external_dynamic_list |
|
| |
destination_external_dynamic_list |
|
| |
source_dynamic_address_group |
|
| |
destination_dynamic_address_group |
|
| |
justification |
|
| |
slice_service_type |
|
| |
application_subcategory |
|
| |
application_category |
|
| |
application_technology |
|
| |
application_risk |
|
| |
application_characteristic |
|
| |
application_container |
|
| |
tunneled_application |
|
| |
application_saas |
|
| |
application_sanctioned_state |
|
| |
cloud_report_id |
|
| |
cluster_name |
|
| |
flow_type |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |
firewall.paloalto.traffic
Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
|
|
| |
machine |
|
|
| |
timestamp |
|
| createdate | |
recvdate |
|
|
| |
serial |
|
|
| |
subType |
|
|
| |
srcIp |
|
|
| |
dstIp |
|
|
| |
srcNatIp |
|
| srcXIp | |
dstNatIp |
|
| dstXIp | |
srcIp_str |
|
|
| |
dstIp_str |
|
|
| |
rule |
|
|
| |
srcUser |
|
|
| |
dstUser |
|
|
| |
app |
|
|
| |
virtSys |
|
|
| |
srcZone |
|
|
| |
dstZone |
|
|
| |
srcIface |
|
|
| |
dstIface |
|
|
| |
logAction |
|
|
| |
session |
|
|
| |
repCnt |
|
|
| |
srcPort |
|
|
| |
dstPort |
|
|
| |
srcNatPort |
|
| srcXPort | |
dstNatPort |
|
| dstXPort | |
flags |
|
|
| |
proto |
|
|
| |
action |
|
|
| |
bytes |
|
|
| |
sentBytes |
|
|
| |
recvBytes |
|
|
| |
pkts |
|
|
| |
startdate |
|
|
| |
elapsedTime |
|
|
| |
category |
|
|
| |
padding |
|
|
| |
seqno |
|
|
| |
actionFlags |
|
|
| |
srcCountry |
|
|
| |
dstCountry |
|
|
| |
cpadding |
|
|
| |
sentPkts |
|
|
| |
recvPkts |
|
|
| |
session_end_reason |
|
|
| |
dg_hier_level_1 |
|
|
| |
dg_hier_level_2 |
|
|
| |
dg_hier_level_3 |
|
|
| |
dg_hier_level_4 |
|
|
| |
vsys_name |
|
|
| |
device_name |
|
|
| |
action_source |
|
|
| |
srcVMuuid |
|
|
| |
dstVMuuid |
|
|
| |
tunnelIDimsi |
|
|
| |
monitorTagIMEI |
|
|
| |
parentSessID |
|
|
| |
parentStartTime |
|
|
| |
tunnel |
|
|
| |
sctpAssociationID |
|
|
| |
sctpChunks |
|
|
| |
sctpChunksSent |
|
|
| |
sctpChunksReceived |
|
|
| |
uuidForRule |
|
|
| |
http2Connection |
|
|
| |
link_change_count |
|
|
| |
policy_id |
|
|
| |
link_switches |
|
|
| |
sdwan_cluster |
|
|
| |
sdwan_device_type |
|
|
| |
sdwan_cluster_type |
|
|
| |
sdwan_site |
|
|
| |
dynusergroup_name |
|
|
| |
xff_ip |
|
|
| |
src_category |
|
|
| |
src_profile |
|
|
| |
src_model |
|
|
| |
src_vendor |
|
|
| |
src_osfamily |
|
|
| |
src_osversion |
|
|
| |
src_host |
|
|
| |
src_mac |
|
|
| |
dst_category |
|
|
| |
dst_profile |
|
|
| |
dst_model |
|
|
| |
dst_vendor |
|
|
| |
dst_osfamily |
|
|
| |
dst_osversion |
|
|
| |
dst_host |
|
|
| |
dst_mac |
|
|
| |
container_id |
|
|
| |
pod_namespace |
|
|
| |
pod_name |
|
|
| |
src_edl |
|
|
| |
dst_edl |
|
|
| |
hostid |
|
|
| |
serialnumber |
|
|
| |
src_dag |
|
|
| |
dst_dag |
|
|
| |
session_owner |
|
|
| |
high_res_timestamp |
| ifthenelse(isnotnull(high_res_timestamp_fmt), parsedate(high_res_timestamp_tmp, dateformat(high_res_timestamp_fmt)), null(timestamp(0))) | high_res_timestamp_fmt high_res_timestamp_tmp | |
nsdsai_sst |
|
|
| |
nsdsai_sd |
|
|
| |
app_category |
|
|
| |
app_subcategory |
|
|
| |
app_technology |
|
|
| |
app_risk |
|
|
| |
app_characteristic |
|
|
| |
app_container |
|
|
| |
app_tunneled |
|
|
| |
app_saas |
|
|
| |
app_sanctioned_state |
|
|
| |
offloaded |
|
|
| |
flow_type |
|
|
| |
cluster_name |
|
|
| |
devTimeFormat |
|
|
| |
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
| ✓ |