PaloAlto
Palo Alto Networks Threat Syslog Format
PANW-Threat-Syslog-D
<Syslog Priority>Syslog Time Syslog Host : FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type
PANW-Threat
true
<11>1 2016-07-29T17:31:33-05:00 PA01.internal.exebridge.com 1,2016 - - - 17:31:33,001801031451,THREAT,vulnerability,1,2016/07/29 17:31:33,10.1.20.11,199.181.133.61,75.148.241.193,199.181.133.61,Permit Outbound,exb\mcrook,,web-browsing,vsys1,L3_Trust,L3_Untrust,ae1,ethernet1/1,Alert Critical,2016/07/29 17:31:33,103143,1,55448,80,19347,80,0x80420000,tcp,reset-both,"results",Apache Wicket Unspecified XSS Vulnerability(36041),sports,critical,client-to-server,124975,0x0,RM Location 2,US,0,,1201889085355049529,,,1,,,,,,,,0,0,0,0,0,,PA01,
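filter {
  grok {
    # Header is RFC 5424-shaped (<pri>VERSION ISO8601-TIMESTAMP HOST ...). The
    # four DATA captures soak up the "1,2016 - - -" run that the sample shows
    # between the host and the receive time; the PAN-OS CSV payload that
    # follows lands in paloalto_message for the csv filter below. Only a line
    # that matches gets the PANW-Threat tag.
    match => {'message' => '<%{POSINT:syslog_priority}>%{POSINT:version}%{SPACE}%{TIMESTAMP_ISO8601:syslog_timestamp} %{HOSTNAME:syslog_hostName} %{DATA:identifier},%{DATA:year} %{DATA:future_use1a} %{DATA:future_use1b} %{DATA:future_use1c} %{GREEDYDATA:paloalto_message}'}
    add_tag => [ "PANW-Threat" ]
  }

  # Everything below is gated on the grok having matched. Without this guard a
  # non-matching event keeps its raw syslog line in [message] (the rename is a
  # no-op because paloalto_message was never set) and the csv filter would
  # split that raw line into meaningless PAN-OS column names.
  if "PANW-Threat" in [tags] {
    mutate {
      rename => ["paloalto_message", "message"]
    }

    csv {
      # PAN-OS THREAT column order starting at Receive Time (the leading
      # FUTURE_USE field was consumed by the grok header). Any columns beyond
      # this list keep the csv filter's generated names. URL, user_agent,
      # referer, xff, sender, subject and recipient are copied from the
      # inspected traffic, so treat them as attacker-influenced downstream:
      # escape before rendering in dashboards and anchor any regex you apply
      # to them. A record the CSV parser cannot split is tagged
      # _csvparsefailure rather than silently mis-aligned.
      columns => ["ReceiveTime", "SerialNum", "Type", "Threat-ContentType", "ConfigVersion", "GenerateTime", "SourceAddress", "DestinationAddress", "NATSourceIP", "NATDestinationIP", "Rule", "SourceUser", "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone", "InboundInterface", "OutboundInterface", "LogAction", "TimeLogged", "SessionID", "RepeatCount", "SourcePort", "DestinationPort", "NATSourcePort", "NATDestinationPort" , "Flags", "IPprotocol", "Action", "URL", "Threat-ContentName", "Category", "Severity", "Direction", "seqno", "actionflags", "SourceCountry", "DestinationCountry", "cpadding", "ContentType", "pcap_id", "filedigest", "cloud", "data1", "data2", "data3", "data4", "data5", "data6", "data7","url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject", "recipient"]
    }

    # NOTE(review): neither date filter sets timezone =>, so the firewall's
    # wall-clock time is interpreted in the Logstash host's zone. The sample
    # header carries -05:00; set timezone => to the firewall's zone if the two
    # differ, otherwise timelines built on these fields are skewed.
    date {
      match => ["GenerateTime", "yyyy/MM/dd HH:mm:ss"]
      target => "GenerateTime"
    }
    date {
      match => ["TimeLogged", "yyyy/MM/dd HH:mm:ss"]
      target => "TimeLogged"
    }

    mutate {
      # The PAN-OS Miscellaneous field (the URL column here) arrives
      # double-quoted ("results" in the sample). The csv filter already
      # unquotes it; this strips any stray quotes that survive. The original
      # targeted a field named "miscellaneous", which nothing in this
      # pipeline ever creates, so it never did anything.
      gsub => ["URL", "\"", ""]
      remove_field => ['@version','path','@message','message']
      add_field => [ 'Event:Event-Name', '%{Type}' ]
      add_field => [ 'Event:Threat-Name', '%{Threat-ContentType}' ]
      add_field => [ 'Event:Source-IP-Address', '%{SourceAddress}' ]
      add_field => [ 'Event:Destination-IP-Address', '%{DestinationAddress}' ]
      # This syslog-derived value is overwritten with the ingest time in the
      # ruby filter below; the device times survive as
      # Event:PANW-Threat:GenerateTime and Event:PANW-Threat:syslog_timestamp.
      add_field => [ 'Event:Timestamp', '%{syslog_timestamp}' ]
      add_field => [ 'Event:Username', '%{SourceUser}' ]
      add_field => [ 'Event:Pattern-Name', 'PANW-Threat' ]
    }

    ruby {
      # event[] / event.remove is the pre-5.x Event API; newer releases expose
      # event.get / event.set instead. Kept as written — confirm against the
      # Logstash version in use.
      code => "
        # Iterate over a snapshot so fields can be renamed on the live event.
        data = event.clone.to_hash;
        data.each do |k,v|
          # Namespace every field not already under Event: or @ as
          # Event:PANW-Threat:<name>.
          if (!k.start_with?('Event:') and !k.start_with?('@'))
            newFieldName = 'Event:PANW-Threat:'+ k
            event[newFieldName] = v
            event.remove(k)
          end
        end
        # Ingest time on the Logstash host, local zone, no offset suffix.
        # This replaces the syslog-derived Event:Timestamp set above, so
        # Event:Timestamp reflects when the log was processed, not when the
        # firewall generated it.
        tstamp = Time.now.to_i
        tstamp_str = Time.at(tstamp).strftime('%Y-%m-%d %H:%M:%S')
        event['Event:Timestamp'] = tstamp_str
      "
    }
  }
}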