Mapping changes in Palo Alto Networks firewall parser

This document describes the field mapping changes made in the Palo Alto Networks firewall default parser on 2022-09-28.

| Log types | Log fields | UDM mapping in previous versions | UDM mapping in default parser version 2022-09-28 |
|---|---|---|---|
| All log types (LEEF) | Session End Reason | security_result.detection_fields.key/value | security_result.summary |
| All log types (LEEF) | Bytes | security_result.detection_fields.key/value | about.labels.key/value |
| All log types (LEEF/CSV) | Source Zone | security_result.detection_fields.key/value | principal.labels.key/value |
| All log types (LEEF/CSV) | Destination Zone | security_result.detection_fields.key/value | target.labels.key/value |
| All log types (LEEF) | intermediary (observer_hostname) | intermediary.hostname | observer.hostname |
| All log types (LEEF) | action | If "action" is "BLOCK", "event.idm.is_alert" is set to "true".<br>If "action" is "sinkhole" and the format is "LEEF", "security_result.action" is set to "ALLOW_WITH_MODIFICATION".<br>If "action" is "sinkhole" and the format is "CSV", "security_result.action" is set to "BLOCK". | If "action" is "BLOCK", "event.idm.is_alert" is not set to "true".<br>If "action" is "sinkhole", "security_result.action" is set to "BLOCK". |
| TRAFFIC | Serial | metadata.product_log_id | intermediary.asset.hardware.serial_number |
| TRAFFIC | NAT Source IP | src.ip, principal.nat_ip | principal.nat_ip |
| TRAFFIC | NAT Destination IP | If "natDstAddress" is not equal to "dstAddress", NAT Destination IP is mapped to "target.nat_ip" and "target.ip". | target.nat_ip |
| TRAFFIC | Destination Zone | security_result.detection_fields.key/value | target.labels.key/value |
| TRAFFIC | Bytes Sent | network.sent_bytes | network.received_bytes |
| TRAFFIC | Bytes Received | network.received_bytes | network.sent_bytes |
| TRAFFIC | Elapsed Time | network.session_duration.seconds | about.labels.key/value |
| TRAFFIC | Category | security_result.description | security_result.category_details |
| TRAFFIC | Application | CSV is set to security_result.about.application.<br>LEEF is set to principal.application. | |
| THREAT | Tunnel Type | security_result.category_details | about.labels.key/value |
| THREAT | Threat/Content Name | security_result.summary | security_result.threat_name |
| THREAT | NAT Source IP | principal.nat_ip | |
| THREAT | X-Forwarded-For | If index == 0, principal.ip.<br>If index > 0, intermediary.ip. | |
| THREAT | URL/Filename | target.file.full_path | |
| THREAT | Application [all subtypes except "file", "url"] | security_result.about.application | target.application |
| THREAT | Application [subtype "file", "url"] | security_result.about.application | network.application_protocol |
| THREAT | Category | security_result.description | security_result.category_details |
| THREAT | Threat Category | security_result.category_details | security_result.detection_fields |
| THREAT | HTTP Headers | If "httpHeaders" contains "travel" or "computer-and-internet-info", it is mapped to "security_result.category_details"; otherwise it is not mapped. | about.labels.key/value |
| THREAT | Cloud | target.file.sha256 | about.labels.key/value |
| THREAT | Serial Number | metadata.product_log_id | intermediary.asset.hardware.serial_number |
| THREAT | Severity | If Severity is "critical" or subtype is "wildfire-virus", "wildfire", "virus", "vulnerability", "scan", or "spyware", "security_result.severity" is set to "HIGH". | If severity is "low", "security_result.severity" is set to "LOW".<br>If severity is "medium", "security_result.severity" is set to "MEDIUM".<br>If severity is "informational", "security_result.severity" is set to "INFORMATIONAL".<br>If severity is "high", "security_result.severity" is set to "HIGH".<br>If severity is "error", "security_result.severity" is set to "ERROR".<br>If severity is "critical", "security_result.severity" is set to "CRITICAL". |
| THREAT (LEEF) | URL/Filename [subtype "virus", "wildfire-virus", "wildfire", "file"] | security_result.description | target.file.full_path |
| THREAT (LEEF) | URL/Filename [subtype "url"] | security_result.description | target.url |
| THREAT (LEEF) | Threat Category | security_result.category_details | security_result.detection_fields.key/value |
| THREAT (LEEF) | URL/Filename [subtype all] | "urlHostname" and "urlPath" are extracted from Miscellaneous, and "urlHostname" is mapped to "target.hostname". | Not mapped |
| THREAT (LEEF) | Application | network.application_protocol | If Application is DNS, then:<br>network.dns.opcode is set to 0<br>"metadata.event_type" is set to "NETWORK_DNS"<br>[…] is set to "%{urlHostname}"<br>[…] is set to "%{dst}"<br>If subtype is "file" or "url", Application is mapped to network.application_protocol. |
| SYSTEM | platform_version [subtype globalprotect] | principal.platform_version | |
| SYSTEM | Description [subtype dhcp] | Extracted mac using grok.<br>principal.mac is set to "%{mac}".<br>Extracted "dhcp_client_hostname" and mapped to network.dhcp.client_hostname and principal.hostname. | Extracted mac using grok.<br>network.dhcp.chaddr is set to "%{mac}".<br>Extracted "dhcp_client_hostname" and mapped to network.dhcp.client_hostname. |
| SYSTEM | Device Name [subtype dhcp] | network.dhcp.sname and intermediary.hostname | intermediary.hostname |
| SYSTEM | Event ID, Description [subtype "url-filtering", "userid", "monitoring", "syslog", "general", "vpn", "satd", "panorama-check"] | metadata.description is set to "%{Event ID} -- %{Description}" | metadata.description is set to "%{Description}" |
| SYSTEM | action | security_result.action = ALLOW, BLOCK, or UNKNOWN_ACTION:<br>if type == SYSTEM and subType == auth/globalprotect, action = ALLOW<br>if [Message] ~= Login Failed, action = BLOCK | If type is SYSTEM, subType is auth/globalprotect, and the message contains "Login Failed", security_result.action is set to "BLOCK". |
| SYSTEM | deviceName [subtype globalprotect] | If "Event ID" includes "globalprotectgateway-config" and deviceName is not empty, event_type is set to RESOURCE_CREATION, deviceName is mapped to target.resource.resource_name, and target.resource.resource_type is set to ACCESS_POLICY. | target.resource.resource_type is not set. |
| USERID (CSV format) | User | principal.user.userid | |
| USERID | Device Name | target.hostname | intermediary.hostname |
| USERID | security_result.action | If USER_LOGIN, security_result.action is set to ALLOW.<br>Else if USER_LOGOUT, security_result.action is set to UNKNOWN_ACTION. | Not mapped |
| USERID | User by Source | target.user.userid | |
| USERID (LEEF format) | User | about.user.userid | target.user.userid |
| HIPMATCH | Host ID | principal.mac | principal.asset.product_object_id |
| HIPMATCH | IPv6 System Address | src.ip | |
| HIPMATCH | Machine Name | | resource.resource_type is set to "DEVICE" |
| HIPMATCH | Operating System | principal.platform | principal.asset.platform_software.platform (enum) |
| HIPMATCH | Device Name | target.hostname | intermediary.hostname |
| HIPMATCH (LEEF) | Source User | about.user.userid | principal.user.userid |
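The two conditional rows above (THREAT "Severity" and the all-log-types "action" rule) are the ones most likely to break detection rules that key on `security_result.severity`, `security_result.action` or `event.idm.is_alert`. The following added example, which is not Chronicle's parser code, models both rules for the previous and the 2022-09-28 parser exactly as the table states them and reports which constructed sample records normalise differently. Where the table documents no mapping for a combination, the example assumes the UDM field is left unset and returns `None`; the `SAMPLE_THREATS` records are constructed, not real log data.

```python
"""Models the THREAT 'Severity' rule and the all-log-types 'action' rule from
the mapping table for both parser versions. Added illustration only; not the
Chronicle parser. Unmapped combinations are assumed to leave the field unset."""

PREVIOUS = "previous"
CURRENT = "2022-09-28"

# Subtypes the previous parser escalated to HIGH regardless of raw severity.
ESCALATED_SUBTYPES = {"wildfire-virus", "wildfire", "virus",
                      "vulnerability", "scan", "spyware"}

# Raw severity -> security_result.severity in the 2022-09-28 parser.
CURRENT_SEVERITY = {
    "low": "LOW", "medium": "MEDIUM", "informational": "INFORMATIONAL",
    "high": "HIGH", "error": "ERROR", "critical": "CRITICAL",
}


def threat_severity(severity, subtype, version):
    """security_result.severity for a THREAT log under the given parser version.
    Returns None where the table documents no mapping (assumed unset)."""
    sev = severity.lower()
    if version == PREVIOUS:
        if sev == "critical" or subtype in ESCALATED_SUBTYPES:
            return "HIGH"
        return None
    return CURRENT_SEVERITY.get(sev)


def action_fields(action, log_format, version):
    """(security_result.action, event.idm.is_alert) for the 'action' rule.
    None in either position means the table documents no value for it."""
    act = action.lower()
    if version == PREVIOUS:
        if act == "block":
            return None, True
        if act == "sinkhole":
            # Previous parser: format-dependent result for sinkholed traffic.
            return ("ALLOW_WITH_MODIFICATION" if log_format == "LEEF"
                    else "BLOCK"), None
        return None, None
    # 2022-09-28 parser: is_alert no longer set for BLOCK; sinkhole is BLOCK
    # regardless of format.
    if act == "sinkhole":
        return "BLOCK", None
    return None, None


def severity_changes(records):
    """records: iterable of (severity, subtype). Returns the records whose
    normalised severity differs between parser versions, with both values."""
    changed = []
    for severity, subtype in records:
        old = threat_severity(severity, subtype, PREVIOUS)
        new = threat_severity(severity, subtype, CURRENT)
        if old != new:
            changed.append((severity, subtype, old, new))
    return changed


# Constructed sample THREAT records (severity, subtype); not real log data.
SAMPLE_THREATS = [
    ("critical", "vulnerability"),  # HIGH -> CRITICAL
    ("medium", "spyware"),          # HIGH -> MEDIUM: subtype escalation dropped
    ("high", "vulnerability"),      # HIGH -> HIGH: unchanged
    ("low", "url"),                 # unset -> LOW
]

if __name__ == "__main__":
    for severity, subtype, old, new in severity_changes(SAMPLE_THREATS):
        print(f"severity={severity} subtype={subtype}: {old} -> {new}")
    for fmt in ("LEEF", "CSV"):
        print(f"sinkhole/{fmt}: {action_fields('sinkhole', fmt, PREVIOUS)}"
              f" -> {action_fields('sinkhole', fmt, CURRENT)}")
```

The point the output makes for a rule author: a rule matching `security_result.severity = "HIGH"` to catch spyware or vulnerability hits no longer fires for medium-severity events after the change, because severity now tracks the raw Palo Alto value instead of the subtype, and critical events move from HIGH to CRITICAL.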