Mapping changes in Palo Alto Networks firewall parser

This document describes the field mapping changes made in the Palo Alto Networks firewall default parser on 2022-09-28.

| Log type | Log field | UDM mapping in previous versions | UDM mapping in default parser version 2022-09-28 |
|---|---|---|---|
| All log types (LEEF) | Session End Reason | security_result.detection_fields.key/value | security_result.summary |
| All log types (LEEF) | Bytes | security_result.detection_fields.key/value | about.labels.key/value |
| All log types (LEEF/CSV) | Source Zone | security_result.detection_fields.key/value | principal.labels.key/value |
| All log types (LEEF/CSV) | Destination Zone | security_result.detection_fields.key/value | target.labels.key/value |
| All log types (LEEF) | intermediary (observer_hostname) | intermediary.hostname | observer.hostname |
| All log types (LEEF) | action | If "action" is "BLOCK", "event.idm.is_alert" is set to "true".<br>If "action" is "sinkhole" and format is "LEEF", "security_result.action" is set to "ALLOW_WITH_MODIFICATION".<br>If "action" is "sinkhole" and format is "CSV", "security_result.action" is set to "BLOCK". | If "action" is "BLOCK", "event.idm.is_alert" is not set to "true".<br>If "action" is "sinkhole", "security_result.action" is set to "BLOCK". |
| TRAFFIC | Serial | metadata.product_log_id | intermediary.asset.hardware.serial_number |
| TRAFFIC | NAT Source IP | src.ip, principal.nat_ip | principal.nat_ip |
| TRAFFIC | NAT Destination IP | If "natDstAddress" is not equal to "dstAddress", NAT Destination IP is mapped to "target.nat_ip" and "target.ip". | target.nat_ip |
| TRAFFIC | Destination Zone | security_result.detection_fields.key/value | target.labels.key/value |
| TRAFFIC | Bytes Sent | network.sent_bytes | network.received_bytes |
| TRAFFIC | Bytes Received | network.received_bytes | network.sent_bytes |
| TRAFFIC | Elapsed Time | network.session_duration.seconds | about.labels.key/value |
| TRAFFIC | Category | security_result.description | security_result.category_details |
| TRAFFIC | Application | CSV: mapped to security_result.about.application<br>LEEF: mapped to principal.application | target.application |
| THREAT | Tunnel Type | security_result.category_details | about.labels.key/value |
| THREAT | Threat/Content Name | security_result.summary | security_result.threat_name |
| THREAT | NAT Source IP | principal.nat_ip<br>src.ip | principal.nat_ip |
| THREAT | X-Forwarded-For | If index == 0, principal.ip<br>If index > 0, intermediary.ip | principal.ip |
| THREAT | URL/Filename | target.file.full_path<br>target.hostname<br>target.url | target.file.full_path<br>target.url |
| THREAT | Application [all subtypes except "file", "url"] | security_result.about.application | target.application |
| THREAT | Application [subtype "file", "url"] | security_result.about.application | network.application_protocol |
| THREAT | Category | security_result.description | security_result.category_details |
| THREAT | Threat Category | security_result.category_details | security_result.detection_fields |
| THREAT | HTTP Headers | If "httpHeaders" contains "travel" or "computer-and-internet-info", it is mapped to "security_result.category_details"; otherwise it is not mapped. | about.labels.key/value |
| THREAT | Cloud | target.file.sha256 | about.labels.key/value |
| THREAT | Serial Number | metadata.product_log_id | intermediary.asset.hardware.serial_number |
| THREAT | Severity | If Severity is "critical" or subtype is "wildfire-virus", "wildfire", "virus", "vulnerability", "scan", or "spyware", "security_result.severity" is set to "HIGH". | If severity is "low", "security_result.severity" is set to "LOW".<br>If severity is "medium", "security_result.severity" is set to "MEDIUM".<br>If severity is "informational", "security_result.severity" is set to "INFORMATIONAL".<br>If severity is "high", "security_result.severity" is set to "HIGH".<br>If severity is "error", "security_result.severity" is set to "ERROR".<br>If severity is "critical", "security_result.severity" is set to "CRITICAL".<br>security_result.severity_details |
| THREAT (LEEF) | URL/Filename [subtype "virus", "wildfire-virus", "wildfire", "file"] | security_result.description | target.file.full_path |
| THREAT (LEEF) | URL/Filename [subtype "url"] | security_result.description | target.url |
| THREAT (LEEF) | Threat Category | security_result.category_details | security_result.detection_fields.key/value |
| THREAT (LEEF) | URL/Filename [all subtypes] | "urlHostname" and "urlPath" are extracted from Miscellaneous, and "urlHostname" is mapped to "target.hostname". | Not mapped |
| THREAT (LEEF) | Application | network.application_protocol | If Application is DNS, then:<br>"network.dns.opcode" is set to 0<br>"metadata.event_type" is set to "NETWORK_DNS"<br>"dnsQuestion.name" is set to "%{urlHostname}"<br>"dnsQuestion.name" is set to "%{dst}"<br>If subtype is "file" or "url", Application is mapped to network.application_protocol. |
| SYSTEM | platform_version [subtype globalprotect] | principal.platform_version | principal.asset.software.platform_version |
| SYSTEM | Description [subtype dhcp] | MAC address extracted using grok<br>principal.mac is set to "%{mac}"<br>"dhcp_client_hostname" extracted and mapped to network.dhcp.client_hostname and principal.hostname | MAC address extracted using grok<br>network.dhcp.chaddr is set to "%{mac}"<br>"dhcp_client_hostname" extracted and mapped to network.dhcp.client_hostname |
| SYSTEM | Device Name [subtype dhcp] | network.dhcp.sname and intermediary.hostname | intermediary.hostname |
| SYSTEM | Event ID, Description [subtype "url-filtering", "userid", "monitoring", "syslog", "general", "vpn", "satd", "panorama-check"] | metadata.description is set to "%{Event ID}" -- "%{Description}" | metadata.description is set to "%{Description}" |
| SYSTEM | action | security_result.action = ALLOW or BLOCK or UNKNOWN_ACTION<br>If type == SYSTEM and subType = auth/globalprotect: action = ALLOW<br>If [Message] ~= Login Failed: action = BLOCK | If type is SYSTEM, subType is auth/globalprotect, and message contains "Login Failed", security_result.action is set to "BLOCK". |
| SYSTEM | deviceName [subtype globalprotect] | If "Event ID" includes "globalprotectgateway-config" and deviceName is not empty, event_type is set to RESOURCE_CREATION, deviceName is mapped to target.resource.resource_name, and target.resource.resource_type is set to ACCESS_POLICY. | target.resource.name<br>target.resource.resource_type is not set |
| USERID (CSV format) | User | principal.user.userid<br>principal.administrative_domain<br>target.user.email_addresses | target.user.userid<br>target.administrative_domain<br>target.user.email_addresses |
| USERID | Device Name | target.hostname | intermediary.hostname |
| USERID | security_result.action | If USER_LOGIN, security_result.action is set to ALLOW<br>Else if USER_LOGOUT, security_result.action is set to UNKNOWN_ACTION | Not mapped |
| USERID | User by Source | target.user.userid<br>target.user.email_addresses | principal.user.userid<br>principal.administrative_domain<br>principal.user.email_addresses |
| USERID (LEEF format) | User | about.user.userid | target.user.userid |
| HIPMATCH | Host ID | principal.mac | principal.asset.product_object_id |
| HIPMATCH | IPv6 System Address | src.ip<br>principal.nat_ip | principal.asset.ip |
| HIPMATCH | Machine Name | target.resource.name<br>resource.resource_type is set to "DEVICE" | principal.hostname |
| HIPMATCH | Operating System | principal.platform | principal.asset.platform_software.platform (enum) |
| HIPMATCH | UDM event type | SCAN_HOST | STATUS_UPDATE |
| HIPMATCH (LEEF) | Source User | about.user.userid | principal.user.userid |
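The practical consequence of the THREAT Severity and all-log-types "action" rows is that detection rules keyed on the old values (for example, `security_result.severity = "HIGH"` for a spyware hit, or `event.idm.is_alert`) stop matching after the parser update. The following is an added illustration, not Chronicle's or Palo Alto Networks' parser code: it models those two rules for both parser versions and lists the inputs whose UDM output changed. The flat record layout (`severity`, `subtype`, `action`, `format` keys) is an assumption made for the demo.

```python
"""Added example, not parser code: models the THREAT Severity and the
all-log-types 'action' rules from the mapping table for the previous parser
and the 2022-09-28 parser. Record keys are assumed for the demo."""

HIGH_SUBTYPES = {"wildfire-virus", "wildfire", "virus", "vulnerability", "scan", "spyware"}
NEW_SEVERITY = {"low": "LOW", "medium": "MEDIUM", "informational": "INFORMATIONAL",
                "high": "HIGH", "error": "ERROR", "critical": "CRITICAL"}


def map_security_result(record, version):
    """Return the security_result / is_alert fields a parser version emits for one record."""
    sev = record.get("severity", "").lower()
    sub = record.get("subtype", "").lower()
    act = record.get("action", "").lower()
    fmt = record.get("format", "CSV")
    out = {}
    if version == "previous":
        # Previous parser: only HIGH is ever produced, for critical severity or listed subtypes.
        if sev == "critical" or sub in HIGH_SUBTYPES:
            out["security_result.severity"] = "HIGH"
        if act == "block" and fmt == "LEEF":       # is_alert row applies to LEEF only
            out["event.idm.is_alert"] = "true"
        if act == "sinkhole":
            out["security_result.action"] = "ALLOW_WITH_MODIFICATION" if fmt == "LEEF" else "BLOCK"
    else:
        # 2022-09-28 parser: severity passes through, subtype is ignored, is_alert is
        # no longer set, and sinkhole is BLOCK regardless of format.
        if sev in NEW_SEVERITY:
            out["security_result.severity"] = NEW_SEVERITY[sev]
        if act == "sinkhole":
            out["security_result.action"] = "BLOCK"
    return out


def changed_mappings(records):
    """Return (record, previous_udm, new_udm) for records whose output differs between versions."""
    diffs = []
    for rec in records:
        old, new = map_security_result(rec, "previous"), map_security_result(rec, "new")
        if old != new:
            diffs.append((rec, old, new))
    return diffs


# Constructed sample records (not real firewall output), covering the changed paths.
SAMPLES = [
    {"severity": "medium", "subtype": "spyware", "action": "alert", "format": "CSV"},
    {"severity": "critical", "subtype": "vulnerability", "action": "block", "format": "LEEF"},
    {"severity": "low", "subtype": "url", "action": "sinkhole", "format": "LEEF"},
]

if __name__ == "__main__":
    for rec, old, new in changed_mappings(SAMPLES):
        print(rec, "\n  previous:", old, "\n  2022-09-28:", new)
```

Every sample record changes at least one of these fields, which is the kind of check worth running against a rule set before rolling the parser update into production.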