Elastic Integrations

Palo Alto Networks

Palo Alto Networks Integration

Last updated on September 7th, 2021.

What's an integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the Elastic Stack. Behind the scenes, Elastic Agent runs the Beats shippers or Elastic Endpoint required for your configuration. Please refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

Overview

This integration is for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of Traffic and Threat types.

Compatibility

This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.

The ingest-geoip Elasticsearch plugin is required to run this module.

Logs

PAN-OS

Exported fields

Field | Description | Type
--- | --- | ---
@timestamp | Event timestamp. | date
client.bytes | Bytes sent from the client to the server. | long
client.ip | IP address of the client. | ip
client.nat.ip | Client NAT IP address. | ip
client.nat.port | Client NAT port. | long
client.packets | Packets sent from the client to the server. | long
client.port | Port of the client. | long
client.user.name | Short name or login of the user. | keyword
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.bytes | Bytes sent from the destination to the source. | long
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.nat.ip | Destination NAT IP. | ip
destination.nat.port | Destination NAT port. | long
destination.packets | Packets sent from the destination to the source. | long
destination.port | Port of the destination. | long
destination.user.email | User email address. | keyword
destination.user.name | Short name or login of the user. | keyword
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.action | The action captured by the event. | keyword
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.duration | Duration of the event in nanoseconds. | long
event.end | event.end contains the date when the event ended or when the activity was last observed. | date
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword
event.severity | Numeric severity of the event. | long
event.start | event.start contains the date when the event started or when the activity was first observed. | date
event.timezone | Event time zone. | keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
file.type | File type (file, dir, or symlink). | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host IP addresses. | ip
host.mac | Host MAC addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
hostname | Name of host parsed from syslog message. | keyword
http.request.referer | Referrer for this HTTP request. | keyword
input.type | Type of Filebeat input. | keyword
labels | Custom key/value pairs. | object
labels.captive_portal | | boolean
labels.container_page | | boolean
labels.http_proxy | | boolean
labels.ipv6_session | | boolean
labels.nat_translated | | boolean
labels.pcap_included | | boolean
labels.ssl_decrypted | | boolean
labels.symmetric_return | | boolean
labels.temporary_match | | boolean
labels.url_filter_denied | | boolean
labels.x_forwarded_for | | boolean
log.file.path | Path to the log file. | keyword
log.flags | Flags for the log file. | keyword
log.level | Log level of the log event. | keyword
log.offset | Offset of the entry in the log file. | long
log.original | Original log message with light interpretation only (encoding, newlines). | keyword
log.source.address | Source address from which the log event was read / sent from. | keyword
message | Log message optimized for viewing in a log viewer. | text
network.application | Application level protocol name. | keyword
network.bytes | Total bytes transferred in both directions. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.direction | Direction of the network traffic. | keyword
network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip
network.packets | Total packets transferred in both directions. | long
network.transport | Protocol name corresponding to the field iana_number. | keyword
network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. | keyword
observer.egress.interface.name | Interface name. | keyword
observer.egress.zone | Observer egress zone. | keyword
observer.hostname | Hostname of the observer. | keyword
observer.ingress.interface.name | Interface name. | keyword
observer.ingress.zone | Observer ingress zone. | keyword
observer.product | The product name of the observer. | keyword
observer.serial_number | Observer serial number. | keyword
observer.type | The type of the observer the data is coming from. | keyword
observer.vendor | Vendor name of the observer. | keyword
panw.panos.action | Action taken for the session. | keyword
panw.panos.action_flags | 32-bit field that provides details on the session; details about specific values are found in the Palo Alto Traffic Field documentation. | keyword
panw.panos.action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session. | keyword
panw.panos.content_version | Applications and Threats version on your firewall when the log was generated. | keyword
panw.panos.destination.interface | Destination interface for this session. | keyword
panw.panos.destination.nat.ip | Post-NAT destination IP. | ip
panw.panos.destination.nat.port | Post-NAT destination port. | long
panw.panos.destination.zone | Destination zone for this session. | keyword
panw.panos.destination_vm_uuid | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. | keyword
panw.panos.device_group_hierarchy1 | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword
panw.panos.device_group_hierarchy2 | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword
panw.panos.device_group_hierarchy3 | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword
panw.panos.device_group_hierarchy4 | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword
panw.panos.endreason | The reason a session terminated. | keyword
panw.panos.file.hash | Binary hash for a threat file sent to be analyzed by the WildFire service. | keyword
panw.panos.flow_id | Internal numeric identifier for each session. | keyword
panw.panos.http_content_type | Content type of the HTTP response data. | keyword
panw.panos.http_headers | Indicates the inserted HTTP header in the URL log entries on the firewall. | keyword
panw.panos.imei | International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment. | keyword
panw.panos.imsi | International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system. | keyword
panw.panos.log_profile | Log Forwarding Profile that was applied to the session. | keyword
panw.panos.network.nat.community_id | Community ID flow-hash for the NAT 5-tuple. | keyword
panw.panos.network.pcap_id | Packet capture ID for a threat. | keyword
panw.panos.parent_session.id | ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only. | keyword
panw.panos.parent_session.start_time | Date that the parent tunnel session began. | date
panw.panos.payload_protocol_id | ID of the protocol for the payload in the data portion of the data chunk. | keyword
panw.panos.related_vsys | Virtual System associated with the session. | keyword
panw.panos.repeat_count | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. | long
panw.panos.ruleset | Name of the rule that matched this session. | keyword
panw.panos.scp.assoc_id | Number that identifies all connections for an association between two SCTP endpoints. | keyword
panw.panos.scp.chunks | Sum of SCTP chunks sent and received for an association. | long
panw.panos.scp.chunks_received | Number of SCTP chunks received for an association. | long
panw.panos.scp.chunks_sent | Number of SCTP chunks sent for an association. | long
panw.panos.sequence_number | Log entry identifier that is incremented sequentially. Unique for each log type. | long
panw.panos.source.interface | Source interface for this session. | keyword
panw.panos.source.nat.ip | Post-NAT source IP. | ip
panw.panos.source.nat.port | Post-NAT source port. | long
panw.panos.source.zone | Source zone for this session. | keyword
panw.panos.source_vm_uuid | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. | keyword
panw.panos.sub_type | Specifies the sub type of the log. | keyword
panw.panos.threat.id | Palo Alto Networks identifier for the threat. | keyword
panw.panos.threat.name | Palo Alto Networks name for the threat. | keyword
panw.panos.threat.resource | URL or file name for a threat. | keyword
panw.panos.threat_category | Describes threat categories used to classify different types of threat signatures. | keyword
panw.panos.tunnel_type | Type of tunnel, such as GRE or IPSec. | keyword
panw.panos.type | Specifies the type of the log. | keyword
panw.panos.url.category | For threat URLs, it's the URL category. For WildFire, it's the verdict on the file: either 'malicious', 'grayware', or 'benign'. | keyword
panw.panos.url_idx | When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. | keyword
panw.panos.vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | keyword
panw.panos.wildfire.name | Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | keyword
panw.panos.wildfire.report_id | Identifies the analysis request on the WildFire cloud or the WildFire appliance. | keyword
panw.panos.wildfire_name | Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | keyword
related.hash | All the hashes seen on your event. | keyword
related.hosts | All the host identifiers seen on your event. | keyword
related.ip | All of the IPs seen on your event. | ip
related.user | All the user names seen on your event. | keyword
rule.name | Rule name. | keyword
server.bytes | Bytes sent from the server to the client. | long
server.ip | IP address of the server. | ip
server.nat.ip | Server NAT IP. | ip
server.nat.port | Server NAT port. | long
server.packets | Packets sent from the server to the client. | long
server.port | Port of the server. | long
server.user.name | Short name or login of the user. | keyword
source.address | Source network address. | keyword
source.as.number | Unique number allocated to the autonomous system. | long
source.as.organization.name | Organization name. | keyword
source.bytes | Bytes sent from the source to the destination. | long
source.geo.city_name | City name. | keyword
source.geo.continent_name | Name of the continent. | keyword
source.geo.country_iso_code | Country ISO code. | keyword
source.geo.country_name | Country name. | keyword
source.geo.location | Longitude and latitude. | geo_point
source.geo.name | User-defined description of a location. | keyword
source.geo.region_iso_code | Region ISO code. | keyword
source.geo.region_name | Region name. | keyword
source.ip | IP address of the source. | ip
source.nat.ip | Source NAT IP. | ip
source.nat.port | Source NAT port. | long
source.packets | Packets sent from the source to the destination. | long
source.port | Port of the source. | long
source.user.email | User email address. | keyword
source.user.name | Short name or login of the user. | keyword
syslog.facility | Syslog numeric facility of the event. | long
syslog.facility_label | Syslog text-based facility of the event. | keyword
syslog.priority | Syslog priority of the event. | long
syslog.severity_label | Syslog text-based severity of the event. | keyword
tags | List of keywords used to tag each event. | keyword
url.original | Unmodified original URL as seen in the event source. | wildcard
user_agent.original | Unparsed user_agent string. | keyword
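As an added example (not code from the Elastic integration, whose ingest pipeline does this work inside Elasticsearch), the Python below parses one constructed PAN-OS TRAFFIC syslog line of the kind the Overview describes into the ECS and panw.panos.* field names listed above, and decodes the 32-bit session flags field into the labels.* booleans. The CSV column layout and the flag bit masks are assumptions of this example, written down from Palo Alto's traffic log documentation as recalled here; verify both against the documentation for the PAN-OS version you run. The sample line is constructed and uses documentation address ranges only.

```python
import csv
import io
import re
from typing import Any, Dict

# ASSUMPTION: first 47 columns of a PAN-OS 8.x TRAFFIC log, in order. Verify
# against the traffic log field documentation for your PAN-OS version.
TRAFFIC_COLUMNS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from_zone", "to_zone", "inbound_if",
    "outbound_if", "logset", "future_use3", "sessionid", "repeatcnt", "sport",
    "dport", "natsport", "natdport", "flags", "proto", "action", "bytes",
    "bytes_sent", "bytes_received", "packets", "start", "elapsed", "category",
    "future_use4", "seqno", "actionflags", "srcloc", "dstloc", "future_use5",
    "pkts_sent", "pkts_received", "session_end_reason",
]

# ASSUMPTION: bit masks of the 32-bit "Flags" column, keyed to the labels.*
# fields the integration exports (from Palo Alto's Flags documentation as
# recalled here; verify for your version).
FLAG_BITS = {
    0x80000000: "pcap_included",
    0x02000000: "ipv6_session",
    0x01000000: "ssl_decrypted",
    0x00800000: "url_filter_denied",
    0x00400000: "nat_translated",
    0x00200000: "captive_portal",
    0x00080000: "x_forwarded_for",
    0x00040000: "http_proxy",
    0x00008000: "container_page",
    0x00002000: "temporary_match",
    0x00000800: "symmetric_return",
}

# BSD-style syslog header: <PRI>Mon DD hh:mm:ss host message
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample line (not a real firewall export); the rule name is quoted
# because it contains a comma, which is why a real CSV parser is needed.
SAMPLE_LINE = (
    r'<14>Jan 12 10:00:00 PA-FW '
    r'1,2021/01/12 10:00:00,001701000001,TRAFFIC,end,2049,2021/01/12 10:00:00,'
    r'10.0.0.5,93.184.216.34,203.0.113.10,93.184.216.34,"Allow-Web, outbound",'
    r'corp\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,'
    r'Default-Forwarding,2021/01/12 10:00:00,12345,1,51234,443,17890,443,'
    r'0x400019,tcp,allow,9876,3456,6420,42,2021/01/12 09:59:50,10,any,0,'
    r'98765432,0x0,10.0.0.0-10.255.255.255,United States,0,22,20,tcp-fin,'
    r'0,0,0,0,,PA-FW,from-policy'
)


def decode_flags(flags: str) -> Dict[str, bool]:
    """Turn the hexadecimal flags column into the labels.* booleans."""
    value = int(flags, 16)
    return {name: bool(value & mask) for mask, name in FLAG_BITS.items()}


def parse_traffic_line(line: str) -> Dict[str, Any]:
    """Map one PAN-OS TRAFFIC syslog line onto the integration's field names."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    row = next(csv.reader(io.StringIO(m.group("msg"))))
    if len(row) < len(TRAFFIC_COLUMNS):
        raise ValueError(f"expected >= {len(TRAFFIC_COLUMNS)} fields, got {len(row)}")
    rec = dict(zip(TRAFFIC_COLUMNS, row))
    if rec["type"] != "TRAFFIC":
        raise ValueError(f"unsupported log type {rec['type']!r}")
    pri = int(m.group("pri"))
    event: Dict[str, Any] = {
        "hostname": m.group("host"),
        "syslog.priority": pri,
        "syslog.facility": pri >> 3,          # RFC 3164: PRI = facility*8 + severity
        "observer.serial_number": rec["serial"],
        "panw.panos.type": rec["type"],
        "panw.panos.sub_type": rec["subtype"],
        "client.ip": rec["src"], "server.ip": rec["dst"],
        "client.nat.ip": rec["natsrc"], "server.nat.ip": rec["natdst"],
        "client.port": int(rec["sport"]), "server.port": int(rec["dport"]),
        "client.nat.port": int(rec["natsport"]), "server.nat.port": int(rec["natdport"]),
        "client.user.name": rec["srcuser"] or None,
        "panw.panos.ruleset": rec["rule"],
        "network.application": rec["app"],
        "network.transport": rec["proto"],
        "panw.panos.source.zone": rec["from_zone"],
        "panw.panos.destination.zone": rec["to_zone"],
        "observer.ingress.interface.name": rec["inbound_if"],
        "observer.egress.interface.name": rec["outbound_if"],
        "panw.panos.flow_id": rec["sessionid"],
        "panw.panos.repeat_count": int(rec["repeatcnt"]),
        "panw.panos.action": rec["action"],
        "network.bytes": int(rec["bytes"]),
        "client.bytes": int(rec["bytes_sent"]),       # client -> server direction
        "server.bytes": int(rec["bytes_received"]),   # server -> client direction
        "network.packets": int(rec["packets"]),
        "client.packets": int(rec["pkts_sent"]),
        "server.packets": int(rec["pkts_received"]),
        "event.duration": int(rec["elapsed"]) * 1_000_000_000,  # seconds -> ns
        "panw.panos.endreason": rec["session_end_reason"],
    }
    for name, on in decode_flags(rec["flags"]).items():
        event[f"labels.{name}"] = on
    return event


if __name__ == "__main__":
    for k, v in parse_traffic_line(SAMPLE_LINE).items():
        print(f"{k}: {v}")
```

The flags decoding is the part worth keeping close at hand when reviewing these events: the labels.* booleans tell you whether a session was NAT-translated, decrypted by the firewall, denied by URL filtering, or captured to PCAP, which is far quicker to filter on than the raw hex value.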