1onsuccess: next_stage
2name: crowdsecurity/palo-alto-threat-log
3description: "Parse palo-alto-threat-log logs"
4filter: "evt.Parsed.program == 'palo-alto-threat'"
5pattern_syntax:
6  PAN_TIMESTAMP: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:%{MINUTE}:%{INT}"
7nodes:
8  - grok:
9      pattern: '(%{TIMESTAMP_ISO8601:syslog_timestamp} )?%{SYSLOGHOST:syslog_hostname} %{DATA:pan_reserved},%{DATA},%{WORD:serial_number},%{WORD:log_type},%{WORD:log_subtype},%{DATA:pan_unknown},%{PAN_TIMESTAMP:generation_timestamp},%{IP:src_ip},%{IP:dst_ip},%{IP:nat_src_ip},%{IP:nat_dst_ip},%{DATA:rule},%{DATA:src_user},%{DATA:dst_user},%{DATA:app},%{DATA:vsys},%{DATA:src_zone},%{DATA:dst_zone},%{DATA:ingress_int},%{DATA:egress_int},%{DATA:log_fwd_profile},%{DATA},%{DATA:session_id},%{DATA:repeat_count},%{DATA:src_port},%{DATA:dst_port},%{DATA:nat_src_port},%{DATA:nat_dst_port},%{DATA:pan_log_flags},%{DATA:ip_proto},%{DATA:action},("%{DATA:url_or_filename}")?,%{DATA:threat_id},%{DATA:url_category_or_wildfire_verdict},%{DATA:severity},%{DATA:direction},%{DATA:log_seq_num},%{DATA:fwd_to_panorama},%{DATA:src_country},%{DATA:dst_country},%{DATA:http_content_type},%{DATA:pcap_id},%{DATA:file_hash},%{DATA:wildfire_server},%{GREEDYDATA:unparsed_data}'
10      apply_on: message
11statics:
12  - target: evt.StrTime
13    expression: evt.Parsed.syslog_timestamp
14  - meta: log_type
15    value: palo_alto
16  - meta: source_ip
17    expression: evt.Parsed.src_ip
18  - meta: severity
19    expression: evt.Parsed.severity
20  - meta: threat_id
21    expression: evt.Parsed.threat_id
22  - meta: destination_location
23    expression: evt.Parsed.dst_country
24  - meta: source_location
25    expression: evt.Parsed.src_country
26  - meta: rule_name
27    expression: evt.Parsed.rule
28  - meta: application
29    expression: evt.Parsed.app
30  - meta: threat_type
31    expression: evt.Parsed.threat_id
32