diff --git a/paloalto/AX-generation/README b/paloalto/AX-generation/README
deleted file mode 100644
index 0ef583df..00000000
--- a/paloalto/AX-generation/README
+++ /dev/null
@@ -1,7 +0,0 @@
-This directory contains tools to generate autoextractors for Palo Alto log types.
-
-Running `makeax.sh` will create a single file, `palo.ax`, which contains all the extractor definitions.
-
-The .txt files contain field names (e.g. "Source Address") as described in the topics under https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions.html
-
-Those field names are converted to appropriate short names via the lookup table maintained in the `map` file.
diff --git a/paloalto/AX-generation/auth.txt b/paloalto/AX-generation/auth.txt
deleted file mode 100644
index c27c83a8..00000000
--- a/paloalto/AX-generation/auth.txt
+++ /dev/null
@@ -1,46 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-FUTURE_USE2
-Generated Time
-Virtual System
-Source IP
-User
-Normalize User
-Object
-Authentication Policy
-Repeat Count
-Authentication ID
-Vendor
-Log Action
-Server Profile
-Description
-Client Type
-Event Type
-Factor Number
-Sequence Number
-Action Flags
-Device Group Hierarchy 1
-Device Group Hierarchy 2
-Device Group Hierarchy 3
-Device Group Hierarchy 4
-Virtual System Name
-Device Name
-Virtual System ID
-Authentication Protocol
-UUID for rule
-High Resolution Timestamp
-Source Device Category
-Source Device Profile
-Source Device Model
-Source Device Vendor
-Source Device OS Family
-Source Device OS Version
-Source Hostname
-Source Mac Address
-Region
-FUTURE_USE3
-User Agent
-Session ID
\ No newline at end of file
diff --git a/paloalto/AX-generation/check.rc b/paloalto/AX-generation/check.rc
deleted file mode 100755
index 389149fe..00000000
--- a/paloalto/AX-generation/check.rc
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/local/plan9/bin/rc
-for (i in *.txt) {
- echo $i:
- awk -F ' ' 'NR==FNR { map[$1] = $2; next }
- $0 in map { $0 = map[$0] }
- { print }' map $i | grep '^[A-Z]'
-}
diff --git a/paloalto/AX-generation/config.txt b/paloalto/AX-generation/config.txt
deleted file mode 100644
index 4977b7c4..00000000
--- a/paloalto/AX-generation/config.txt
+++ /dev/null
@@ -1,26 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Subtype
-FUTURE_USE2
-Generated Time
-Host
-Virtual System
-Command
-Admin
-Client
-Result
-Configuration Path
-Before Change Detail
-After Change Detail
-Sequence Number
-Action Flags
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Device Group
-Audit Comment
\ No newline at end of file
diff --git a/paloalto/AX-generation/convert.sh b/paloalto/AX-generation/convert.sh
deleted file mode 100755
index 200ba3f5..00000000
--- a/paloalto/AX-generation/convert.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-awk -F ' ' 'NR==FNR { map[$1] = $2; next }
-$0 in map { $0 = map[$0] }
-{ print }' map $1 \
-| sed ':a;N;$!ba;s/\n/, /g'
\ No newline at end of file
diff --git a/paloalto/AX-generation/correlation.txt b/paloalto/AX-generation/correlation.txt
deleted file mode 100644
index 4a642aa5..00000000
--- a/paloalto/AX-generation/correlation.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Content/Threat Type
-FUTURE_USE2
-Generated Time
-Source Address
-Source User
-Virtual System
-Category
-Severity
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Virtual System ID
-Object Name
-Object ID
-Evidence
\ No newline at end of file
diff --git a/paloalto/AX-generation/decryption.txt b/paloalto/AX-generation/decryption.txt
deleted file mode 100644
index ba14652b..00000000
--- a/paloalto/AX-generation/decryption.txt
+++ /dev/null
@@ -1,106 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-Config Version
-Generate Time
-Source Address
-Destination Address
-NAT Source IP
-NAT Destination IP
-Rule
-Source User
-Destination User
-Application
-Virtual System
-Source Zone
-Destination Zone
-Inbound Interface
-Outbound Interface
-Log Action
-Time Logged
-Session ID
-Repeat Count
-Source Port
-Destination Port
-NAT Source Port
-NAT Destination Port
-Flags
-IP Protocol
-Action
-Tunnel
-FUTURE_USE2
-FUTURE_USE3
-Source VM UUID
-Destination VM UUID
-UUID for rule
-Stage for Client to Firewall
-Stage for Firewall to Server
-TLS Version
-Key Exchange Algorithm
-Encryption Algorithm
-Hash Algorithm
-Policy Name
-Elliptic Curve
-Error Index
-Root Status
-Chain Status
-Proxy Type
-Certificate Serial Number
-Fingerprint
-Certificate Start Date
-Certificate End Date
-Certificate Version
-Certificate Size
-Common Name Length
-Issuer Common Name Length
-Root Common Name Length
-SNI Length
-Certificate Flags
-Subject Common Name
-Issuer Subject Common Name
-Root Subject Common Name
-Server Name Indication
-Error
-Container ID
-POD Namespace
-POD Name
-Source External Dynamic List
-Destination External Dynamic List
-Source Dynamic Address Group
-Destination Dynamic Address Group
-High Res Timestamp
-Source Device Category
-Source Device Profile
-Source Device Model
-Source Device Vendor
-Source Device OS Family
-Source Device OS Version
-Source Hostname
-Source Mac Address
-Destination Device Category
-Destination Device Profile
-Destination Device Model
-Destination Device Vendor
-Destination Device OS Family
-Destination Device OS Version
-Destination Hostname
-Destination Mac Address
-Sequence Number
-Action Flags
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Virtual System ID
-Application Subcategory
-Application Category
-Application Technology
-Application Risk
-Application Characteristic
-Application Container
-Application SaaS
-Application Sanctioned State
\ No newline at end of file
diff --git a/paloalto/AX-generation/globalprotect.txt b/paloalto/AX-generation/globalprotect.txt
deleted file mode 100644
index 5a79e986..00000000
--- a/paloalto/AX-generation/globalprotect.txt
+++ /dev/null
@@ -1,49 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-FUTURE_USE2
-Generated Time
-Virtual System
-Event ID
-Stage
-Authentication Method
-Tunnel Type
-Source User
-Source Region
-Machine Name
-Public IP
-Public IPv6
-Private IP
-Private IPv6
-Host ID
-User Device Serial Number
-Client Version
-Client OS
-Client OS Version
-Repeat Count
-Reason
-Error
-Description
-Status
-Location
-Login Duration
-Connect Method
-Error Code
-Portal
-Sequence Number
-Action Flags
-High Res Timestamp
-Selection Type
-Response Time
-Priority
-Attempted Gateways
-Gateway
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Virtual System ID
\ No newline at end of file
diff --git a/paloalto/AX-generation/gtp.txt b/paloalto/AX-generation/gtp.txt
deleted file mode 100644
index 4689cb70..00000000
--- a/paloalto/AX-generation/gtp.txt
+++ /dev/null
@@ -1,94 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-FUTURE_USE2
-Generated Time
-Source Address
-Destination Address
-FUTURE_USE3
-FUTURE_USE4
-Rule Name
-FUTURE_USE5
-FUTURE_USE6
-Application
-Virtual System
-Source Zone
-Destination Zone
-Inbound Interface
-Outbound Interface
-Log Action
-FUTURE_USE7
-Session ID
-FUTURE_USE8
-Source Port
-Destination Port
-FUTURE_USE9
-FUTURE_USE10
-FUTURE_USE11
-Protocol
-Action
-GTP Event Type
-MSISDN
-Access Point Name
-Radio Access Technology
-GTP Message Type
-End User IP Address
-Tunnel Endpoint Identifier1
-Tunnel Endpoint Identifier2
-GTP Interface
-GTP Cause
-Severity
-Serving Country MCC
-Serving Network MNC
-Area Code
-Cell ID
-GTP Event Code
-FUTURE_USE12
-FUTURE_USE13
-Source Location
-Destination Location
-FUTURE_USE14
-FUTURE_USE15
-FUTURE_USE16
-FUTURE_USE17
-FUTURE_USE18
-FUTURE_USE19
-FUTURE_USE20
-Tunnel ID/IMSI
-Monitor Tag/IMEI
-FUTURE_USE21
-FUTURE_USE22
-FUTURE_USE23
-FUTURE_USE24
-FUTURE_USE25
-FUTURE_USE26
-FUTURE_USE27
-FUTURE_USE28
-FUTURE_USE29
-FUTURE_USE30
-FUTURE_USE31
-FUTURE_USE32
-FUTURE_USE33
-FUTURE_USE34
-FUTURE_USE35
-FUTURE_USE36
-Start Time
-Elapsed Time
-Tunnel Inspection Rule
-Remote User IP
-Remote User ID
-UUID for rule
-PCAP ID
-High Resolution Timestamp
-A Slice Service Type
-A Slice Differentiator
-Application Subcategory
-Application Category
-Application Technology
-Application Risk
-Application Characteristic
-Application Container
-Application SaaS
-Application Sanctioned State
\ No newline at end of file
diff --git a/paloalto/AX-generation/hipmatch.txt b/paloalto/AX-generation/hipmatch.txt
deleted file mode 100644
index 00665a6f..00000000
--- a/paloalto/AX-generation/hipmatch.txt
+++ /dev/null
@@ -1,31 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-FUTURE_USE2
-Generated Time
-Source User
-Virtual System
-Machine Name
-Operating System
-Source Address
-HIP
-Repeat Count
-HIP Type
-FUTURE_USE3
-FUTURE_USE4
-Sequence Number
-Action Flags
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Virtual System ID
-IPv6 Source Address
-Host ID
-User Device Serial Number
-Device MAC Address
-High Resolution Timestamp
diff --git a/paloalto/AX-generation/iptag.txt b/paloalto/AX-generation/iptag.txt
deleted file mode 100644
index 93ebbbf4..00000000
--- a/paloalto/AX-generation/iptag.txt
+++ /dev/null
@@ -1,26 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial
-Type
-Threat/Content Type
-FUTURE_USE2
-Generate Time
-Virtual System
-Source IP
-Tag Name
-Event ID
-Repeat Count
-Timeout
-Data Source Name
-Data Source Type
-Data Source Subtype
-Sequence Number
-Action Flags
-DG Hierarchy Level 1
-DG Hierarchy Level 2
-DG Hierarchy Level 3
-DG Hierarchy Level 4
-Virtual System Name
-Device Name
-Virtual System ID
-High Resolution Timestamp
\ No newline at end of file
diff --git a/paloalto/AX-generation/makeax.sh b/paloalto/AX-generation/makeax.sh
deleted file mode 100755
index 18fb9492..00000000
--- a/paloalto/AX-generation/makeax.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-rm palo.ax
-for i in *.txt
-do
- # generate the CSV "params"
- NAME=`basename -s .txt $i`
- # now build the AX TOML file
- echo '[[extraction]]' >> palo.ax
- echo name = \"Palo Alto $NAME\" >> palo.ax
- echo tag = \"pan_$NAME\" >> palo.ax
- echo desc = \"Palo Alto $NAME log format\" >> palo.ax
- echo module = \"csv\" >> palo.ax
- echo params = \"`./convert.sh $i`\" >> palo.ax
- echo >> palo.ax
-done
-cat palo.ax
diff --git a/paloalto/AX-generation/map b/paloalto/AX-generation/map
deleted file mode 100644
index e1985b89..00000000
--- a/paloalto/AX-generation/map
+++ /dev/null
@@ -1,335 +0,0 @@
-Action action
-Action Flags actionflags
-Action Source action_source
-App Flap Count link_change_count
-Application app
-Application Category category_of_app
-Application Characteristic characteristic_of_app
-Application Container container_of_app
-Application Risk risk_of_app
-Application SaaS is_saas_of_app
-Application Sanctioned State sanctioned_state_of_app
-Application Subcategory subcategory_of_app
-Application Technology technology_of_app
-A Slice Differentiator nsdsai_sd
-A Slice Service Type nsdsai_sst
-Attempted Gateways attempted_gateways
-Authentication Method auth_method
-Bytes bytes
-Bytes Received bytes_received
-Bytes Sent bytes_sent
-Category category
-Certificate End Date notafter
-Certificate Flags cert_flags
-Certificate Serial Number cert_serial
-Certificate Size cert_size
-Certificate Start Date notbefore
-Certificate Version cert_ver
-Chain Status chain_status
-Client OS client_os
-Client OS Version client_os_ver
-Client Version client_ver
-Cloud cloud
-Cloud Report ID cloud_reportid
-Common Name Length cn_len
-Config Version config_ver
-Connect Method connect_method
-Container ID container_id
-Content Type contenttype
-Content Version contentver
-Data Source datasource
-Data Source Name datasourcename
-Data Source Subtype datasource_subtype
-Data Source Type datasource_type
-Description description
-Destination Address dst
-Destination Country dstloc
-Destination Device Category dst_category
-Destination Device Model dst_model
-Destination Device OS Family dst_osfamily
-Destination Device OS Version dst_osversion
-Destination Device Profile dst_profile
-Destination Device Vendor dst_vendor
-Destination Dynamic Address Group dst_dag
-Destination External Dynamic List dst_edl
-Destination Hostname dst_host
-Destination Location dstloc
-Destination Mac Address dst_mac
-Destination MAC Address dst_mac
-Destination Port dport
-Destination User dstuser
-Destination VM UUID dst_uuid
-Destination Zone to
-Device Group Hierarchy 1 dg_hier_level_1
-Device Group Hierarchy 2 dg_hier_level_2
-Device Group Hierarchy 3 dg_hier_level_3
-Device Group Hierarchy 4 dg_hier_level_4
-Device Group Hierarchy Level 1 dg_hier_level_1
-Device Group Hierarchy Level 2 dg_hier_level_2
-Device Group Hierarchy Level 3 dg_hier_level_3
-Device Group Hierarchy Level 4 dg_hier_level_4
-Device MAC Address mac
-Device Name device_name
-DG Hierarchy Level 1 dg_hier_level_1
-DG Hierarchy Level 2 dg_hier_level_2
-DG Hierarchy Level 3 dg_hier_level_3
-DG Hierarchy Level 4 dg_hier_level_4
-Direction direction
-Domain EDL domain_edl
-Dynamic User Group dynusergroup_name
-Dynamic User Group Name dynusergroup_name
-Elapsed Time elapsed
-Elliptic Curve ec_curve
-Encryption Algorithm tls_enc
-Error Code error_code
-Error error
-Error Index err_index
-Event ID eventid
-Factor Completion Time factorcompletiontime
-Factor Number factorno
-Factor Type factortype
-File Digest filedigest
-File Type filetype
-Fingerprint fingerprint
-Flags flags
-FUTURE_USE1 future_use1
-FUTURE_USE2 future_use2
-FUTURE_USE3 future_use3
-FUTURE_USE4 future_use4
-FUTURE_USE5 future_use5
-FUTURE_USE6 future_use6
-FUTURE_USE7 future_use7
-FUTURE_USE8 future_use8
-FUTURE_USE9 future_use9
-FUTURE_USE10 future_use10
-FUTURE_USE11 future_use11
-FUTURE_USE12 future_use12
-FUTURE_USE13 future_use13
-FUTURE_USE14 future_use14
-FUTURE_USE15 future_use15
-FUTURE_USE16 future_use16
-FUTURE_USE17 future_use17
-FUTURE_USE18 future_use18
-FUTURE_USE19 future_use19
-FUTURE_USE20 future_use20
-FUTURE_USE21 future_use21
-FUTURE_USE22 future_use22
-FUTURE_USE23 future_use23
-FUTURE_USE24 future_use24
-FUTURE_USE25 future_use25
-FUTURE_USE26 future_use26
-FUTURE_USE27 future_use27
-FUTURE_USE28 future_use28
-FUTURE_USE29 future_use29
-FUTURE_USE30 future_use30
-FUTURE_USE31 future_use31
-FUTURE_USE32 future_use32
-FUTURE_USE33 future_use33
-FUTURE_USE34 future_use34
-FUTURE_USE35 future_use35
-FUTURE_USE36 future_use36
-Gateway gateway
-Generated Time time_generated
-Generate Time time_generated
-Hash Algorithm tls_auth
-High Resolution Timestamp high_res_timestamp
-High Res Timestamp high_res_timestamp
-HIP matchname
-HIP Type matchtype
-Host ID hostid
-HTTP/2 Connection http2_connection
-HTTP Headers http_headers
-HTTP Method http_method
-Inbound Interface inbound_if
-IP Protocol proto
-IPv6 Source Address srcipv6
-Issuer Common Name Length issuer_len
-Issuer Subject Common Name issuer_cn
-Justification justification
-Key Exchange Algorithm tls_keyxchg
-Link Switches link_switches
-Location location
-Log Action logset
-Login Duration login_duration
-Machine Name machinename
-Maximum Encapsulation max_encap
-Monitor Tag/IMEI monitortag
-NAT Destination IP natdst
-NAT Destination Port natdport
-NAT Source IP natsrc
-NAT Source Port natsport
-Offloaded offloaded
-Operating System os
-Outbound Interface outbound_if
-Packets packets
-Packets Received pkts_received
-Packets Sent pkts_sent
-Parent Session ID parent_session_id
-Parent Session Start Time parent_start_time
-Parent Start Time parent_start_time
-Partial Hash partial_hash
-Payload Protocol ID ppid
-PCAP ID pcap_id
-PCAP_ID pcap_id
-PDU Session ID pdu_session_id
-POD Name pod_name
-POD Namespace pod_namespace
-Policy ID policy_id
-Policy Name policy_name
-Portal portal
-Priority priority
-Private IP private_ip
-Private IPv6 private_ipv6
-Protocol proto
-Proxy Type proxy_type
-Public IP public_ip
-Public IPv6 public_ipv6
-Reason reason
-Receive Time receive_time
-Recipient recipient
-Referer referer
-Remote User ID remote_user_id
-Remote User IP remote_user_ip
-Repeat Count repeatcnt
-Report ID reportid
-Response Time response_time
-Root Common Name Length rootcn_len
-Root Status root_status
-Root Subject Common Name root_cn
-Rule Name rule
-Rule rule
-Rule UUID rule_uuid
-SCTP Association ID assoc_id
-SCTP Chunks chunks
-SCTP Chunks Received chunks_received
-SCTP Chunks Sent chunks_sent
-SD-WAN Cluster sdwan_cluster
-SD-WAN Cluster Type sdwan_cluster_type
-SD-WAN Device Type sdwan_device_type
-SD-WAN Site sdwan_site
-Selection Type selection_type
-Sender sender
-Sequence Number seqno
-Serial Number serial
-Serial serial
-Server Name Indication sni
-Session End Reason session_end_reason
-Session ID sessionid
-Session Owner session_owner
-Sessions Closed sessions_closed
-Sessions Created sessions_created
-Severity severity
-SNI Length sni_len
-Source Address src
-Source Country srcloc
-Source Device Category src_category
-Source Device Model src_model
-Source Device OS Family src_osfamily
-Source Device OS Version src_osversion
-Source Device Profile src_profile
-Source Device Vendor src_vendor
-Source Dynamic Address Group src_dag
-Source External Dynamic List src_edl
-Source Hostname src_host
-Source IP src
-Source Location srcloc
-Source Mac Address src_mac
-Source MAC Address src_mac
-Source Port sport
-Source Region srcregion
-Source User srcuser
-Source VM UUID src_uuid
-Source Zone from
-Stage for Client to Firewall hs_stage_c2f
-Stage for Firewall to Server hs_stage_f2s
-Stage stage
-Start Time start
-Status status
-Strict Check strict_check
-Subject Common Name cn
-Subject subject
-Subtype subtype
-Tag Name tag_name
-Threat Category thr_category
-Threat/Content Type subtype
-Threat ID threatid
-Time Logged time_received
-Time Out Threshold timeout
-Timeout timeout
-TLS Version tls_version
-Tunneled Application tunneled_app
-Tunnel Fragment tunnel_fragment
-Tunnel ID/IMSI tunnel_id
-Tunnel Inspection Rule tunnel_insp_rule
-Tunnel tunnel
-Tunnel Type tunnel
-Type type
-Unknown Protocol unknown_proto
-URL Category List url_category_list
-URL/Filename misc
-URL Index url_idx
-User Agent user_agent
-User by Source userbysource
-User Device Serial Number serialnumber
-User Group Flags ugflags
-User user
-UUID for rule rule_uuid
-Virtual System ID vsys_id
-Virtual System Name vsys_name
-Virtual System vsys
-XFF Address xff_ip
-X-Forwarded-For xff
-SCTP Chunk Type sctp_chunk_type
-SCTP Verification Tag 1 verif_tag_1
-SCTP Verification Tag 2 verif_tag_2
-SCTP Cause Code sctp_cause_code
-Diameter App ID diam_app_id
-Diameter Command Code diam_cmd_code
-Diameter AVP Code diam_avp_code
-SCTP Stream ID stream_id
-SCTP Association End Reason assoc_end_reason
-Op Code op_code
-SCCP Calling Party SSN sccp_calling_ssn
-SCCP Calling Party Global Title sccp_calling_gt
-SCTP Filter sctp_filter
-Host host
-Command cmd
-Admin admin
-Client client
-Result result
-Configuration Path path
-Before Change Detail before_change_detail
-After Change Detail after_change_detail
-Device Group dg_id
-Audit Comment comment
-Normalize User normalize_user
-Object object
-Authentication Policy authpolicy
-Authentication ID authid
-Vendor vendor
-Server Profile serverprofile
-Client Type clienttype
-Event Type event
-Authentication Protocol authproto
-Region region
-Content/Threat Type subtype
-Object Name objectname
-Object ID object_id
-Evidence evidence
-GTP Event Type event_type
-MSISDN msisdn
-Access Point Name apn
-Radio Access Technology rat
-GTP Message Type msg_type
-End User IP Address end_ip_addr
-Tunnel Endpoint Identifier1 teid1
-Tunnel Endpoint Identifier2 teid2
-GTP Interface gtp_interface
-GTP Cause cause_code
-Serving Country MCC mcc
-Serving Network MNC mnc
-Area Code area_code
-Cell ID cell_id
-GTP Event Code event_code
-Module module
-User Device Serial Number user_serialnumber
diff --git a/paloalto/AX-generation/palo.ax b/paloalto/AX-generation/palo.ax
deleted file mode 100644
index 827a5bc4..00000000
--- a/paloalto/AX-generation/palo.ax
+++ /dev/null
@@ -1,98 +0,0 @@
-[[extraction]]
-name = "Palo Alto auth"
-tag = "pan_auth"
-desc = "Palo Alto auth log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, vsys, src, user, normalize_user, object, authpolicy, repeatcnt, authid, vendor, logset, serverprofile, description, clienttype, event, factorno, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id, authproto, rule_uuid, high_res_timestamp, src_category, src_profile, src_model, src_vendor, src_osfamily, src_osversion, src_host, src_mac, region, future_use3, user_agent, sessionid"
-
-[[extraction]]
-name = "Palo Alto config"
-tag = "pan_config"
-desc = "Palo Alto config log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, host, vsys, cmd, admin, client, result, path, before_change_detail, after_change_detail, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, dg_id, comment"
-
-[[extraction]]
-name = "Palo Alto correlation"
-tag = "pan_correlation"
-desc = "Palo Alto correlation log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, src, srcuser, vsys, category, severity, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id, objectname, object_id, evidence"
-
-[[extraction]]
-name = "Palo Alto decryption"
-tag = "pan_decryption"
-desc = "Palo Alto decryption log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, config_ver, time_generated, src, dst, natsrc, natdst, rule, srcuser, dstuser, app, vsys, from, to, inbound_if, outbound_if, logset, time_received, sessionid, repeatcnt, sport, dport, natsport, natdport, flags, proto, action, tunnel, future_use2, future_use3, src_uuid, dst_uuid, rule_uuid, hs_stage_c2f, hs_stage_f2s, tls_version, tls_keyxchg, tls_enc, tls_auth, policy_name, ec_curve, err_index, root_status, chain_status, proxy_type, cert_serial, fingerprint, notbefore, notafter, cert_ver, cert_size, cn_len, issuer_len, rootcn_len, sni_len, cert_flags, cn, issuer_cn, root_cn, sni, error, container_id, pod_namespace, pod_name, src_edl, dst_edl, src_dag, dst_dag, high_res_timestamp, src_category, src_profile, src_model, src_vendor, src_osfamily, src_osversion, src_host, src_mac, dst_category, dst_profile, dst_model, dst_vendor, dst_osfamily, dst_osversion, dst_host, dst_mac, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id, subcategory_of_app, category_of_app, technology_of_app, risk_of_app, characteristic_of_app, container_of_app, is_saas_of_app, sanctioned_state_of_app"
-
-[[extraction]]
-name = "Palo Alto globalprotect"
-tag = "pan_globalprotect"
-desc = "Palo Alto globalprotect log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, vsys, eventid, stage, auth_method, tunnel, srcuser, srcregion, machinename, public_ip, public_ipv6, private_ip, private_ipv6, hostid, user_serialnumber, client_ver, client_os, client_os_ver, repeatcnt, reason, error, description, status, location, login_duration, connect_method, error_code, portal, seqno, actionflags, high_res_timestamp, selection_type, response_time, priority, attempted_gateways, gateway, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id"
-
-[[extraction]]
-name = "Palo Alto gtp"
-tag = "pan_gtp"
-desc = "Palo Alto gtp log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, src, dst, future_use3, future_use4, rule, future_use5, future_use6, app, vsys, from, to, inbound_if, outbound_if, logset, future_use7, sessionid, future_use8, sport, dport, future_use9, future_use10, future_use11, proto, action, event_type, msisdn, apn, rat, msg_type, end_ip_addr, teid1, teid2, gtp_interface, cause_code, severity, mcc, mnc, area_code, cell_id, event_code, future_use12, future_use13, srcloc, dstloc, future_use14, future_use15, future_use16, future_use17, future_use18, future_use19, future_use20, tunnel_id, monitortag, future_use21, future_use22, future_use23, future_use24, future_use25, future_use26, future_use27, future_use28, future_use29, future_use30, future_use31, future_use32, future_use33, future_use34, future_use35, future_use36, start, elapsed, tunnel_insp_rule, remote_user_ip, remote_user_id, rule_uuid, pcap_id, high_res_timestamp, nsdsai_sst, nsdsai_sd, subcategory_of_app, category_of_app, technology_of_app, risk_of_app, characteristic_of_app, container_of_app, is_saas_of_app, sanctioned_state_of_app"
-
-[[extraction]]
-name = "Palo Alto hipmatch"
-tag = "pan_hipmatch"
-desc = "Palo Alto hipmatch log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, srcuser, vsys, machinename, os, src, matchname, repeatcnt, matchtype, future_use3, future_use4, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id, srcipv6, hostid, user_serialnumber, mac, high_res_timestamp"
-
-[[extraction]]
-name = "Palo Alto iptag"
-tag = "pan_iptag"
-desc = "Palo Alto iptag log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, vsys, src, tag_name, eventid, repeatcnt, timeout, datasourcename, datasource_type, datasource_subtype, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id, high_res_timestamp"
-
-[[extraction]]
-name = "Palo Alto sctp"
-tag = "pan_sctp"
-desc = "Palo Alto sctp log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, future_use2, future_use3, time_generated, src, dst, future_use4, future_use5, rule, future_use6, future_use7, future_use8, vsys, from, to, inbound_if, outbound_if, logset, future_use9, sessionid, repeatcnt, sport, dport, future_use10, future_use11, future_use12, future_use13, proto, action, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, seqno, future_use14, assoc_id, ppid, severity, sctp_chunk_type, future_use15, verif_tag_1, verif_tag_2, sctp_cause_code, diam_app_id, diam_cmd_code, diam_avp_code, stream_id, assoc_end_reason, op_code, sccp_calling_ssn, sccp_calling_gt, sctp_filter, chunks, chunks_sent, chunks_received, packets, pkts_sent, pkts_received, rule_uuid, high_res_timestamp"
-
-[[extraction]]
-name = "Palo Alto system"
-tag = "pan_system"
-desc = "Palo Alto system log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, vsys, eventid, object, future_use3, future_use4, module, severity, description, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, future_use5, future_use6, high_res_timestamp"
-
-[[extraction]]
-name = "Palo Alto threat"
-tag = "pan_threat"
-desc = "Palo Alto threat log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, src, dst, natsrc, natdst, rule, srcuser, dstuser, app, vsys, from, to, inbound_if, outbound_if, logset, future_use3, sessionid, repeatcnt, sport, dport, natsport, natdport, flags, proto, action, misc, threatid, category, severity, direction, seqno, actionflags, srcloc, dstloc, future_use4, contenttype, pcap_id, filedigest, cloud, url_idx, user_agent, filetype, xff, referer, sender, subject, recipient, reportid, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, future_use5, src_uuid, dst_uuid, http_method, tunnel_id, monitortag, parent_session_id, parent_start_time, tunnel, thr_category, contentver, future_use6, assoc_id, ppid, http_headers, url_category_list, rule_uuid, http2_connection, dynusergroup_name, xff_ip, src_category, src_profile, src_model, src_vendor, src_osfamily, src_osversion, src_host, src_mac, dst_category, dst_profile, dst_model, dst_vendor, dst_osfamily, dst_osversion, dst_host, dst_mac, container_id, pod_namespace, pod_name, src_edl, dst_edl, hostid, user_serialnumber, domain_edl, src_dag, dst_dag, partial_hash, high_res_timestamp, reason, justification, nsdsai_sst, subcategory_of_app, category_of_app, technology_of_app, risk_of_app, characteristic_of_app, container_of_app, is_saas_of_app, tunneled_app, sanctioned_state_of_app, cloud_reportid"
-
-[[extraction]]
-name = "Palo Alto traffic"
-tag = "pan_traffic"
-desc = "Palo Alto traffic log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, src, dst, natsrc, natdst, rule, srcuser, dstuser, app, vsys, from, to, inbound_if, outbound_if, logset, future_use3, sessionid, repeatcnt, sport, dport, natsport, natdport, flags, proto, action, bytes, bytes_sent, bytes_received, packets, start, elapsed, category, future_use4, seqno, actionflags, srcloc, dstloc, future_use5, pkts_sent, pkts_received, session_end_reason, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, action_source, src_uuid, dst_uuid, tunnel_id, monitortag, parent_session_id, parent_start_time, tunnel, assoc_id, chunks, chunks_sent, chunks_received, rule_uuid, http2_connection, link_change_count, policy_id, link_switches, sdwan_cluster, sdwan_device_type, sdwan_cluster_type, sdwan_site, dynusergroup_name, xff_ip, src_category, src_profile, src_model, src_vendor, src_osfamily, src_osversion, src_host, src_mac, dst_category, dst_profile, dst_model, dst_vendor, dst_osfamily, dst_osversion, dst_host, dst_mac, container_id, pod_namespace, pod_name, src_edl, dst_edl, hostid, user_serialnumber, src_dag, dst_dag, session_owner, high_res_timestamp, nsdsai_sst, nsdsai_sd, subcategory_of_app, category_of_app, technology_of_app, risk_of_app, characteristic_of_app, container_of_app, tunneled_app, is_saas_of_app, sanctioned_state_of_app, offloaded"
-
-[[extraction]]
-name = "Palo Alto tunnel"
-tag = "pan_tunnel"
-desc = "Palo Alto tunnel log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, src, dst, natsrc, natdst, rule, srcuser, dstuser, app, vsys, from, to, inbound_if, outbound_if, logset, future_use3, sessionid, repeatcnt, sport, dport, natsport, natdport, flags, proto, action, severity, seqno, actionflags, srcloc, dstloc, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, tunnel_id, monitortag, parent_session_id, parent_start_time, tunnel, bytes, bytes_sent, bytes_received, packets, pkts_sent, pkts_received, max_encap, unknown_proto, strict_check, tunnel_fragment, sessions_created, sessions_closed, session_end_reason, action_source, start, elapsed, tunnel_insp_rule, remote_user_ip, remote_user_id, rule_uuid, pcap_id, dynusergroup_name, src_edl, dst_edl, high_res_timestamp, nsdsai_sd, nsdsai_sst, pdu_session_id, subcategory_of_app, category_of_app, technology_of_app, risk_of_app, characteristic_of_app, container_of_app, is_saas_of_app, sanctioned_state_of_app"
-
-[[extraction]]
-name = "Palo Alto userid"
-tag = "pan_userid"
-desc = "Palo Alto userid log format"
-module = "csv"
-params = "future_use1, receive_time, serial, type, subtype, future_use2, time_generated, vsys, src, user, datasourcename, eventid, repeatcnt, timeout, sport, dport, datasource, datasource_type, seqno, actionflags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, device_name, vsys_id, factortype, factorcompletiontime, factorno, future_use3, future_use4, ugflags, userbysource, high_res_timestamp"
-
diff --git a/paloalto/AX-generation/sctp.txt b/paloalto/AX-generation/sctp.txt
deleted file mode 100644
index bd014607..00000000
--- a/paloalto/AX-generation/sctp.txt
+++ /dev/null
@@ -1,65 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-FUTURE_USE2
-FUTURE_USE3
-Generated Time
-Source Address
-Destination Address
-FUTURE_USE4
-FUTURE_USE5
-Rule Name
-FUTURE_USE6
-FUTURE_USE7
-FUTURE_USE8
-Virtual System
-Source Zone
-Destination Zone
-Inbound Interface
-Outbound Interface
-Log Action
-FUTURE_USE9
-Session ID
-Repeat Count
-Source Port
-Destination Port
-FUTURE_USE10
-FUTURE_USE11
-FUTURE_USE12
-FUTURE_USE13
-IP Protocol
-Action
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Sequence Number
-FUTURE_USE14
-SCTP Association ID
-Payload Protocol ID
-Severity
-SCTP Chunk Type
-FUTURE_USE15
-SCTP Verification Tag 1
-SCTP Verification Tag 2
-SCTP Cause Code
-Diameter App ID
-Diameter Command Code
-Diameter AVP Code
-SCTP Stream ID
-SCTP Association End Reason
-Op Code
-SCCP Calling Party SSN
-SCCP Calling Party Global Title
-SCTP Filter
-SCTP Chunks
-SCTP Chunks Sent
-SCTP Chunks Received
-Packets
-Packets Sent
-Packets Received
-UUID for rule
-High Resolution Timestamp
\ No newline at end of file
diff --git a/paloalto/AX-generation/system.txt b/paloalto/AX-generation/system.txt
deleted file mode 100644
index 4098993a..00000000
--- a/paloalto/AX-generation/system.txt
+++ /dev/null
@@ -1,26 +0,0 @@ -FUTURE_USE1 -Receive Time -Serial Number -Type -Content/Threat Type -FUTURE_USE2 -Generated Time -Virtual System -Event ID -Object -FUTURE_USE3 -FUTURE_USE4 -Module -Severity -Description -Sequence Number -Action Flags -Device Group Hierarchy Level 1 -Device Group Hierarchy Level 2 -Device Group Hierarchy Level 3 -Device Group Hierarchy Level 4 -Virtual System Name -Device Name -FUTURE_USE5 -FUTURE_USE6 -High Resolution Timestamp \ No newline at end of file diff --git a/paloalto/AX-generation/threat.txt b/paloalto/AX-generation/threat.txt deleted file mode 100644 index 60616233..00000000 --- a/paloalto/AX-generation/threat.txt +++ /dev/null 
@@ -1,121 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-FUTURE_USE2
-Generated Time
-Source Address
-Destination Address
-NAT Source IP
-NAT Destination IP
-Rule Name
-Source User
-Destination User
-Application
-Virtual System
-Source Zone
-Destination Zone
-Inbound Interface
-Outbound Interface
-Log Action
-FUTURE_USE3
-Session ID
-Repeat Count
-Source Port
-Destination Port
-NAT Source Port
-NAT Destination Port
-Flags
-IP Protocol
-Action
-URL/Filename
-Threat ID
-Category
-Severity
-Direction
-Sequence Number
-Action Flags
-Source Location
-Destination Location
-FUTURE_USE4
-Content Type
-PCAP_ID
-File Digest
-Cloud
-URL Index
-User Agent
-File Type
-X-Forwarded-For
-Referer
-Sender
-Subject
-Recipient
-Report ID
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-FUTURE_USE5
-Source VM UUID
-Destination VM UUID
-HTTP Method
-Tunnel ID/IMSI
-Monitor Tag/IMEI
-Parent Session ID
-Parent Start Time
-Tunnel Type
-Threat Category
-Content Version
-FUTURE_USE6
-SCTP Association ID
-Payload Protocol ID
-HTTP Headers
-URL Category List
-Rule UUID
-HTTP/2 Connection
-Dynamic User Group Name
-XFF Address
-Source Device Category
-Source Device Profile
-Source Device Model
-Source Device Vendor
-Source Device OS Family
-Source Device OS Version
-Source Hostname
-Source MAC Address
-Destination Device Category
-Destination Device Profile
-Destination Device Model
-Destination Device Vendor
-Destination Device OS Family
-Destination Device OS Version
-Destination Hostname
-Destination MAC Address
-Container ID
-POD Namespace
-POD Name
-Source External Dynamic List
-Destination External Dynamic List
-Host ID
-User Device Serial Number
-Domain EDL
-Source Dynamic Address Group
-Destination Dynamic Address Group
-Partial Hash
-High Resolution Timestamp
-Reason
-Justification
-A Slice Service Type
-Application Subcategory
-Application Category
-Application Technology
-Application Risk
-Application Characteristic
-Application Container
-Application SaaS
-Tunneled Application
-Application Sanctioned State
-Cloud Report ID
diff --git a/paloalto/AX-generation/traffic.txt b/paloalto/AX-generation/traffic.txt
deleted file mode 100644
index 60b0d21b..00000000
--- a/paloalto/AX-generation/traffic.txt
+++ /dev/null
@@ -1,115 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Threat/Content Type
-FUTURE_USE2
-Generated Time
-Source Address
-Destination Address
-NAT Source IP
-NAT Destination IP
-Rule Name
-Source User
-Destination User
-Application
-Virtual System
-Source Zone
-Destination Zone
-Inbound Interface
-Outbound Interface
-Log Action
-FUTURE_USE3
-Session ID
-Repeat Count
-Source Port
-Destination Port
-NAT Source Port
-NAT Destination Port
-Flags
-Protocol
-Action
-Bytes
-Bytes Sent
-Bytes Received
-Packets
-Start Time
-Elapsed Time
-Category
-FUTURE_USE4
-Sequence Number
-Action Flags
-Source Country
-Destination Country
-FUTURE_USE5
-Packets Sent
-Packets Received
-Session End Reason
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Action Source
-Source VM UUID
-Destination VM UUID
-Tunnel ID/IMSI
-Monitor Tag/IMEI
-Parent Session ID
-Parent Start Time
-Tunnel Type
-SCTP Association ID
-SCTP Chunks
-SCTP Chunks Sent
-SCTP Chunks Received
-Rule UUID
-HTTP/2 Connection
-App Flap Count
-Policy ID
-Link Switches
-SD-WAN Cluster
-SD-WAN Device Type
-SD-WAN Cluster Type
-SD-WAN Site
-Dynamic User Group Name
-XFF Address
-Source Device Category
-Source Device Profile
-Source Device Model
-Source Device Vendor
-Source Device OS Family
-Source Device OS Version
-Source Hostname
-Source Mac Address
-Destination Device Category
-Destination Device Profile
-Destination Device Model
-Destination Device Vendor
-Destination Device OS Family
-Destination Device OS Version
-Destination Hostname
-Destination Mac Address
-Container ID
-POD Namespace
-POD Name
-Source External Dynamic List
-Destination External Dynamic List
-Host ID
-User Device Serial Number
-Source Dynamic Address Group
-Destination Dynamic Address Group
-Session Owner
-High Resolution Timestamp
-A Slice Service Type
-A Slice Differentiator
-Application Subcategory
-Application Category
-Application Technology
-Application Risk
-Application Characteristic
-Application Container
-Tunneled Application
-Application SaaS
-Application Sanctioned State
-Offloaded
\ No newline at end of file
diff --git a/paloalto/AX-generation/tunnel.txt b/paloalto/AX-generation/tunnel.txt
deleted file mode 100644
index 88df7550..00000000
--- a/paloalto/AX-generation/tunnel.txt
+++ /dev/null
@@ -1,83 +0,0 @@
-FUTURE_USE1
-Receive Time
-Serial Number
-Type
-Subtype
-FUTURE_USE2
-Generated Time
-Source Address
-Destination Address
-NAT Source IP
-NAT Destination IP
-Rule Name
-Source User
-Destination User
-Application
-Virtual System
-Source Zone
-Destination Zone
-Inbound Interface
-Outbound Interface
-Log Action
-FUTURE_USE3
-Session ID
-Repeat Count
-Source Port
-Destination Port
-NAT Source Port
-NAT Destination Port
-Flags
-Protocol
-Action
-Severity
-Sequence Number
-Action Flags
-Source Location
-Destination Location
-Device Group Hierarchy Level 1
-Device Group Hierarchy Level 2
-Device Group Hierarchy Level 3
-Device Group Hierarchy Level 4
-Virtual System Name
-Device Name
-Tunnel ID/IMSI
-Monitor Tag/IMEI
-Parent Session ID
-Parent Start Time
-Tunnel
-Bytes
-Bytes Sent
-Bytes Received
-Packets
-Packets Sent
-Packets Received
-Maximum Encapsulation
-Unknown Protocol
-Strict Check
-Tunnel Fragment
-Sessions Created
-Sessions Closed
-Session End Reason
-Action Source
-Start Time
-Elapsed Time
-Tunnel Inspection Rule
-Remote User IP
-Remote User ID
-Rule UUID
-PCAP ID
-Dynamic User Group
-Source External Dynamic List
-Destination External Dynamic List
-High Resolution Timestamp
-A Slice Differentiator
-A Slice Service Type
-PDU Session ID
-Application Subcategory
-Application Category
-Application Technology
-Application Risk
-Application Characteristic
-Application Container
-Application SaaS
-Application Sanctioned State
\ No newline at end of file
diff --git a/paloalto/AX-generation/userid.txt b/paloalto/AX-generation/userid.txt deleted file mode 100644 index bcf344db..00000000 --- a/paloalto/AX-generation/userid.txt +++ /dev/null @@ -1,35 +0,0 @@ -FUTURE_USE1 -Receive Time -Serial Number -Type -Threat/Content Type -FUTURE_USE2 -Generated Time -Virtual System -Source IP -User -Data Source Name -Event ID -Repeat Count -Time Out Threshold -Source Port -Destination Port -Data Source -Data Source Type -Sequence Number -Action Flags -Device Group Hierarchy Level 1 -Device Group Hierarchy Level 2 -Device Group Hierarchy Level 3 -Device Group Hierarchy Level 4 -Virtual System Name -Device Name -Virtual System ID -Factor Type -Factor Completion Time -Factor Number -FUTURE_USE3 -FUTURE_USE4 -User Group Flags -User by Source -High Resolution Timestamp \ No newline at end of file diff --git a/paloalto/BUILD b/paloalto/BUILD index 20568e8f..c347d650 100644 --- a/paloalto/BUILD +++ b/paloalto/BUILD @@ -13,7 +13,7 @@ # You can also just execute this file using bash # # -OUT="paloalto.kit" +OUT = "paloalto.kit" cmd=$(which kitctl) if [ "$?" != "0" ]; then @@ -23,5 +23,4 @@ fi set -e -$cmd pack $OUT - +$cmd pack $OUT \ No newline at end of file diff --git a/paloalto/LICENSE.md b/paloalto/LICENSE.md new file mode 100644 index 00000000..ce9c6b3c --- /dev/null +++ b/paloalto/LICENSE.md @@ -0,0 +1 @@ +Palo Alto images are wholly owned by Palo Alto and are **NOT** subject to any Gravwell licensing. \ No newline at end of file diff --git a/paloalto/MANIFEST b/paloalto/MANIFEST index 892fd793..88267f87 100644 --- a/paloalto/MANIFEST +++ b/paloalto/MANIFEST 
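Review bot: `OUT = "paloalto.kit"` in the first paloalto/BUILD hunk is no longer a variable assignment — the header comment in the same hunk says the file can be executed with bash, and bash parses the spaced form as a call to a command named `OUT` with the arguments `=` and `paloalto.kit`, so `$OUT` stays unset and the final `$cmd pack $OUT` runs `kitctl pack` with no output name. Because `set -e` is only enabled further down, the resulting "command not found" does not stop the script, and the failure (or a kit written under whatever default kitctl applies, which is not visible here) only surfaces at the pack step. Keep the original spelling, `OUT="paloalto.kit"`, matching the `cmd=$(which kitctl)` line two lines below it; if the spaced form was meant for some other consumer of this file, that is not visible in the hunk. The second BUILD hunk only removes the trailing blank line and final newline.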
@@ -1,9 +1,9 @@ { "ID": "io.gravwell.paloalto", "Name": "Palo Alto", - "Desc": "Analyze Palo Alto logs.", - "Readme": "# Palo Alto Kit\n\nThis kit provides pre-built tools to help analyze logs from Palo Alto next-gen firewalls. It includes:\n\n* Autoextractor definitions for common Palo Alto log formats, to more easily extract fields from log entries.\n* Dashboards providing overviews \u0026 investigative options for different log types.\n* Instructions on how to get Palo Alto logs *into* Gravwell.", - "Version": 8, + "Desc": "The Palo Alto Kit provides a baseline set of tags, macros, saved queries, lookup resources, alerts, scheduled searches, flows, playbooks, actionables, dashboard searches, alert queries, and dashboards for your Palo Alto data.", + "Readme": "*** \n\nA toolkit for interacting with Palo Alto data in Gravwell. This kit includes queries, resources (lookups), templates, autoextractors, macros, dashboards, alerts, scheduled searches, and flows to help streamline Palo Alto analysis across Authentication, Config, Correlation, Decryption, GlobalProtect, GTP, HIP Match, IP Tag, Stream Control Transmission Protocol (SCTP), System, Threat, Traffic, Tunnel, and User ID log sources. \n\n*** \n\n## Table of Contents \n0. [Data Ingestion](#0-data-ingestion) \n 0.1. [Simple Relay Ingester](#0-1-simple-relay-ingester) \n 0.2. [Install \u0026 Configure IngesterType](#0-2-install--configure-simple-relay) \n 0.3. [HTTP Ingester](#0-3-http-ingester) \n 0.4. [Install \u0026 Configure HTTP Ingester](#0-4-install--configure-http-ingester) \n 0.5. [Data Tags](#0-5-data-tags) \n 0.6. [Working with the Data](#0-6-working-with-the-data) \n1. [Tags \u0026 Macros](#1-tags--macros) \n 1.1. [Tags](#1-1-tags) \n 1.2. [Autoextractors](#1-2-autoextractors) \n 1.3. [Macros](#1-3-macros) \n2. [Query Library](#2-query-library) \n3. [Naming Schema](#3-naming-schema) \n4. [Resources](#4-resources) \n 4.1. [Lookups](#4-1-lookups) \n5. [Alerts](#5-alerts) \n 5.1. 
[Dispatchers](#5-1-dispatchers) \n 5.2. [Consumers](#5-2-consumers) \n6. [Scheduled Searches](#6-scheduled-searches) \n 6.1. [Flows](#6-1-flows) \n7. [Playbooks](#7-playbooks) \n 7.1. [Files](#7-1-files) \n8. [Searches](#8-searches) \n 8.1. [Dashboard Searches](#8-1-dashboard-searches) \n 8.2. [Alert Queries](#8-2-alert-queries) \n9. [Templates](#9-templates) \n10. [Dashboards](#10-dashboards) \n 10.1. [Actionables](#10-1-actionables) \n11. [Useful Resources \u0026 References](#11-useful-resources--references) \n12. [Notes](#12-notes) \n13. [Image credits](#13-image-credits) \n\n*** \n\n## 0. [Data Ingestion](#0-data-ingestion)\n\nThis kit provides tools for working with logs from Palo Alto next-gen firewalls. Note that at this time, only PAN-OS 10.x is supported.\n\nBefore you can use the kit, you'll need to get logs flowing from your Palo Alto device into Gravwell. The recommended method is via *syslog forwarding*. Gravwell can receive syslog data using the [Simple Relay](https://docs.gravwell.io/ingesters/simple_relay.html) ingester. Configuration of Simple Relay is described below.\n\nYou can also send logs via the HTTP ingester; instructions for that are in the \"Install \u0026 Configure HTTP Ingester\" section below.\n\n#### 0.1 [Simple Relay Ingester](#0-1-simple-relay-ingester)\n\n- Simple Relay is the go-to ingester for text based data sources that can be delivered over plaintext TCP, encrypted TCP, or plaintext UDP network connections via either IPv4 or IPv6.\n - [Documentation](https://docs.gravwell.io/ingesters/simple_relay.html)\n\n#### 0.2 [Install \u0026 Configure Simple Relay](#0-2-install--configure-simple-relay)\n\n- Deploy the [Simple Relay](https://docs.gravwell.io/ingesters/simple_relay.html) ingester on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). 
Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/ingesters/ingesters.html) for more information.\n- Drop the following config snippet into a new file named \u003ckbd\u003e/opt/gravwell/etc/simple\\_relay.conf.d/paloalto.conf\u003c/kbd\u003e on the ingester machine, then run \u003ckbd\u003esudo systemctl restart gravwell\\_simple\\_relay.service\u003c/kbd\u003e to restart the ingester. This will make it start listening for incoming syslog on port 6601, with special rules to route Palo Alto logs into the correct Gravwell tags.\n\n ```ini\n [Listener \"syslogtcp_paloalto\"]\n Bind-String=\"tcp://0.0.0.0:6601\"\n Reader-Type=line\n Tag-Name=pan_events\n Assume-Local-Timezone=true\n Preprocessor=\"PaloAlto Audit Router\"\n Preprocessor=\"PaloAlto Tunnel Inspection Router\"\n Preprocessor=\"PaloAlto PAN Type Router\"\n\n # Route Audit logs. Audit logs identify as AUDIT in the 3rd CSV field and\n # use a different CSV layout than standard SYSTEM logs.\n [preprocessor \"PaloAlto Audit Router\"]\n Type=regexrouter\n Drop-Misses=false\n Regex=`^(?:[^,]*,){2}(?P\u003csubtype\u003eAUDIT|audit),`\n Route-Extraction=subtype\n Route=AUDIT:pan_audit\n Route=audit:pan_audit\n\n # Route Tunnel Inspection logs. 
These logs use START/END in the 4th CSV field\n # instead of a family name such as TRAFFIC or THREAT.\n # The additional severity check helps distinguish this format from other PAN logs.\n [preprocessor \"PaloAlto Tunnel Inspection Router\"]\n Type=regexrouter\n Drop-Misses=false\n Regex=`^(?:[^,]*,){3}(?P\u003cevent\u003eSTART|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),`\n Route-Extraction=event\n Route=START:pan_tunnel\n Route=END:pan_tunnel\n Route=start:pan_tunnel\n Route=end:pan_tunnel\n\n # Route all remaining PAN log families by the 4th CSV field.\n [preprocessor \"PaloAlto PAN Type Router\"]\n Type=regexrouter\n Drop-Misses=false\n Regex=`^(?:[^,]*,){3}(?P\u003ctype\u003e[^,]+),`\n Route-Extraction=type\n Route=AUTHENTICATION:pan_auth\n Route=CONFIG:pan_config\n Route=CORRELATION:pan_correlation\n Route=DECRYPTION:pan_decryption\n Route=GLOBALPROTECT:pan_globalprotect\n Route=GTP:pan_gtp\n Route=HIP-MATCH:pan_hipmatch\n Route=HIPMATCH:pan_hipmatch\n Route=IPTAG:pan_iptag\n Route=SCTP:pan_sctp\n Route=SYSTEM:pan_system\n Route=THREAT:pan_threat\n Route=TRAFFIC:pan_traffic\n Route=USERID:pan_userid\n ```\n\n- Ensure that the server running Simple Relay allows incoming connections on port 6601, and that any firewalls between the Palo Alto device and the Simple Relay system allow port 6601 traffic.\n- Configure log forwarding as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring), defining the syslog server profile to point at the Simple Relay server on port 6601 as seen below. 
When configuring forwarding, make sure you enable all desired log families, including System/Audit and Tunnel Inspection.\n\n\u003e ![Palo Alto Syslog Server Profile: Shows a configured syslog server within Palo Alto](/api/files/8c6e109a-e0e8-4347-9f9b-687ac9291e81?1773840659459 =663x345)\n\n- Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the following query:\n\n ```gravwell\n tag=$PAN_ALL limit 10\n ```\n\n- If any results appear, logs are coming in properly.\n\n#### 0.3 [HTTP Ingester](#0-3-http-ingester)\n\n- HTTP Ingester can be used when you want Palo Alto to deliver logs over HTTP instead of syslog.\n - [Documentation](https://docs.gravwell.io/ingesters/http.html)\n\n#### 0.4 [Install \u0026 Configure HTTP Ingester](#0-4-install--configure-http-ingester)\n\n- Deploy the [HTTP Ingester](https://docs.gravwell.io/ingesters/http.html) on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/ingesters/ingesters.html) for more information.\n- Drop the following config snippet into a new file named \u003ckbd\u003e/opt/gravwell/etc/gravwell\\_http\\_ingester.conf.d/paloalto.conf\u003c/kbd\u003e on the ingester machine, then run \u003ckbd\u003esudo systemctl restart gravwell\\_http\\_ingester.service\u003c/kbd\u003e to restart the ingester. By default, the HTTP ingester listens on port 8080; this config adds an HTTP endpoint at \u003ckbd\u003e/pan/logs\u003c/kbd\u003e, with HTTP basic authentication in place. 
It also defines preprocessors with special rules to route Palo Alto logs to the correct Gravwell tags.\n\n ```ini\n [Listener \"palo\"]\n AuthType=basic\n Username=paloalto\n Password=paloaltopassword\n URL=\"/pan/logs\"\n Tag-Name=pan_events\n Assume-Local-Timezone=true\n Preprocessor=\"PaloAlto Audit Router\"\n Preprocessor=\"PaloAlto Tunnel Inspection Router\"\n Preprocessor=\"PaloAlto PAN Type Router\"\n\n [preprocessor \"PaloAlto Audit Router\"]\n Type=regexrouter\n Drop-Misses=false\n Regex=`^(?:[^,]*,){2}(?P\u003csubtype\u003eAUDIT|audit),`\n Route-Extraction=subtype\n Route=AUDIT:pan_audit\n Route=audit:pan_audit\n\n [preprocessor \"PaloAlto Tunnel Inspection Router\"]\n Type=regexrouter\n Drop-Misses=false\n Regex=`^(?:[^,]*,){3}(?P\u003cevent\u003eSTART|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),`\n Route-Extraction=event\n Route=START:pan_tunnel\n Route=END:pan_tunnel\n Route=start:pan_tunnel\n Route=end:pan_tunnel\n\n [preprocessor \"PaloAlto PAN Type Router\"]\n Type=regexrouter\n Drop-Misses=false\n Regex=`^(?:[^,]*,){3}(?P\u003ctype\u003e[^,]+),`\n Route-Extraction=type\n Route=AUTHENTICATION:pan_auth\n Route=CONFIG:pan_config\n Route=CORRELATION:pan_correlation\n Route=DECRYPTION:pan_decryption\n Route=GLOBALPROTECT:pan_globalprotect\n Route=GTP:pan_gtp\n Route=HIP-MATCH:pan_hipmatch\n Route=HIPMATCH:pan_hipmatch\n Route=IPTAG:pan_iptag\n Route=SCTP:pan_sctp\n Route=SYSTEM:pan_system\n Route=THREAT:pan_threat\n Route=TRAFFIC:pan_traffic\n Route=USERID:pan_userid\n ```\n\n- Ensure that the server running the HTTP Ingester allows incoming connections on port 8080, and that any firewalls between the Palo Alto device and the ingester system allow port 8080 traffic.\n- Once the ingester is configured, set up log forwarding on the Palo Alto device as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/forward-logs-to-an-https-destination). 
You will need to set up the following:\n - An HTTP Server Profile. The \"Address\" field corresponds to the HTTP Ingester's address, \"Port\" should be 8080, \"HTTP Method\" is POST, and you should populate the Username and Password fields to match your configuration above. In the \"Payload Format\" tab, ensure each log type sends the raw CSV field order expected by the preprocessors above, as shown in the image below:\n\u003e\n \u003e ![Palo Alto Payload Format: Shows the payload format of the logs](/api/files/50cb5863-6867-47da-bc49-7bef73317ddc?1773841161343 =705x467)\n\u003e\n- A Log Forwarding Profile which sends all desired log types to the HTTP Server Profile created above. Note that it is possible to use one Log Forwarding Profile to send logs to both syslog and HTTP ingesters at the same time, if desired, as seen below:\n\u003e\n\u003e ![Palo Alto Log Forwarding Profile: Shows a Palo Alto Log Forwarding Profile](/api/files/16b991a1-86c7-4f08-b408-c5faa8afeef3?1773841216952 =792x384)\n\u003e\n- Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the following query:\n\n```gravwell\n tag=$PAN_ALL limit 10\n```\n\n- If any results appear, logs are coming in properly.\n- Warning: We strongly recommend changing the \"Username\" and \"Password\" fields before deploying. We also recommend setting up a TLS frontend for better security. Palo Alto also notes that HTTP/S forwarding is intended for lower-volume deployments and can lose logs at higher forwarding rates, so syslog via Simple Relay remains the recommended option for primary ingestion.\n\n#### 0.5 [Data Tags](#0-5-data-tags)\n\n- Palo Alto logs are sorted into tags on Gravwell based on the log family or format, using the mappings defined in the preprocessor configuration above. 
The tags are:\n - \u003ckbd\u003epan_traffic\u003c/kbd\u003e: [Traffic logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields)\n - \u003ckbd\u003epan_threat\u003c/kbd\u003e: [Threat logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields), including [URL Filtering](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/url-filtering-log-fields), [Data Filtering](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/data-filtering-log-fields), and WildFire Submission / other THREAT-family subtypes\n - \u003ckbd\u003epan_hipmatch\u003c/kbd\u003e: [HIP Match logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields)\n - \u003ckbd\u003epan_globalprotect\u003c/kbd\u003e: [GlobalProtect logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields)\n - \u003ckbd\u003epan_iptag\u003c/kbd\u003e: [IP-Tag logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields)\n - \u003ckbd\u003epan_userid\u003c/kbd\u003e: [User-ID logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields)\n - \u003ckbd\u003epan_decryption\u003c/kbd\u003e: [Decryption logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields)\n - \u003ckbd\u003epan_tunnel\u003c/kbd\u003e: [Tunnel Inspection 
logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/tunnel-inspection-log-fields)\n - \u003ckbd\u003epan_sctp\u003c/kbd\u003e: [SCTP logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields)\n - \u003ckbd\u003epan_auth\u003c/kbd\u003e: [Authentication logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields)\n - \u003ckbd\u003epan_config\u003c/kbd\u003e: [Config logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields)\n - \u003ckbd\u003epan_system\u003c/kbd\u003e: [System logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields)\n - \u003ckbd\u003epan_correlation\u003c/kbd\u003e: [Correlated Events logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields)\n - \u003ckbd\u003epan_gtp\u003c/kbd\u003e: [GTP logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields)\n - \u003ckbd\u003epan_audit\u003c/kbd\u003e: [Audit logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields)\n - \u003ckbd\u003epan_events\u003c/kbd\u003e: Catch-all for unmatched, unknown, or newly introduced PAN log formats that arrive on the dedicated Palo Alto listener or HTTP endpoint\n\n- The links in the list above will take you to the official Palo Alto documentation for each log type. These are the best places to find out what any given field *means*. 
For instance, the traffic log page includes the following definitions: \n - Source Address (src): Original session source IP address. \n - Destination Address (dst): Original session destination IP address. \n- The names in parentheses are the names of the fields used in Gravwell; thus to extract the source and destination IP addresses of a session, one would type \u003ckbd\u003eax src dst\u003c/kbd\u003e. See the next section for more information on extracting data fields. \n- If your kit defines a \u003ckbd\u003ePAN_ALL\u003c/kbd\u003e macro, update it to include \u003ckbd\u003epan_audit\u003c/kbd\u003e, \u003ckbd\u003epan_tunnel\u003c/kbd\u003e, and \u003ckbd\u003epan_events\u003c/kbd\u003e in addition to the existing PAN tags. \n\n#### 0.6 [Working with the Data](#0-6-working-with-the-data)\n\n- One key component of this kit is the pre-configured *auto extractors* which apply structure to the CSV-formatted logs in the system. Each log type contains *many* fields, so we recommend using a particular trick when exploring the extracted fields of a given data type. First, run a query on the tag using the ax module with no arguments, sent to the text renderer:\n\n ```gravwell\n tag=$PAN_TRAFFIC ax \n | text\n ```\n\n- Then, in the results, click the \"Show details\" floating button for any one of the results. This will expand the entry to show the extracted enumerated values. 
This lets you rapidly scroll through the raw results until you find one that looks interesting, then expand it to see which enumerated values are available:\n\n\u003e ![Palo Alto Enumerated Values: Shows EVs expanded in text results for Palo Alto logs](/api/files/f99bf07b-e093-4631-85d4-687b039ecda2?1773841268896 =1870x710)\n\n- In the image above, a single enumerated value pair is highlighted; from this, we might modify the query to filter down to only traffic destined for Switzerland for further examination:\n\n ```gravwell\n tag=$PAN_TRAFFIC ax dstloc==\"Switzerland\" \n | text\n ```\n\n- Audit and Tunnel Inspection logs use their own tags because their CSV layouts differ from standard System and Traffic logs. Explore those tags directly when validating ingestion:\n\n ```gravwell\n tag=pan_config limit 10\n ```\n\n*** \n\n## 1. [Tags \u0026 Macros](#1-tags--macros) \n\n#### 1.1. [Tags](#1-1-tags) \n\n- Purpose: Tags are an essential Gravwell concept. Every entry has a single tag associated with it; these tags allow us to separate and categorize data at a basic level. \n- [Documentation](\u003chttps://docs.gravwell.io/ingesters/ingesters.html#tags\u003e) \n- The Palo Alto Kit for Gravwell makes use of the following tags: \n- Total: ***14*** \n - pan\\_auth: Tag used for all Palo Alto Authentication data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_auth`` \n - pan\\_config: Tag used for all Palo Alto Config data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_config`` \n - pan\\_correlation: Tag used for all Palo Alto Correlation data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. 
\n - Usage: ``tag=pan_correlation`` \n - pan\\_decryption: Tag used for all Palo Alto Decryption data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_decryption`` \n - pan\\_globalprotect: Tag used for all Palo Alto GlobalProtect data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_globalprotect`` \n - pan\\_gtp: Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_gtp`` \n - pan\\_hipmatch: Tag used for all Palo Alto HIP Match data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_hipmatch`` \n - pan\\_iptag: Tag used for all Palo Alto IP Tag data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_iptag`` \n - pan\\_sctp: Tag used for all Palo Alto Stream Control Transmission Protocol (SCTP) data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_sctp`` \n - pan\\_system: Tag used for all Palo Alto System data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_system`` \n - pan\\_threat: Tag used for all Palo Alto Threat data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_threat`` \n - pan\\_traffic: Tag used for all Palo Alto Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. 
\n - Usage: ``tag=pan_traffic`` \n - pan\\_tunnel: Tag used for all Palo Alto Tunnel data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_tunnel`` \n - pan\\_userid: Tag used for all Palo Alto User ID data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - Usage: ``tag=pan_userid`` \n\n#### 1.2. [Autoextractors](#1-2-autoextractors) \n\n- Purpose: Autoextractors are simply definitions that can be applied to tags and describe how to correctly extract fields from the data in a given tag. The *ax* module then automatically invokes the appropriate functionality of other modules. \n- [Documentation](\u003chttps://docs.gravwell.io/configuration/autoextractors.html\u003e) \n- The Palo Alto Kit for Gravwell makes use of the following autoextractors: \n- Total: ***14*** \n - Palo Alto Authentication Logs: Gravwell generated CSV extraction for Palo Alto Authentication Logs \n - Palo Alto Config Logs: Gravwell generated CSV extraction for Palo Alto Config Logs \n - Palo Alto Correlation Logs: Gravwell generated CSV extraction for Palo Alto Correlation Logs \n - Palo Alto Decryption Logs: Gravwell generated CSV extraction for Palo Alto Decryption Logs \n - Palo Alto GPRS Tunning Protocol (GTP) Logs: Gravwell generated CSV extraction for Palo Alto GPRS Tunning Protocol (GTP) Logs \n - Palo Alto GlobalProtect Logs: Gravwell generated CSV extraction for Palo Alto GlobalProtect logs \n - Palo Alto HIP Match Logs: Gravwell generated CSV extraction for Palo Alto HIP Match Logs \n - Palo Alto IP-Tag Logs: Gravwell generated CSV extraction for Palo Alto IP-Tag Logs \n - Palo Alto Stream Control Transmission Protocol (SCTP) Logs: Gravwell generated CSV extraction for Palo Alto (Stream Control Transmission Protocol) SCTP Logs \n - Palo Alto System Logs: Gravwell generated CSV extraction for Palo Alto System Logs \n 
- Palo Alto Threat Logs: Gravwell generated CSV extraction for Palo Alto Threat Logs \n - Palo Alto Traffic Logs: Gravwell generated CSV extraction for Palo Alto Traffic Logs \n - Palo Alto Tunnel Logs: Gravwell generated CSV extraction for Palo Alto Tunnel Logs \n - Palo Alto User ID Logs: Gravwell generated CSV extraction for Palo Alto User ID Logs \n\n#### 1.3. [Macros](#1-3-macros) \n\n- Purpose: Search macros are a powerful feature that can help you use Gravwell more effectively. Macros can turn long, repetitive search queries into easily-remembered shortcuts. \n- [Documentation](\u003chttps://docs.gravwell.io/search/macros.html\u003e) \n- The Palo Alto Kit for Gravwell makes use of the following macros: \n- Total: ***16*** \n - $PAN\\_ALL: Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_AUTH: Configuration Macro; Tag used for all Palo Alto Authentication data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_CONFIG: Configuration Macro; Tag used for all Palo Alto Config data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_CORRELATION: Configuration Macro; Tag used for all Palo Alto Correlation data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_DECRYPTION: Configuration Macro; Tag used for all Palo Alto Decryption data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_GLOBALPROTECT: Configuration Macro; Tag used for all Palo Alto GlobalProtect data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. 
\n - $PAN\\_GTP: Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_HIPMATCH: Configuration Macro; Tag used for all Palo Alto HIP Match data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_IPTAG: Configuration Macro; Tag used for all Palo Alto IP Tag data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_SCTP: Configuration Macro; Tag used for all Palo Alto Stream Control Transmission Protocol (SCTP) data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_SYSTEM: Configuration Macro; Tag used for all Palo Alto System data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_THREAT: Configuration Macro; Tag used for all Palo Alto Threat data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_THREAT\\_TRAFFIC: Configuration Macro; Tag used for all Palo Alto Threat \u0026 Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_TRAFFIC: Configuration Macro; Tag used for all Palo Alto Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n - $PAN\\_TUNNEL: Configuration Macro; Tag used for all Palo Alto Tunnel data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. 
\n - $PAN\\_USERID: Configuration Macro; Tag used for all Palo Alto User ID data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. \n\n*** \n\n## 2. [Query Library](#2-query-library) \n\n- Purpose: Queries within the Query Library drive [dashboards](#10-dashboards) via [searches](#8-searches), [scheduled searches](#6-scheduled-searches) via [alert queries](#8-2-alert-queries), and [playbooks](#7-playbooks). \n- [Documentation](\u003chttps://docs.gravwell.io/gui/querylibrary/querylibrary.html\u003e) \n - Updating a query in the library updates dependent dashboards and scheduled searches automatically. \n - Total queries: ***45*** \n - [8.1 Dashboard Searches](#8-1-dashboard-searches): ***45*** \n - [8.2 Alert Queries](#8-2-alert-queries): ***0*** \n\n*** \n\n## 3. [Naming Schema](#3-naming-schema) \n\n- Purpose: The use of a standard naming convention enables users to quickly understand the function, severity, and context of a query or component. This approach facilitates efficient identification, reuse, and troubleshooting without ambiguity. \n- *QueryType - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - Name [Visualization - if any]* \n- Examples: \n - Templates: *Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User \u0026 IP [table]* \n - Searches: *Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]* \n - Alert Queries: *AlertQuery - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - SearchName [Visualization - if any]* \n\n*** \n\n## 4. [Resources](#4-resources) \n\n- Purpose: Resources allow users to store persistent data for use in searches. \n- [Documentation](\u003chttps://docs.gravwell.io/resources/resources.html\u003e) \n- Total: ***1*** \n\n#### 4.1. 
[Lookups](#4-1-lookups) \n\n- Purpose: Lookup Resources are used by the *lookup* module to perform data enrichment and translation off of a static lookup table stored in a resource. \n- [Documentation](\u003chttps://docs.gravwell.io/search/lookup/lookup.html\u003e) \n- Total: ***1*** \n - excluded\\_url\\_categories: Palo Alto URL categories to be excluded. \n\n*** \n\n## 5. [Alerts](#5-alerts) \n\n- Purpose: Alerts notify you of potential nefarious actions that took place within and/or against your environment by tying dispatchers and consumers together. \n- [Documentation](\u003chttps://docs.gravwell.io/alerts/alerts.html#alerts\u003e) \n- Total: ***0*** \n\n#### 5.1. [Dispatchers](#5-1-dispatchers) \n\n- Purpose: Dispatchers generate events. A typical dispatcher would be a scheduled search that runs on an interval; every result returned by a scheduled search is considered an event. \n - Dispatchers = [Scheduled Searches](#6-scheduled-searches) \n- [Documentation](\u003chttps://docs.gravwell.io/alerts/alerts.html#adding-dispatchers\u003e) \n- Total: ***0*** \n\n#### 5.2. [Consumers](#5-2-consumers) \n\n- Purpose: Consumers process and respond to events. A typical consumer would be a flow that sends an email to an administrator, or opens a ticket in the ticketing system. Each consumer runs once per event. \n - Consumers = [Flows](#6-1-flows) \n- [Documentation](\u003chttps://docs.gravwell.io/alerts/alerts.html#defining-a-consumer\u003e) \n- Total: ***0*** \n\n*** \n\n## 6. [Scheduled Searches](#6-scheduled-searches) \n\n- Purpose: Scheduled Searches are typically dependent on *AlertQuery - Palo Alto - ...* queries within the [Query Library](#2-query-library). \n- [Documentation](\u003chttps://docs.gravwell.io/scripting/scheduledsearch.html\u003e) \n- Total: ***0*** \n\n#### 6.1. [Flows](#6-1-flows) \n\n- Purpose: Flows provide a no-code method for developing advanced automations in Gravwell. 
\n- [Documentation](\u003chttps://docs.gravwell.io/flows/flows.html\u003e) \n- Total: ***0*** \n\n*** \n\n## 7. [Playbooks](#7-playbooks) \n\n- Purpose: Playbooks are hypertext documents within Gravwell which help guide users through common tasks, describe functionality, and record information about data in the system. \n- [Documentation](\u003chttps://docs.gravwell.io/gui/playbooks/playbooks.html\u003e) \n- Total: ***9*** \n - Palo Alto Kit - Integration Guide: An Integration Guide for onboarding your Palo Alto logs into Gravwell. \n - Palo Alto Kit - README: A toolkit for interacting with Palo Alto data in Gravwell. This kit includes queries, resources (lookups), templates, autoextractors, macros, and dashboards to help streamline Palo Alto analysis across various log sources. \n - Palo Alto Banner: banner file for kit build \"Palo Alto v1\" \n - Palo Alto Cover: cover file for kit build \"Palo Alto v1\" \n - Palo Alto Icon: icon file for kit build \"Palo Alto v1\" \n - Palo Alto Log Forwarding Profile: Shows a Palo Alto Log Forwarding Profile \n - Palo Alto Enumerated Values: Shows EVs expanded in text results for Palo Alto logs \n - Palo Alto Payload Format: Shows the payload format of the logs \n - Palo Alto Syslog Server Profile: Shows a configured syslog server within Palo Alto \n\n#### 7.1. [Files](#7-1-files) \n\n- Purpose: Gravwell users can upload small files for use in playbooks, as cover images for kits, etc. Typically, these files are created or selected at the point of use: via a picker in the playbook editor, in the kit builder, etc. \n- [Documentation](\u003chttps://docs.gravwell.io/gui/files/files.html\u003e) \n- Total: ***0*** \n\n*** \n\n## 8. [Searches](#8-searches) \n\n- Purpose: These queries within the Query Library drive [dashboards](#10-dashboards) to quickly view Palo Alto data in an easily digestible format or [scheduled searches](#6-scheduled-searches) to ultimately feed [alerts](#5-alerts). 
\n- [Documentation](\u003chttps://docs.gravwell.io/gui/querylibrary/querylibrary.html\u003e) \n- Total: ***45*** \n - Dashboard Search Total: ***45*** \n - Alert Query Total: ***0*** \n\n#### 8.1. [Dashboard Searches](#8-1-dashboard-searches) \n\n- Purpose: These queries within the Query Library drive [dashboards](#10-dashboards) to quickly view vendor data in an easily digestible format. \n- Total: ***45*** \n - Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]: Displays a chart of configuration event counts by administrator. \n - Search - Palo Alto - NGFW - Config - Events - Count by Client [chart]: Displays a chart of configuration event counts by client used to perform the action. \n - Search - Palo Alto - NGFW - Config - Events - Count by Command [chart]: Displays a chart of configuration event counts by command executed. \n - Search - Palo Alto - NGFW - Config - Events - Count by Command [numbercard]: Displays a numbercard of configuration event counts by command executed. \n - Search - Palo Alto - NGFW - Config - Events - Count by Results [chart]: Displays a chart of configuration event counts by command result. \n - Search - Palo Alto - NGFW - Config - Events - Latest Events [table]: Displays a chart of configuration event counts by administrator. \n - Search - Palo Alto - NGFW - Event Types - Count by Tag [chart]: Displays a chart of event counts by TAG. \n - Search - Palo Alto - NGFW - Event Types - Count by Tag [numbercard]: Displays a numbercard of event counts by TAG. \n - Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [chart]: Displays a chart of GlobalProtect login attempt counts by status. \n - Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [numbercard]: Displays a numbercard of GlobalProtect login attempt counts by status. 
\n - Search - Palo Alto - NGFW - GlobalProtect - Authentication - Failed Logins [table]: Displays a table of failed GlobalProtect login attempts by user, region, and source IP. \n - Search - Palo Alto - NGFW - GlobalProtect - Diagnostics - Average Latency [chart]: Displays a chart of average pre-tunnel and post-tunnel latency for GlobalProtect gateway connections. \n - Search - Palo Alto - NGFW - GlobalProtect - Events - Count by Subtype [numbercard]: Displays a numbercard of GlobalProtect event counts by subtype. \n - Search - Palo Alto - NGFW - GlobalProtect - Session - GlobalProtect Users [table]: Displays a table of GlobalProtect users with associated client system and operating system information. \n - Search - Palo Alto - NGFW - Threat - Events - Count by Scan Source Location [chart]: Displays a chart of scan event counts by source location. \n - Search - Palo Alto - NGFW - Threat - Events - Count by Scan Types [chart]: Displays a chart of scan event counts by threat ID. \n - Search - Palo Alto - NGFW - Threat - Events - Count by Subtype [numbercard]: Displays a numbercard of threat event counts by subtype. \n - Search - Palo Alto - NGFW - Threat - Events - Count by Threat Destination Location [chart]: Displays a chart of threat event counts by destination location. \n - Search - Palo Alto - NGFW - Threat - Events - Count by Threat Source Location [chart]: Displays a chart of threat event counts by source location. \n - Search - Palo Alto - NGFW - Threat - Events - Most Frequent Threat IDs [table]: Displays a table of the most frequently observed threat IDs in threat events. \n - Search - Palo Alto - NGFW - Threat - Events - Scan Source Locations [heatmap]: Displays a heatmap of scan event source IP locations. \n - Search - Palo Alto - NGFW - Threat - Events - Scans Detected [table]: Displays a table of detected scan events grouped by source and threat ID. 
\n - Search - Palo Alto - NGFW - Threat - Events - Threat Source Locations [heatmap]: Displays a heatmap of threat event source IP locations. \n - Search - Palo Alto - NGFW - Threat - URL - Count by Top Hostnames [table]: Displays a table of hostname counts extracted from URL threat events. \n - Search - Palo Alto - NGFW - Threat - URL - Top Web Categories [chart]: Displays a numbercard of SaaS event counts by type. \n - Search - Palo Alto - NGFW - Threat - WildFire - Count by Application [chart]: Displays a chart of WildFire submission counts by application. \n - Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [chart]: Displays a chart of WildFire verdict counts by category. \n - Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]: Displays a numbercard of WildFire verdict counts by category. \n - Search - Palo Alto - NGFW - Threat - WildFire - Count by File Type [chart]: Displays a chart of WildFire submission counts by file type. \n - Search - Palo Alto - NGFW - Threat - WildFire - Recent Wildfire Submissions [table]: Displays a table of recent non-benign WildFire file submissions including source, destination, and file details. \n - Search - Palo Alto - NGFW - Threat/Traffic - Event Type - Count by Type [numbercard]: Displays a numbercard of event counts by type. \n - Search - Palo Alto - NGFW - Traffic - Application - Rare Applications [table]: Displays a table of the least frequently observed applications in traffic logs. \n - Search - Palo Alto - NGFW - Traffic - Application - Top Applications [chart]: Displays a chart of the most frequently observed applications in traffic logs. \n - Search - Palo Alto - NGFW - Traffic - Bytes - Total Traffic Volume [chart]: Displays a chart of total traffic volume in megabytes based on summed byte counts from traffic logs. \n - Search - Palo Alto - NGFW - Traffic - Events - Count by Subtype [numbercard]: Displays a numbercard of threat event counts by subtype. 
\n - Search - Palo Alto - NGFW - Traffic - SaaS - Application Distribution [table]: Displays a table of SaaS applications with session counts and total traffic volume by category and subcategory. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Action [chart]: Displays a chart of SaaS traffic event counts by action. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Application [chart]: Displays a chart of SaaS traffic session counts by application. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Sanctioned Category [chart]: Displays a chart of the most frequently observed sanctioned SaaS application categories. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Unsanctioned Category [chart]: Displays a chart of the least frequently observed sanctioned SaaS application categories. \n - Search - Palo Alto - NGFW - Traffic - SaaS - SaaS Event Count [numbercard]: Displays a numbercard of SaaS event counts by type. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Application Percentages [chart]: Displays a chart of SaaS traffic counts comparing sanctioned and non-sanctioned applications. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Applications [table]: Displays a table of sanctioned SaaS applications with session counts and total traffic volume. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Total Bytes Transferred [numbercard]: Displays a numbercard of total bytes transferred for SaaS traffic sessions. \n - Search - Palo Alto - NGFW - Traffic - SaaS - Unsanctioned Applications [table]: Displays a table of unsanctioned SaaS applications with session counts and total traffic volume. \n- Naming Schema: *Search - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - SearchName [Visualization - if any]* \n\n#### 8.2. 
[Alert Queries](#8-2-alert-queries) \n\n- Purpose: These queries within the Query Library drive [scheduled searches](#6-scheduled-searches) which ultimately feed [alerts](#5-alerts). \n- IMPORTANT: If you need to update or tune, this is where you perform that action. \n- Total: ***0*** \n- Naming Schema: *AlertQuery - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - SearchName [Visualization - if any]* \n\n*** \n\n## 9. [Templates](#9-templates) \n\n- Purpose: Templates are special objects which define a Gravwell query containing variables. \n- [Documentation](\u003chttps://docs.gravwell.io/gui/templates/templates.html\u003e) \n- Total: ***5*** \n - Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User \u0026 IP [table]: Displays a table of GlobalProtect sessions associated with the specified IP address including user and machine information. \n - Template - Palo Alto - NGFW - Threat - Events - All Threat Events for User \u0026 IP [table]: Displays a table of threat events associated with the specified IP address including source, destination, and threat ID. \n - Template - Palo Alto - NGFW - Threat - Subtype - Count by Subtypes for User \u0026 IP [numbercard]: Displays a numbercard of threat event counts by subtype for the specified IP address. \n - Template - Palo Alto - NGFW - Threat - WildFire - All Submissions for User \u0026 IP [table]: Displays a table of WildFire file submissions associated with the specified IP address. \n - Template - Palo Alto - NGFW - Traffic - Category - Count by Category [chart]: Displays a chart of traffic event counts by application category for the specified IP address. \n\n*** \n\n## 10. [Dashboards](#10-dashboards) \n\n- Purpose: Dashboards are Gravwell’s way of showing the results from multiple searches at the same time. 
\n- [Documentation](\u003chttps://docs.gravwell.io/gui/dashboards/dashboards.html\u003e) \n- Total: ***8*** \n - Palo Alto Config Overview: This dashboard is a general overview of your Palo Alto Device Configuration data. \n - Palo Alto General Overview: This Dashboard is a general overview of your Palo Alto data. \n - Palo Alto GlobalProtect Overview: This dashboard is a general overview of your Palo Alto GlobalProtect VPN and client(s) data. \n - Palo Alto Investigations: This Dashboard is intended to be used for Palo Alto investigations. \n - Palo Alto SaaS Overview: This dashboard is a general overview into your Palo Alto SaaS data. \n - Palo Alto Threat Overview: This Dashboard is a general overview of your Palo Alto Threat data. \n - Palo Alto User Behavior Overview: This dashboard is a general overview of User Behavior in your Palo Alto data. \n - Palo Alto Wildfire Overview: This dashboard is a general overview of your Palo Alto Wildfire analysis submissions \u0026 verdicts. \n\n#### 10.1. [Actionables](#10-1-actionables) \n\n- Purpose: Actionables provide a way to create custom menus that key on any text rendered in a query; users can take different actions on that text by selecting options in the menus. \n- [Documentation](\u003chttps://docs.gravwell.io/gui/actionables/actionables.html\u003e) \n- Total: ***2*** \n - Palo Alto IP: Palo Alto actions on IP Address \n - Palo Alto User: Palo Alto actions on src/dst user \n\n*** \n\n## 11. 
[Useful Resources \u0026 References](#11-useful-resources--references) \n\n- Gravwell \n - [Actionables](\u003chttps://docs.gravwell.io/gui/actionables/actionables.html\u003e) \n - [Alerts](\u003chttps://docs.gravwell.io/alerts/alerts.html#alerts\u003e) \n - [Autoextractors](\u003chttps://docs.gravwell.io/configuration/autoextractors.html\u003e) \n - [Consumers](\u003chttps://docs.gravwell.io/alerts/alerts.html#defining-a-consumer\u003e) \n - [Dashboards](\u003chttps://docs.gravwell.io/gui/dashboards/dashboards.html\u003e) \n - [Dispatchers](\u003chttps://docs.gravwell.io/alerts/alerts.html#adding-dispatchers\u003e) \n - [Files](\u003chttps://docs.gravwell.io/gui/files/files.html\u003e) \n - [Flows](\u003chttps://docs.gravwell.io/flows/flows.html\u003e) \n - [Lookup Module](\u003chttps://docs.gravwell.io/search/lookup/lookup.html\u003e) \n - [Macros](\u003chttps://docs.gravwell.io/search/macros.html\u003e) \n - [Playbooks](\u003chttps://docs.gravwell.io/gui/playbooks/playbooks.html\u003e) \n - [Query Library](\u003chttps://docs.gravwell.io/gui/querylibrary/querylibrary.html\u003e) \n - [regexrouter Preprocessor](\u003chttps://docs.gravwell.io/ingesters/preprocessors/regexrouter.html\u003e) \n - [Resources](\u003chttps://docs.gravwell.io/resources/resources.html\u003e) \n - [Scheduled Searches](\u003chttps://docs.gravwell.io/scripting/scheduledsearch.html\u003e) \n - [Simple Relay](\u003chttps://docs.gravwell.io/ingesters/simple_relay.html\u003e) \n - [Tags](\u003chttps://docs.gravwell.io/ingesters/ingesters.html#tags\u003e) \n - [Templates](\u003chttps://docs.gravwell.io/gui/templates/templates.html\u003e) \n- Palo Alto \n - [Palo Alto Traffic Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html\u003e) \n - [Palo Alto Threat Log 
Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html\u003e) \n - [Palo Alto URL Filtering Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/url-filtering-log-fields.html\u003e) \n - [Palo Alto Data Filtering Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/data-filtering-log-fields.html\u003e) \n - [Palo Alto HIP Match Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields.html\u003e) \n - [Palo Alto GlobalProtect Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html\u003e) \n - [Palo Alto IP-Tag Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields.html\u003e) \n - [Palo Alto User-ID Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields.html\u003e) \n - [Palo Alto Decryption Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields.html\u003e) \n - [Palo Alto Tunnel Inspection Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/tunnel-inspection-log-fields.html\u003e) \n - [Palo Alto SCTP Log 
Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields.html\u003e) \n - [Palo Alto Authentication Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields.html\u003e) \n - [Palo Alto Config Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields.html\u003e) \n - [Palo Alto System Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields.html\u003e) \n - [Palo Alto Correlated Events Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields.html\u003e) \n - [Palo Alto GTP Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields.html\u003e) \n - [Palo Alto Audit Log Fields](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields.html\u003e) \n - [Palo Alto Syslog Severity](\u003chttps://docs.paloaltonetworks.com/content/techdocs/en_US/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/syslog-severity.html\u003e) \n\n*** \n\n## 12. 
[Notes](#12-notes) \n\n- Default log source mapping for Palo Alto Kit: \n - pan\\_auth = Authentication \n - pan\\_config = Config \n - pan\\_correlation = Correlation \n - pan\\_decryption = Decryption \n - pan\\_globalprotect = GlobalProtect \n - pan\\_gtp = GTP \n - pan\\_hipmatch = HIP Match \n - pan\\_iptag = IP Tag \n - pan\\_sctp = Stream Control Transmission Protocol (SCTP) \n - pan\\_system = System \n - pan\\_threat = Threat \n - pan\\_traffic = Traffic \n - pan\\_tunnel = Tunnel \n - pan\\_userid = User ID \n\n*** \n\n## 13. [Image credits](#13-image-credits) \n\n- Icon: Palo Alto Icon \n- Banner: Palo Alto Banner \n- Cover: Palo Alto Cover \n\n***", + "Version": 9, "MinVersion": { "Major": 5, "Minor": 4, 
@@ -12,19 +12,109 @@ "MaxVersion": { "Major": 5, "Minor": 99, - "Point": 99 + "Point": 0 }, "Icon": "c69dee69-d682-4d6c-951b-a66924098495", "Banner": "ac8d907f-c540-4237-8327-1ad55c173b6e", "Cover": "1f8f6d4b-0ff4-4764-a053-50cf8c876cc7", "Items": [ + { + "Name": "Apache 2.0 License", + "Type": 10, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, { "Name": "excluded_url_categories", "Type": 1, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "c30772c4-22a9-4495-8fbf-f62a69bc9640", + "Name": "PAN_CONFIG", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_TRAFFIC", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_SYSTEM", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_GTP", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_TUNNEL", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_CORRELATION", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_THREAT", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_USERID", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_DECRYPTION", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_IPTAG", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_ALL", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_HIPMATCH", + "Type": 8, + "Hash": 
"0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_GLOBALPROTECT", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_SCTP", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_THREAT_TRAFFIC", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "PAN_AUTH", + "Type": 8, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "76cb01f8-2601-4d41-a418-4f3ab0666507", + "Type": 3, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "f91107ca-9fb8-4315-b0c8-f98173fb54d3", "Type": 3, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, @@ -33,6 +123,11 @@ "Type": 3, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, + { + "Name": "c30772c4-22a9-4495-8fbf-f62a69bc9640", + "Type": 3, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, { "Name": "6ce64d08-9962-4e1b-9654-78c0e2ac3a09", "Type": 3, 
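Review bot: Every new Items entry in this hunk, from the added `Apache 2.0 License` (Type 10) through the `PAN_*` Type 8 entries and the Type 3 UUIDs, carries a `Hash` of 64 zeros, and the same holds for the items added in the hunks that follow. If the kit builder overwrites these at build time that is fine, but as committed the manifest gives an installer nothing to verify item contents against, so a mismatched or altered item in the bundle would not be detected by this file. Presumably this is the builder's placeholder convention; I would either confirm that the build step populates the real hashes or add a one-line note in the kit README that manifest hashes are placeholders until build. Separately, `MaxVersion.Point` drops from 99 to 0, which narrows the upper bound to 5.99.0 rather than 5.99.99; if that is intentional it deserves a line in the commit description.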
@@ -54,33 +149,33 @@ "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "1bc04ece-9e58-496b-8297-7c8d1f9ba46f", - "Type": 3, + "Name": "10e2589a-08f8-4665-857d-3e6092c9500a", + "Type": 6, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "21c85c02-8c7a-42fd-9cba-005d36c2cce1", + "Name": "c9e19be7-3673-4d7e-8303-352a1a3ce0bc", "Type": 6, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "f451f8b7-cf3d-423b-95c6-3738852bd9ea", + "Name": "15e8e4fd-763e-4043-97f0-162778ec859c", "Type": 6, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "182e5db7-4513-4056-a8a8-987fbf570599", + "Name": "278a59ad-0113-42d1-8cf5-3c8bd2bc921c", "Type": 6, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "e06715fe-29f6-4d29-bdf2-df6ef933fc72", + "Name": "ecd856f4-ee40-4cc9-a327-5f85ed518a13", "Type": 6, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "8ff368b5-1d29-422a-89a7-7eb20c50d224", - "Type": 6, + "Name": "dbf5d89f-f36d-4382-92d1-8c1e335562f6", + "Type": 5, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { 
@@ -89,22 +184,242 @@ "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "f99bf07b-e093-4631-85d4-687b039ecda2", - "Type": 7, + "Name": "80c5d3bb-81fb-475a-b922-f5387e023102", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "17da5912-7283-4c8a-97a1-fb532c072fe8", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "8fbf3919-9199-41a0-b72e-07a4aed91ab7", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "2e2a52c3-01c9-411e-9254-e205ac7b13fa", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "ce08d927-0617-41e5-9b44-22f8568c5ff0", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "3233c046-6e37-4318-8b78-b5a4cb25f12a", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "9b25ad03-4189-445f-b27c-48ec3af4b0e7", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "2d5b39c9-8589-442f-b1dd-715ee4c6c677", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "4898082c-5181-43a9-86f9-00b86bead404", + "Type": 9, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "3392b289-f7e5-4f0a-802e-075cd62b45a5", + "Name": "ed30530c-b91b-4e37-aa5a-c9c3c889832c", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "3fd985ab-3814-433a-920c-42586088ca44", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "8b60b817-ad70-4c99-95ec-c82c43e61d64", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + 
"Name": "2332615f-d68f-4635-98e2-f931ae86713c", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "73263790-9a8a-43e1-b231-be2b784de192", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "9ed28079-5408-43b7-8d44-c1b9c9dfbfed", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "847bc392-e6f0-4aa3-ba1f-db7b9608c672", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "dfec2b9b-5466-4ec5-9ce6-5a23b42488f7", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "45a0354b-4971-4917-a273-a16dd78b5ee3", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "1ef98531-447b-4dc0-8df2-3ad2e4815902", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "fd4e2509-d685-49d4-b9c8-cdb8d1c0d153", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "029d59e0-bf7b-4fb0-a783-df0a644ca5b9", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "165321ca-629d-4560-afbb-2ac6cc3ecc56", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "741a45c8-9248-4922-97c2-a6b9b525e6d4", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "32e6de72-2601-41be-b6ed-dc4acb4e834e", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "eb5f3a03-f3fc-479e-a4fb-babff92baf97", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "fe4898de-8dd2-46dc-a3bc-3263bdaae33a", + "Type": 9, + 
"Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "80ade539-a898-480c-b9da-c284f3da09dc", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "bc005eda-32cf-4a11-accf-6684a2fb9af2", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "4890dfae-9bc6-4428-8f02-c32b98a7ddab", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "308a0350-9e34-4e97-91e2-16d27ff0a350", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "47076a81-7c11-474f-86a1-4d1c3d53a8d8", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "5a11f630-f7f2-4c98-9500-688928974ac3", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "9a538ea3-3656-4d12-a252-9b4c88487299", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "3afdb278-a9cb-4d28-afa9-1e06707ddb46", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "03e0c1e3-b239-433a-855d-cca56e0867f9", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "a787167f-da7d-4c92-b2fd-09698f21e49b", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "0102c2d0-b817-413f-affc-92d00b4fd452", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "1812fddf-4109-4d57-b274-1da9981b426f", + "Type": 9, + "Hash": 
"0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "38108c90-9965-4eaa-8c00-13baef49fcb5", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "d625b9af-4e63-40df-9392-62cbd04c8213", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "2a0213fe-5013-4649-a859-4e1ed8299c99", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "f04b1ebf-96d1-4220-97da-291ab125f4d4", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "e442e808-5c6e-4509-a66b-cb744a26aff6", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "52cd3303-4013-47e5-bc75-fa8f999222aa", + "Type": 9, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "ac8d907f-c540-4237-8327-1ad55c173b6e", "Type": 7, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "7d17282a-b57b-41d7-aa76-ebae78021abc", + "Name": "1f8f6d4b-0ff4-4764-a053-50cf8c876cc7", "Type": 7, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "3bfcce25-dc9f-40dd-a838-fddd02e1cbdf", + "Name": "16b991a1-86c7-4f08-b408-c5faa8afeef3", "Type": 7, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, 
@@ -114,12 +429,17 @@ "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "1f8f6d4b-0ff4-4764-a053-50cf8c876cc7", + "Name": "f99bf07b-e093-4631-85d4-687b039ecda2", "Type": 7, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "ac8d907f-c540-4237-8327-1ad55c173b6e", + "Name": "50cb5863-6867-47da-bc49-7bef73317ddc", + "Type": 7, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "8c6e109a-e0e8-4347-9f9b-687ac9291e81", "Type": 7, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, @@ -129,17 +449,22 @@ "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_globalprotect", + "Name": "10f92652-bef8-43ec-8fc1-8acf5f465093", + "Type": 11, + "Hash": "0000000000000000000000000000000000000000000000000000000000000000" + }, + { + "Name": "pan_correlation", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_sctp", + "Name": "pan_threat", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_gtp", + "Name": "pan_globalprotect", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, 
@@ -149,27 +474,27 @@ "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_userid", + "Name": "pan_decryption", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_traffic", + "Name": "pan_config", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_decryption", + "Name": "pan_tunnel", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_threat", + "Name": "pan_traffic", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, { - "Name": "pan_hipmatch", + "Name": "pan_gtp", "Type": 4, "Hash": "0000000000000000000000000000000000000000000000000000000000000000" }, 
@@ -179,112 +504,147 @@
 "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
 },
 {
- "Name": "pan_tunnel",
+ "Name": "pan_auth",
 "Type": 4,
 "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
 },
 {
- "Name": "pan_correlation",
+ "Name": "pan_userid",
 "Type": 4,
 "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
 },
 {
- "Name": "pan_config",
+ "Name": "pan_hipmatch",
 "Type": 4,
 "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
 },
 {
- "Name": "pan_auth",
+ "Name": "pan_sctp",
 "Type": 4,
 "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ }
+ ],
+ "Dependencies": null,
+ "ConfigMacros": [
+ {
+ "MacroName": "PAN_ALL",
+ "Description": "Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_*",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "16b991a1-86c7-4f08-b408-c5faa8afeef3",
- "Type": 7,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_AUTH",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Authentication data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_auth",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "50cb5863-6867-47da-bc49-7bef73317ddc",
- "Type": 7,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_CONFIG",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Config data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_config",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "PAN_ALL",
- "Type": 8,
- "Hash": 
"0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_CORRELATION",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Correlation data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_correlation",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "PAN_CONFIG",
- "Type": 8,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_DECRYPTION",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Decryption data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_decryption",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "PAN_GLOBALPROTECT",
- "Type": 8,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_GLOBALPROTECT",
+ "Description": "Configuration Macro; Tag used for all Palo Alto GlobalProtect data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_globalprotect",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "PAN_THREAT",
- "Type": 8,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_GTP",
+ "Description": "Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_gtp",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "PAN_TRAFFIC",
- "Type": 8,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
+ "MacroName": "PAN_HIPMATCH",
+ "Description": "Configuration Macro; Tag used for all Palo Alto HIP Match data; necessary for any queries 
within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_hipmatch",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
 },
 {
- "Name": "PAN_THREAT_TRAFFIC",
- "Type": 8,
- "Hash": "0000000000000000000000000000000000000000000000000000000000000000"
- }
- ],
- "Dependencies": [
+ "MacroName": "PAN_IPTAG",
+ "Description": "Configuration Macro; Tag used for all Palo Alto IP Tag data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_iptag",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ },
 {
- "ID": "io.gravwell.networkenrichment",
- "MinVersion": 13
- }
- ],
- "ConfigMacros": [
+ "MacroName": "PAN_SCTP",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Stream Control Transmission Protocol (SCTP) data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_sctp",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ },
 {
- "MacroName": "PAN_ALL",
- "Description": "Palo Alto tag containing type=* events",
- "DefaultValue": "pan_*",
- "Value": "",
- "Type": "TAG",
- "InstalledByID": ""
- },
- {
- "MacroName": "PAN_CONFIG",
- "Description": "Palo Alto tag containing type=config events",
- "DefaultValue": "pan_config",
- "Value": "",
- "Type": "TAG",
- "InstalledByID": ""
- },
- {
- "MacroName": "PAN_GLOBALPROTECT",
- "Description": "Palo Alto tag containing type=globalprotect events",
- "DefaultValue": "pan_globalprotect",
- "Value": "",
- "Type": "TAG",
- "InstalledByID": ""
- },
- {
- "MacroName": "PAN_THREAT",
- "Description": "Palo Alto tag containing type=threat events",
- "DefaultValue": "pan_threat",
- "Value": "",
- "Type": "TAG",
- "InstalledByID": ""
- },
- {
- "MacroName": "PAN_TRAFFIC",
- "Description": "Palo Alto tag containing type=traffic events",
- "DefaultValue": "pan_traffic",
- "Value": "",
- "Type": "TAG",
- "InstalledByID": ""
- }
+ "MacroName": "PAN_SYSTEM",
+ "Description": "Configuration Macro; Tag used for all Palo Alto System data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_system",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ },
+ {
+ "MacroName": "PAN_THREAT",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Threat data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_threat",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ },
+ {
+ "MacroName": "PAN_TRAFFIC",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_traffic",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ },
+ {
+ "MacroName": "PAN_TUNNEL",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Tunnel data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_tunnel",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ },
+ {
+ "MacroName": "PAN_USERID",
+ "Description": "Configuration Macro; Tag used for all Palo Alto User ID data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "DefaultValue": "pan_userid",
+ "Value": "",
+ "Type": "TAG",
+ "InstalledByID": ""
+ }
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/README.md b/paloalto/README.md
index 95caa3e8..5f74ab55 100644
--- a/paloalto/README.md
+++ b/paloalto/README.md
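Review bot: `"Dependencies": null` in this hunk drops the `io.gravwell.networkenrichment` (MinVersion 13) entry, while the README hunk in the same commit adds a "Dependencies" section naming the Gravwell Network Enrichment Kit (v19), so the manifest and the documentation now disagree. If any query or resource in the kit still relies on that kit, the manifest should declare it so installs pull it in, e.g. `"Dependencies": [ { "ID": "io.gravwell.networkenrichment", "MinVersion": 19 } ]`; otherwise the README line should be removed. Separately, the `PAN_GTP` macro's Description reads "Tag used for all Palo Alto data", the only per-type macro that omits its log type; `"Tag used for all Palo Alto GTP data; ..."` would match its siblings. The enclosing JSON object begins before this hunk.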
@@ -1,7 +1,29 @@
-# Palo Alto Next-Gen Firewall Kit
+# Palo Alto Kit
 
-This kit provides pre-built tools to help analyze logs from Palo Alto next-gen firewalls. It includes:
+The Palo Alto Kit provides a baseline set of tags, macros, saved queries, lookup resources, playbooks, actionables, dashboard searches, alert queries, and dashboards for your Palo Alto data.
 
-* Autoextractor definitions for common Palo Alto log formats, to more easily extract fields from log entries.
-* Dashboards providing overviews and investigative options for different log types.
-* Instructions on how to get Palo Alto logs *into* Gravwell.
+The Palo Alto Kit is licensed under the Apache 2.0 license and the contents are available on [Palo Alto](https://github.com/gravwell/kits/tree/main/paloalto).
+
+Palo Alto images are wholly owned by Palo Alto and are **NOT** subject to any Gravwell licensing.
+
+## Dependencies
+- Gravwell Network Enrichment Kit (v19)
+
+## Changelog
+- 9.0: Kit Refactor
+ - actionables 02
+ - alert 00
+ - autoextractor 14
+ - dashboard 08
+ - file 07
+ - license 01
+ - macro 16
+ - playbook 02
+ - resource 01
+ - scheduled 00
+ - scheduled searches 00
+ - flows 00
+ - searchlibrary 45
+ - alert queries 00
+ - dashboard searches 45
+ - template 05
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_auth.meta b/paloalto/autoextractor/pan_auth.meta
index 8daff4b2..06ca9115 100644
--- a/paloalto/autoextractor/pan_auth.meta
+++ b/paloalto/autoextractor/pan_auth.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto auth",
- "Desc": "Palo Alto auth log format",
+ "Name": "Palo Alto Authentication Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Authentication Logs",
 "Module": "csv",
- "Tag": "pan_auth",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_auth"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "f3a7b338-30da-4523-a94c-df4f5ce4143a",
- "LastUpdated": "2022-03-31T16:30:55.432053695Z"
+ "Global": true,
+ "UUID": "be30691d-5ea3-46e9-8dcb-2d6e22708524",
+ "LastUpdated": "2026-03-18T14:34:20.154664008Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_config.meta b/paloalto/autoextractor/pan_config.meta
index 943da181..9c42ad7e 100644
--- a/paloalto/autoextractor/pan_config.meta
+++ b/paloalto/autoextractor/pan_config.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto config",
- "Desc": "Palo Alto config log format",
+ "Name": "Palo Alto Config Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Config Logs",
 "Module": "csv",
- "Tag": "pan_config",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_config"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "ef46ce1b-dc02-4879-92fb-4b2c3d9d9f31",
- "LastUpdated": "2022-03-31T16:30:55.431183147Z"
+ "Global": true,
+ "UUID": "6f7f76a9-2a3c-411e-ab06-0bfda7f6a76d",
+ "LastUpdated": "2026-03-18T14:35:07.77571496Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_correlation.meta b/paloalto/autoextractor/pan_correlation.meta
index e13a4eab..5effb4d9 100644
--- a/paloalto/autoextractor/pan_correlation.meta
+++ b/paloalto/autoextractor/pan_correlation.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto correlation",
- "Desc": "Palo Alto correlation log format",
+ "Name": "Palo Alto Correlation Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Correlation Logs",
 "Module": "csv",
- "Tag": "pan_correlation",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_correlation"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "c9d633ec-c514-482c-a799-10a88a7302d6",
- "LastUpdated": "2022-03-31T16:30:55.430145847Z"
+ "Global": true,
+ "UUID": "0bdc6bf4-2263-4863-b5a8-3306bb9d2e4a",
+ "LastUpdated": "2026-03-18T14:35:17.188604839Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_decryption.meta b/paloalto/autoextractor/pan_decryption.meta
index e71336c2..efe83908 100644
--- a/paloalto/autoextractor/pan_decryption.meta
+++ b/paloalto/autoextractor/pan_decryption.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto decryption",
- "Desc": "Palo Alto decryption log format",
+ "Name": "Palo Alto Decryption Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Decryption Logs",
 "Module": "csv",
- "Tag": "pan_decryption",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_decryption"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "8fe5f222-079a-4602-b649-9d4dda1415df",
- "LastUpdated": "2022-03-31T16:30:55.427325771Z"
+ "Global": true,
+ "UUID": "5d3e6e7a-09c8-4fe4-95ed-8816282f3cd6",
+ "LastUpdated": "2026-03-18T14:35:25.715208219Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_globalprotect.meta b/paloalto/autoextractor/pan_globalprotect.meta
index 7073d1dd..522a4731 100644
--- a/paloalto/autoextractor/pan_globalprotect.meta
+++ b/paloalto/autoextractor/pan_globalprotect.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto globalprotect",
- "Desc": "Palo Alto globalprotect log format",
+ "Name": "Palo Alto GlobalProtect Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto GlobalProtect logs",
 "Module": "csv",
- "Tag": "pan_globalprotect",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_globalprotect"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "19fdf36e-1421-41e0-8740-897049f9b885",
- "LastUpdated": "2022-03-31T16:30:55.414316971Z"
+ "Global": true,
+ "UUID": "15196623-4279-4996-ac1d-b4d913d18a71",
+ "LastUpdated": "2026-03-18T14:35:35.356568876Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_gtp.meta b/paloalto/autoextractor/pan_gtp.meta
index d37ba517..a9d484e6 100644
--- a/paloalto/autoextractor/pan_gtp.meta
+++ b/paloalto/autoextractor/pan_gtp.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto gtp",
- "Desc": "Palo Alto gtp log format",
+ "Name": "Palo Alto GPRS Tunning Protocol (GTP) Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto GPRS Tunning Protocol (GTP) Logs",
 "Module": "csv",
- "Tag": "pan_gtp",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_gtp"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "3be16e39-7747-448c-a9a5-a5312be98571",
- "LastUpdated": "2022-03-31T16:30:55.424612296Z"
+ "Global": true,
+ "UUID": "90fe2779-2650-4cc1-9001-0f5b85d1a325",
+ "LastUpdated": "2026-03-18T14:35:48.57589384Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_hipmatch.meta b/paloalto/autoextractor/pan_hipmatch.meta
index de0b51b0..2224333a 100644
--- a/paloalto/autoextractor/pan_hipmatch.meta
+++ b/paloalto/autoextractor/pan_hipmatch.meta
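Review bot: "GPRS Tunning Protocol" in the new `Name` and `Desc` of pan_gtp.meta is a typo for "GPRS Tunneling Protocol", and both strings are what operators see in the extractor listing; `"Name": "Palo Alto GPRS Tunneling Protocol (GTP) Logs"` and the matching `Desc` fix it. Two sibling hunks have naming nits of the same kind: pan_sctp.meta puts the expansion before the acronym ("(Stream Control Transmission Protocol) SCTP Logs") while the manifest macro writes "Stream Control Transmission Protocol (SCTP)", and pan_globalprotect.meta's Desc ends in lowercase "logs" where every other extractor says "Logs". Every extractor hunk in this commit also flips `Global` to true and `UID` to 1; that presumably makes each extractor available to all users rather than only its owner, which is worth confirming as intended and stating in the changelog.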
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto hipmatch",
- "Desc": "Palo Alto hipmatch log format",
+ "Name": "Palo Alto HIP Match Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto HIP Match Logs",
 "Module": "csv",
- "Tag": "pan_hipmatch",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_hipmatch"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "91b614f3-ffe7-4bd5-84f8-b1b66cca859c",
- "LastUpdated": "2022-03-31T16:30:55.428733784Z"
+ "Global": true,
+ "UUID": "f3025abb-27c1-4f09-855a-4c6afed9aeeb",
+ "LastUpdated": "2026-03-18T14:35:56.440718427Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_iptag.meta b/paloalto/autoextractor/pan_iptag.meta
index fc5275da..ae6c1a8e 100644
--- a/paloalto/autoextractor/pan_iptag.meta
+++ b/paloalto/autoextractor/pan_iptag.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto iptag",
- "Desc": "Palo Alto iptag log format",
+ "Name": "Palo Alto IP-Tag Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto IP-Tag Logs",
 "Module": "csv",
- "Tag": "pan_iptag",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_iptag"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "445ed9e9-f7b9-4d65-8163-5167f96fa9dd",
- "LastUpdated": "2022-03-31T16:30:55.425575565Z"
+ "Global": true,
+ "UUID": "33f12004-6235-4f49-b79f-7c802bded3df",
+ "LastUpdated": "2026-03-18T14:36:04.473947458Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_sctp.meta b/paloalto/autoextractor/pan_sctp.meta
index 1683c4aa..ef0d62ed 100644
--- a/paloalto/autoextractor/pan_sctp.meta
+++ b/paloalto/autoextractor/pan_sctp.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto sctp",
- "Desc": "Palo Alto sctp log format",
+ "Name": "Palo Alto (Stream Control Transmission Protocol) SCTP Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto (Stream Control Transmission Protocol) SCTP Logs",
 "Module": "csv",
- "Tag": "pan_sctp",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_sctp"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "22e5103f-9656-47fa-bd83-87792d7f74a4",
- "LastUpdated": "2022-03-31T16:30:55.415392221Z"
+ "Global": true,
+ "UUID": "fed9ece0-043f-4696-9694-1c2623f85040",
+ "LastUpdated": "2026-03-18T14:36:29.989586971Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_system.meta b/paloalto/autoextractor/pan_system.meta
index 317402aa..6cd4efdc 100644
--- a/paloalto/autoextractor/pan_system.meta
+++ b/paloalto/autoextractor/pan_system.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto system",
- "Desc": "Palo Alto system log format",
+ "Name": "Palo Alto System Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto System Logs",
 "Module": "csv",
- "Tag": "pan_system",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_system"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "ae4bfd86-e15f-4133-be3c-3fbd5fbbc3d7",
- "LastUpdated": "2022-03-31T16:30:55.429085298Z"
+ "Global": true,
+ "UUID": "b919d2a4-a42d-4398-97e7-bb5527de5d04",
+ "LastUpdated": "2026-03-18T14:36:37.687377627Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_threat.meta b/paloalto/autoextractor/pan_threat.meta
index 127885b8..c0bd3a4c 100644
--- a/paloalto/autoextractor/pan_threat.meta
+++ b/paloalto/autoextractor/pan_threat.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto threat",
- "Desc": "Palo Alto threat log format",
+ "Name": "Palo Alto Threat Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Threat Logs",
 "Module": "csv",
- "Tag": "pan_threat",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_threat"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "90cfcba8-890c-4f8b-81fa-d0dadbbd231a",
- "LastUpdated": "2022-03-31T16:30:55.427771125Z"
+ "Global": true,
+ "UUID": "0f763612-0938-4640-8aff-795bd5075319",
+ "LastUpdated": "2026-03-18T14:36:44.754913255Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_traffic.meta b/paloalto/autoextractor/pan_traffic.meta
index 20c015d1..e0e91fd5 100644
--- a/paloalto/autoextractor/pan_traffic.meta
+++ b/paloalto/autoextractor/pan_traffic.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto traffic",
- "Desc": "Palo Alto traffic log format",
+ "Name": "Palo Alto Traffic Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Traffic Logs",
 "Module": "csv",
- "Tag": "pan_traffic",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_traffic"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "6c2e0504-7092-48f6-a320-87f789d86f53",
- "LastUpdated": "2022-03-31T16:30:55.427033729Z"
+ "Global": true,
+ "UUID": "81e259d5-e7b1-4aeb-91a4-10efe8302ae5",
+ "LastUpdated": "2026-03-18T14:36:53.277523342Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_tunnel.meta b/paloalto/autoextractor/pan_tunnel.meta
index 0de2600a..a70bfc2b 100644
--- a/paloalto/autoextractor/pan_tunnel.meta
+++ b/paloalto/autoextractor/pan_tunnel.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto tunnel",
- "Desc": "Palo Alto tunnel log format",
+ "Name": "Palo Alto Tunnel Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto Tunnel Logs",
 "Module": "csv",
- "Tag": "pan_tunnel",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_tunnel"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "c39a74a5-998c-48a0-a8a3-cefe431df782",
- "LastUpdated": "2022-03-31T16:30:55.429742494Z"
+ "Global": true,
+ "UUID": "7035c824-b462-4e4c-8806-20e028af9e67",
+ "LastUpdated": "2026-03-18T14:37:01.091509554Z"
 }
\ No newline at end of file
diff --git a/paloalto/autoextractor/pan_userid.meta b/paloalto/autoextractor/pan_userid.meta
index 478a593d..557fad3b 100644
--- a/paloalto/autoextractor/pan_userid.meta
+++ b/paloalto/autoextractor/pan_userid.meta
@@ -1,12 +1,17 @@
 {
- "Name": "Palo Alto userid",
- "Desc": "Palo Alto userid log format",
+ "Name": "Palo Alto User ID Logs",
+ "Desc": "Gravwell generated CSV extraction for Palo Alto User ID Logs",
 "Module": "csv",
- "Tag": "pan_userid",
- "Labels": null,
- "UID": 2,
+ "Tag": "",
+ "Tags": [
+ "pan_userid"
+ ],
+ "Labels": [
+ "palo"
+ ],
+ "UID": 1,
 "GIDs": null,
- "Global": false,
- "UUID": "626adfdc-4a6f-4c6f-b573-e069db2c888a",
- "LastUpdated": "2022-03-31T16:30:55.425802727Z"
+ "Global": true,
+ "UUID": "bff71940-e4e0-44db-be61-c648023ddc4d",
+ "LastUpdated": "2026-03-18T14:37:09.439407544Z"
 }
\ No newline at end of file
diff --git a/paloalto/dashboard/1bc04ece-9e58-496b-8297-7c8d1f9ba46f.meta b/paloalto/dashboard/1bc04ece-9e58-496b-8297-7c8d1f9ba46f.meta
deleted file mode 100644
index 84a25d30..00000000
--- a/paloalto/dashboard/1bc04ece-9e58-496b-8297-7c8d1f9ba46f.meta
+++ /dev/null
@@ -1,193 +0,0 @@
-{
- "UUID": "1bc04ece-9e58-496b-8297-7c8d1f9ba46f",
- "Name": "Palo Alto User Behavior",
- "Description": "General overview of user behavior from Palo Alto logs",
- "Data": {
- "searches": [
- {
- "timeframe": null,
- "query": "tag=$PAN_THREAT_TRAFFIC ax subtype\n| tag=$PAN_TRAFFIC eval if (subtype == \"end\") {\n $(type) = \"Traffic Events\";\n}\n| tag=$PAN_THREAT eval if (subtype == \"url\") {\n $(type) = \"URL Events\";\n} else if (subtype == \"data\") {\n $(type) = \"Data Events\";\n} else if (subtype == \"file\") {\n $(type) = \"File Events\";\n} else if (subtype == \"vulnerability\") {\n $(type) = \"Vulnerability Events\";\n}\n| stats count by type\n| numbercard (count \"\")",
- "alias": "Event Counts"
- },
- {
- "timeframe": null,
- "query": "tag=$PAN_TRAFFIC ax is_saas_of_app==\"yes\"\n| stats count\n| numbercard (count \"SaaS Events\")",
- "alias": "SaaS Events",
- "searchID": 3702196221
- },
- {
- "timeframe": null,
- "query": "tag=$PAN_THREAT ax subtype==\"url\" misc | regex -e misc \"(?P\u003chostname\u003e[^/]+)/\" | stats count by hostname | table hostname count",
- "alias": "Top Hostnames",
- "searchID": 7700647801
- },
- {
- "timeframe": null,
- "query": "tag=$PAN_THREAT ax url_category_list \n| split -clean -d \",\" url_category_list | alias url_category_list url_category \n| lookup -v -s -r excluded_url_categories url_category category reason \n| stats count by url_category\n| chart count by url_category limit 16",
- "alias": "Top Web Categories",
- "color": null,
- "searchID": 81925551478
- },
- {
- "timeframe": null,
- "query": "tag=$PAN_TRAFFIC ax app!=\"incomplete\" | alias app Application | stats count by Application | chart count by Application limit 16",
- "alias": "Top Applications",
- "searchID": 83108512032
- },
- {
- "timeframe": null,
- "query": "tag=$PAN_TRAFFIC ax subtype==\"end\" app | stats count by app | sort by count asc | limit 10 | table app count",
- "alias": "Rare Applications"
- },
- {
- "timeframe": null,
- "query": "tag=$PAN_TRAFFIC ax bytes | stats sum(bytes) | eval (Megabytes = sum / (1024 * 1024)) | chart Megabytes",
- "alias": "Total Traffic"
- }
- ],
- "tiles": [
- {
- "title": "Event Counts",
- "renderer": "numberCard",
- "searchesIndex": 0,
- "span": {
- "col": 10,
- "row": 3,
- "x": 0,
- "y": 0
- },
- "rendererOptions": {
- "Range": "no",
- "Precision": "no",
- "NumberCardLabelFontSize": "",
- "NumberCardNumberFontSize": "",
- "NumberCardWidth": ""
- },
- "id": 1648235742223
- },
- {
- "title": "SaaS Events",
- "renderer": "numberCard",
- "searchesIndex": 1,
- "span": {
- "col": 2,
- "row": 3,
- "x": 10,
- "y": 0
- },
- "rendererOptions": {
- "Range": "no",
- "Precision": "no",
- "NumberCardLabelFontSize": "",
- "NumberCardNumberFontSize": "",
- "NumberCardWidth": ""
- },
- "id": 1648235861790
- },
- {
- "title": "Top Hostnames",
- "renderer": "table",
- "searchesIndex": 2,
- "span": {
- "col": 4,
- "row": 6,
- "x": 0,
- "y": 3
- },
- "rendererOptions": {
- "Range": "no",
- "Precision": "no",
- "NumberCardLabelFontSize": "",
- "NumberCardNumberFontSize": "",
- "NumberCardWidth": ""
- },
- "id": 1648241873792
- },
- {
- "title": "Top Web Categories",
- "renderer": "pieChart",
- "searchesIndex": 3,
- "span": {
- "col": 4,
- "row": 6,
- "x": 4,
- "y": 3
- },
- "rendererOptions": {
- "Range": "no",
- "Precision": "no",
- "NumberCardLabelFontSize": "",
- "NumberCardNumberFontSize": "",
- "NumberCardWidth": "",
- "IncludeOther": "yes"
- },
- "id": 1648244342156
- },
- {
- "title": "Top Applications",
- "renderer": "pieChart",
- "searchesIndex": 4,
- "span": {
- "col": 4,
- "row": 6,
- "x": 8,
- "y": 3
- },
- "rendererOptions": {
- "Range": "no",
- "Precision": "no",
- "NumberCardLabelFontSize": "",
- "NumberCardNumberFontSize": "",
- "NumberCardWidth": "",
- "IncludeOther": "yes"
- },
- "id": 1648244488931
- },
- {
- "title": "Rare Applications",
- "renderer": "table",
- "searchesIndex": 5,
- "span": {
- "col": 4,
- "row": 5,
- "x": 0,
- "y": 9
- },
- 
"rendererOptions": {
- "IncludeOther": "yes"
- },
- "id": 1648245840175
- },
- {
- "title": "Total Traffic",
- "renderer": "areaChart",
- "searchesIndex": 6,
- "span": {
- "col": 8,
- "row": 5,
- "x": 4,
- "y": 9
- },
- "rendererOptions": {
- "IncludeOther": "yes",
- "Stack": "grouped",
- "Smoothing": "normal",
- "Orientation": "v",
- "XAxisSplitLine": "no",
- "YAxisSplitLine": "no",
- "ConnectNulls": "no",
- "LogScale": "no"
- },
- "id": 1648659493013
- }
- ],
- "timeframe": {
- "timeframe": "PT1H"
- },
- "version": 2,
- "lastDataUpdate": "2022-03-25T14:41:31-07:00"
- },
- "Labels": [
- "palo"
- ]
-}
diff --git a/paloalto/dashboard/6ce64d08-9962-4e1b-9654-78c0e2ac3a09.meta b/paloalto/dashboard/6ce64d08-9962-4e1b-9654-78c0e2ac3a09.meta
index 1a89e23a..a4504f90 100644
--- a/paloalto/dashboard/6ce64d08-9962-4e1b-9654-78c0e2ac3a09.meta
+++ b/paloalto/dashboard/6ce64d08-9962-4e1b-9654-78c0e2ac3a09.meta
@@ -1,47 +1,85 @@
 {
 "UUID": "6ce64d08-9962-4e1b-9654-78c0e2ac3a09",
 "Name": "Palo Alto GlobalProtect Overview",
- "Description": "Information about clients connecting via GlobalProtect VPN",
+ "Description": "This dashboard is a general overview of your Palo Alto GlobalProtect VPN and client(s) data.",
 "Data": {
+ "timeframe": {
+ "durationString": null,
+ "timeframe": "PT1H",
+ "timezone": null,
+ "start": null,
+ "end": null
+ },
 "searches": [
 {
- "timeframe": null,
- "query": "tag=$PAN_GLOBALPROTECT ax stage==\"connected\" srcuser machinename client_os_ver | stats count by srcuser machinename client_os_ver | alias srcuser User machinename \"Client System\" client_os_ver \"Client OS\" | table User \"Client System\" \"Client OS\" count",
- "alias": "GlobalProtect Users"
+ "alias": "Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [numbercard]",
+ "color": null,
+ "reference": {
+ "id": "847bc392-e6f0-4aa3-ba1f-db7b9608c672",
+ "type": "savedQuery",
+ "extras": {
+ "defaultValue": null
+ }
+ }
 },
 {
- "timeframe": null,
- "query": "tag=$PAN_GLOBALPROTECT ax stage==\"login\" status | stats count by status | numbercard (count \"\")",
- "alias": "Login Attempts"
+ "alias": "Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [chart]",
+ "color": null,
+ "reference": {
+ "id": "d625b9af-4e63-40df-9392-62cbd04c8213",
+ "type": "savedQuery",
+ "extras": {
+ "defaultValue": null
+ }
+ }
 },
 {
- "timeframe": null,
- "query": "tag=$PAN_GLOBALPROTECT ax stage==\"login\" status==\"failure\" srcuser srcregion public_ip public_ipv6 | alias srcuser User srcregion Region public_ip \"IPv4\" public_ipv6 IPv6 | stats count as failures by User Region IPv4 IPv6| table User Region IPv4 IPv6 failures",
- "alias": "Failed Logins"
+ "alias": "Search - Palo Alto - NGFW - GlobalProtect - Authentication - Failed Logins [table]",
+ "color": null,
+ "reference": {
+ "id": "029d59e0-bf7b-4fb0-a783-df0a644ca5b9",
+ "type": "savedQuery",
+ 
"extras": {
+ "defaultValue": null
+ }
+ }
 },
 {
- "timeframe": null,
- "query": "tag=$PAN_GLOBALPROTECT ax stage==\"login\" status | stats count by status | chart count by status",
- "alias": "Login Events"
+ "alias": "Search - Palo Alto - NGFW - GlobalProtect - Diagnostics - Average Latency [chart]",
+ "color": null,
+ "reference": {
+ "id": "a787167f-da7d-4c92-b2fd-09698f21e49b",
+ "type": "savedQuery",
+ "extras": {
+ "defaultValue": null
+ }
+ }
 },
 {
- "timeframe": null,
- "query": "tag=$PAN_GLOBALPROTECT ax eventid==\"gateway-tunnel-latency\" description | regex -e description \"Pre-tunnel latency: (?P\u003cpre\u003e[^,]+), Post-tunnel latency: (?P\u003cpost\u003e[^,]+)\"\n/* We use toDuration to go from a string to a Duration */\n| eval pre = duration(pre);\n post = duration(post);\n| stats mean(pre) as pre mean(post) as post\n/* At this point, pre and post are in nanoseconds. Let's convert them to milliseconds */\n| eval $(Pre-tunnel Latency) = pre / 1000000; $(Post-tunnel Latency) = post / 1000000;\n| chart \"Pre-tunnel Latency\" \"Post-tunnel Latency\" ",
- "alias": "Average Latency",
- "color": null
+ "alias": "Search - Palo Alto - NGFW - GlobalProtect - Session - GlobalProtect Users [table]",
+ "color": null,
+ "reference": {
+ "id": "45a0354b-4971-4917-a273-a16dd78b5ee3",
+ "type": "savedQuery",
+ "extras": {
+ "defaultValue": null
+ }
+ }
 }
 ],
 "tiles": [
 {
+ "id": 1648584113923,
 "title": "GlobalProtect Users",
 "renderer": "table",
- "searchesIndex": 0,
+ "hideZoom": true,
 "span": {
 "col": 8,
 "row": 7,
 "x": 4,
 "y": 0
 },
+ "searchesIndex": 4,
 "rendererOptions": {
 "IncludeOther": "yes",
 "Stack": "grouped",
@@ -51,19 +89,20 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648584113923 + } }, { + "id": 1648584574137, "title": "Login Attempts", "renderer": "numberCard", - "searchesIndex": 1, + "hideZoom": true, "span": { "col": 4, "row": 3, "x": 0, "y": 0 }, + "searchesIndex": 0, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", @@ -73,19 +112,20 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648584574137 + } }, { + "id": 1648584815238, "title": "Failed Logins", "renderer": "table", - "searchesIndex": 2, + "hideZoom": true, "span": { "col": 8, "row": 7, "x": 4, "y": 7 }, + "searchesIndex": 2, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", @@ -95,21 +135,22 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648584815238 + } }, { + "id": 1648584817463, "title": "Login Events", "renderer": "lineChart", - "searchesIndex": 3, + "hideZoom": true, "span": { "col": 4, "row": 6, "x": 0, "y": 3 }, + "searchesIndex": 1, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", @@ -117,29 +158,32 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648584817463 + } }, { + "id": 1648585687063, "title": "Average Latency", "renderer": "categoryBarChart", - "searchesIndex": 4, + "hideZoom": true, "span": { "col": 4, "row": 5, "x": 0, "y": 9 }, - "rendererOptions": {}, - "id": 1648585687063 + "searchesIndex": 3, + "rendererOptions": { + "Orientation": "v", + "IncludeOther": "no", + "SortCategoricalAxisBy": "value" + } } ], - "timeframe": { - "timeframe": "PT1H" - }, + "linkZooming": false, + "grid": {}, "version": 2 }, "Labels": [ "palo" ] -} +} \ No newline at end of file diff --git a/paloalto/dashboard/76cb01f8-2601-4d41-a418-4f3ab0666507.meta b/paloalto/dashboard/76cb01f8-2601-4d41-a418-4f3ab0666507.meta new file mode 100644 index 00000000..833779aa 
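Review bot: The tiles now bind to the reordered searches array purely by position (GlobalProtect Users → `"searchesIndex": 4`, Login Attempts → 0, Login Events → 1, Average Latency → 3) while the searches are listed sorted by alias, so inserting one more saved query into that list will silently rebind every tile after it. Ordering the searches array to match the tile order (or keeping 0..4 aligned with the tiles) would make the mapping checkable by eye. The dashboard also no longer carries any query text; it is only valid when the five referenced savedQuery UUIDs ship alongside it, which is worth stating in the description, e.g. `"Description": "This dashboard is a general overview of your Palo Alto GlobalProtect VPN and client(s) data. Requires the bundled 'Search - Palo Alto - NGFW - GlobalProtect - *' saved queries."`.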
--- /dev/null +++ b/paloalto/dashboard/76cb01f8-2601-4d41-a418-4f3ab0666507.meta 
@@ -0,0 +1,244 @@ +{ + "UUID": "76cb01f8-2601-4d41-a418-4f3ab0666507", + "Name": "Palo Alto User Behavior Overview", + "Description": "This dashboard is a general overview of User Behavior in your Palo Alto data.", + "Data": { + "timeframe": { + "durationString": null, + "timeframe": "PT1H", + "timezone": null, + "start": null, + "end": null + }, + "searches": [ + { + "alias": "Search - Palo Alto - NGFW - Threat/Traffic - Event Type - Count by Type [numbercard]", + "color": null, + "reference": { + "id": "9a538ea3-3656-4d12-a252-9b4c88487299", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS Application - SaaS Event Count [numbercard]", + "color": null, + "reference": { + "id": "2332615f-d68f-4635-98e2-f931ae86713c", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Threat - URL - Count by Top Hostnames [table]", + "color": null, + "reference": { + "id": "f04b1ebf-96d1-4220-97da-291ab125f4d4", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Threat - URL - Top Web Categories [chart]", + "color": null, + "reference": { + "id": "3afdb278-a9cb-4d28-afa9-1e06707ddb46", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Traffic - Application - Top Applications [chart]", + "color": null, + "reference": { + "id": "0102c2d0-b817-413f-affc-92d00b4fd452", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Traffic - Application - Rare Applications [table]", + "color": null, + "reference": { + "id": "ed30530c-b91b-4e37-aa5a-c9c3c889832c", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Traffic - Bytes - Total Traffic Volume [chart]", + "color": null, + 
"reference": { + "id": "741a45c8-9248-4922-97c2-a6b9b525e6d4", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + } + ], + "tiles": [ + { + "id": 4400190854031138, + "title": "Event Counts", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 10, + "row": 3, + "x": 0, + "y": 0 + }, + "searchesIndex": 0, + "rendererOptions": { + "Range": "no", + "Precision": "no", + "NumberCardLabelFontSize": "", + "NumberCardNumberFontSize": "", + "NumberCardWidth": "" + } + }, + { + "id": 65123309348160, + "title": "SaaS Events", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 2, + "row": 3, + "x": 10, + "y": 0 + }, + "searchesIndex": 1, + "rendererOptions": { + "Range": "no", + "Precision": "no", + "NumberCardLabelFontSize": "", + "NumberCardNumberFontSize": "", + "NumberCardWidth": "" + } + }, + { + "id": 8992512063647162, + "title": "Top Hostnames", + "renderer": "table", + "hideZoom": true, + "span": { + "col": 4, + "row": 6, + "x": 0, + "y": 3 + }, + "searchesIndex": 2, + "rendererOptions": { + "Range": "no", + "Precision": "no", + "NumberCardLabelFontSize": "", + "NumberCardNumberFontSize": "", + "NumberCardWidth": "" + } + }, + { + "id": 845946310381022, + "title": "Top Web Categories", + "renderer": "pieChart", + "hideZoom": true, + "span": { + "col": 4, + "row": 6, + "x": 4, + "y": 3 + }, + "searchesIndex": 3, + "rendererOptions": { + "Range": "no", + "Precision": "no", + "NumberCardLabelFontSize": "", + "NumberCardNumberFontSize": "", + "NumberCardWidth": "", + "IncludeOther": "no", + "SortCategoricalAxisBy": "value" + } + }, + { + "id": 8098291890601413, + "title": "Top Applications", + "renderer": "pieChart", + "hideZoom": true, + "span": { + "col": 4, + "row": 6, + "x": 8, + "y": 3 + }, + "searchesIndex": 4, + "rendererOptions": { + "Range": "no", + "Precision": "no", + "NumberCardLabelFontSize": "", + "NumberCardNumberFontSize": "", + "NumberCardWidth": "", + "IncludeOther": "no", + "SortCategoricalAxisBy": 
"value" + } + }, + { + "id": 4735757191112704, + "title": "Rare Applications", + "renderer": "table", + "hideZoom": true, + "span": { + "col": 4, + "row": 5, + "x": 0, + "y": 9 + }, + "searchesIndex": 5, + "rendererOptions": { + "IncludeOther": "yes" + } + }, + { + "id": 73970738049940, + "title": "Total Traffic", + "renderer": "areaChart", + "hideZoom": true, + "span": { + "col": 8, + "row": 5, + "x": 4, + "y": 9 + }, + "searchesIndex": 6, + "rendererOptions": { + "IncludeOther": "no", + "Stack": "grouped", + "Smoothing": "normal", + "Orientation": "v", + "XAxisSplitLine": "no", + "YAxisSplitLine": "no", + "ConnectNulls": "no", + "LogScale": "no" + } + } + ], + "linkZooming": false, + "grid": {}, + "version": 2 + }, + "Labels": [ + "palo" + ] +} \ No newline at end of file diff --git a/paloalto/dashboard/76e14b04-ed9b-4303-997b-5dd0183d1b1f.meta b/paloalto/dashboard/76e14b04-ed9b-4303-997b-5dd0183d1b1f.meta index 3bca2f3a..47d5fd19 100644 --- a/paloalto/dashboard/76e14b04-ed9b-4303-997b-5dd0183d1b1f.meta +++ b/paloalto/dashboard/76e14b04-ed9b-4303-997b-5dd0183d1b1f.meta 
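Review bot: The "Top Hostnames" tile is rendered as a `table` but carries numberCard-only renderer settings (`"Range"`, `"Precision"`, `"NumberCardLabelFontSize"`, `"NumberCardNumberFontSize"`, `"NumberCardWidth"`) that look copied from the two numberCard tiles above it, and "Rare Applications" (also a table) carries `"IncludeOther": "yes"`. They are presumably ignored by the table renderer, but they make the file harder to audit for the options that actually matter. The other table tiles in this commit use `"rendererOptions": {}`; the same would be cleaner here.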
@@ -1,46 +1,85 @@ { "UUID": "76e14b04-ed9b-4303-997b-5dd0183d1b1f", "Name": "Palo Alto Config Overview", - "Description": "Config logs from Palo Alto devices", + "Description": "This dashboard is a general overview of your Palo Alto Device Configuration data.", "Data": { + "timeframe": { + "durationString": null, + "timeframe": "PT1H", + "timezone": null, + "start": null, + "end": null + }, "searches": [ { - "timeframe": null, - "query": "tag=$PAN_CONFIG ax admin serial host client cmd result | alias admin User serial Serial host Host client Client cmd Command result Result | table User Serial Host Client Command Result", - "alias": "Latest Events" + "alias": "Search - Palo Alto - NGFW - Config - Events - Latest Events [table]", + "color": null, + "reference": { + "id": "52cd3303-4013-47e5-bc75-fa8f999222aa", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_CONFIG ax cmd | stats count by cmd | chart count by cmd", - "alias": "Config Events" + "alias": "Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]", + "color": null, + "reference": { + "id": "8b60b817-ad70-4c99-95ec-c82c43e61d64", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_CONFIG ax admin | stats count by admin | chart count by admin", - "alias": "Configuration Administrators" + "alias": "Search - Palo Alto - NGFW - Config - Events - Count by Command [chart]", + "color": null, + "reference": { + "id": "32e6de72-2601-41be-b6ed-dc4acb4e834e", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_CONFIG ax client | stats count by client | chart count by client", - "alias": "Clients Used" + "alias": "Search - Palo Alto - NGFW - Config - Events - Count by Results [chart]", + "color": null, + "reference": { + "id": "17da5912-7283-4c8a-97a1-fb532c072fe8", + "type": "savedQuery", + "extras": { 
+ "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_CONFIG ax result | stats count by result | chart count by result", - "alias": "Results" + "alias": "Search - Palo Alto - NGFW - Config - Events - Count by Client [chart]", + "color": null, + "reference": { + "id": "1ef98531-447b-4dc0-8df2-3ad2e4815902", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } } ], "tiles": [ { + "id": 1648586624514, "title": "Latest Events", "renderer": "table", - "searchesIndex": 0, + "hideZoom": true, "span": { "col": 18, "row": 5, "x": 0, "y": 0 }, + "searchesIndex": 0, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", 
@@ -50,101 +89,107 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648586624514 + } }, { + "id": 1648586754472, "title": "Config Events", "renderer": "categoryBarChart", - "searchesIndex": 1, + "hideZoom": true, "span": { "col": 9, "row": 6, "x": 9, "y": 5 }, + "searchesIndex": 2, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648586754472 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648586798062, "title": "Configuration Administrators", "renderer": "categoryBarChart", - "searchesIndex": 2, + "hideZoom": true, "span": { "col": 9, "row": 6, "x": 0, "y": 5 }, + "searchesIndex": 1, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648586798062 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648587008113, "title": "Clients Used", "renderer": "pieChart", - "searchesIndex": 3, + "hideZoom": true, "span": { "col": 9, "row": 6, "x": 9, "y": 11 }, + "searchesIndex": 4, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648587008113 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648587070381, "title": "Results", "renderer": "pieChart", - "searchesIndex": 4, + "hideZoom": true, "span": { "col": 9, "row": 6, "x": 0, "y": 11 }, + "searchesIndex": 3, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", 
"YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648587070381 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } } ], - "timeframe": { - "timeframe": "PT1H" - }, + "linkZooming": false, + "grid": {}, "version": 2 }, "Labels": [ diff --git a/paloalto/dashboard/7d826f9f-73b8-4047-9dfe-2f0163c9ccee.meta b/paloalto/dashboard/7d826f9f-73b8-4047-9dfe-2f0163c9ccee.meta index 1ea59b7b..baee0a0f 100644 --- a/paloalto/dashboard/7d826f9f-73b8-4047-9dfe-2f0163c9ccee.meta +++ b/paloalto/dashboard/7d826f9f-73b8-4047-9dfe-2f0163c9ccee.meta 
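Review bot: The "Results" and "Configuration Administrators" charts flip to `"IncludeOther": "no"`; on a config-audit dashboard the low-volume values (an occasional failed commit, an admin account that rarely changes configuration) are exactly what an analyst wants surfaced. If IncludeOther controls whether values beyond the chart's top-N are collapsed into an "Other" bucket rather than dropped, turning it off hides those values without any indication on the tile. Consider keeping `"IncludeOther": "yes"` on the Results and Configuration Administrators tiles, or documenting in the description why truncation is acceptable there.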
@@ -1,66 +1,129 @@ { "UUID": "7d826f9f-73b8-4047-9dfe-2f0163c9ccee", "Name": "Palo Alto Threat Overview", - "Description": "Threat log analysis", + "Description": "This Dashboard is a general overview of your Palo Alto Threat data.", "Data": { + "timeframe": { + "durationString": null, + "timeframe": "PT1H", + "timezone": null, + "start": null, + "end": null + }, "searches": [ { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype | stats count by subtype | numbercard (count \"\")", - "alias": "Threat Log Types" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Count by Subtype [numbercard]", + "color": null, + "reference": { + "id": "2e2a52c3-01c9-411e-9254-e205ac7b13fa", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype threatid | stats count by threatid | awk -e threatid \"{gsub(/\\(9999\\)/, 'URL Filtering(9999)'); print}\" | alias threatid \"Threat ID\" | table \"Threat ID\" count", - "alias": "Most Frequent Threat IDs" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Most Frequent Threat IDs [table]", + "color": null, + "reference": { + "id": "5a11f630-f7f2-4c98-9500-688928974ac3", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype srcloc | stats count by srcloc | chart count by srcloc", - "alias": "Threat Source Locations" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Count by Threat Source Location [chart]", + "color": null, + "reference": { + "id": "80ade539-a898-480c-b9da-c284f3da09dc", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype dstloc | stats count by dstloc | chart count by dstloc", - "alias": "Threat Destination Locations" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Count by Threat Destination Location [chart]", + "color": null, + "reference": { + 
"id": "8fbf3919-9199-41a0-b72e-07a4aed91ab7", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"scan\" src threatid | stats count by src threatid | alias src Source threatid \"Threat ID\" | table Source \"Threat ID\" count", - "alias": "Scans Detected" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Scans Detected [table]", + "color": null, + "reference": { + "id": "2d5b39c9-8589-442f-b1dd-715ee4c6c677", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"scan\" srcloc | stats count by srcloc | chart count by srcloc", - "alias": "Scan Source Locations" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Count by Scan Source Location [chart]", + "color": null, + "reference": { + "id": "1812fddf-4109-4d57-b274-1da9981b426f", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"scan\" threatid | stats count by threatid | chart count by threatid", - "alias": "Scan Types" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Count by Scan Types [chart]", + "color": null, + "reference": { + "id": "fd4e2509-d685-49d4-b9c8-cdb8d1c0d153", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype!=url src | geoip src.Location | heatmap", - "alias": "Threat Source Locations" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Threat Source Locations [heatmap]", + "color": null, + "reference": { + "id": "3fd985ab-3814-433a-920c-42586088ca44", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==scan src | geoip src.Location | heatmap", - "alias": "Scan Source Locations" + "alias": "Search - Palo Alto - NGFW - Threat - Events - Scan Source 
Locations [heatmap]", + "color": null, + "reference": { + "id": "4890dfae-9bc6-4428-8f02-c32b98a7ddab", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } } ], "tiles": [ { + "id": 1648501709057, "title": "Threat Log Types", "renderer": "numberCard", - "searchesIndex": 0, + "hideZoom": true, "span": { "col": 12, "row": 3, "x": 0, "y": 0 }, + "searchesIndex": 0, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", @@ -75,19 +138,20 @@ "NumberCardLabelFontSize": "", "NumberCardNumberFontSize": "", "NumberCardWidth": "" - }, - "id": 1648501709057 + } }, { + "id": 1648578324809, "title": "Most Frequent Threat IDs", "renderer": "table", - "searchesIndex": 1, + "hideZoom": true, "span": { "col": 4, "row": 5, "x": 0, "y": 3 }, + "searchesIndex": 1, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", 
@@ -97,63 +161,68 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648578324809 + } }, { + "id": 1648578467521, "title": "Threat Source Locations", "renderer": "pieChart", - "searchesIndex": 2, + "hideZoom": true, "span": { "col": 4, "row": 5, "x": 4, "y": 3 }, + "searchesIndex": 2, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648578467521 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648578469419, "title": "Threat Destination Locations", "renderer": "pieChart", - "searchesIndex": 3, + "hideZoom": true, "span": { "col": 4, "row": 5, "x": 8, "y": 3 }, + "searchesIndex": 3, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648578469419 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648580013483, "title": "Scans Detected", "renderer": "table", - "searchesIndex": 4, + "hideZoom": true, "span": { "col": 4, "row": 6, "x": 0, "y": 8 }, + "searchesIndex": 4, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", 
@@ -163,83 +232,87 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648580013483 + } }, { + "id": 1648580063888, "title": "Scan Source Locations", "renderer": "pieChart", - "searchesIndex": 5, + "hideZoom": true, "span": { "col": 4, "row": 6, "x": 4, "y": 8 }, + "searchesIndex": 5, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648580063888 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648580097100, "title": "Scan Types", "renderer": "pieChart", - "searchesIndex": 6, + "hideZoom": true, "span": { "col": 4, "row": 6, "x": 8, "y": 8 }, + "searchesIndex": 6, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648580097100 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648660210231, "title": "Threat Source Locations", "renderer": "heatmap", - "searchesIndex": 7, + "hideZoom": true, "span": { "col": 12, "row": 8, "x": 0, "y": 14 }, - "rendererOptions": {}, - "id": 1648660210231 + "searchesIndex": 7, + "rendererOptions": {} }, { + "id": 1648660274490, "title": "Scan Source Locations", "renderer": "heatmap", - "searchesIndex": 8, + "hideZoom": true, "span": { "col": 12, "row": 9, "x": 0, "y": 22 }, - "rendererOptions": {}, - "id": 1648660274490 + "searchesIndex": 8, + "rendererOptions": {} } ], - "timeframe": { - "timeframe": "PT1H" - }, + "linkZooming": false, + "grid": {}, "version": 2 }, "Labels": [ diff --git a/paloalto/dashboard/7fdbf49e-82e9-4b60-b69c-2ec32703c6a7.meta b/paloalto/dashboard/7fdbf49e-82e9-4b60-b69c-2ec32703c6a7.meta index 4707ed6e..ac2b43c8 100644 
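Review bot: Two tiles keep the title "Threat Source Locations" (the pieChart at y=3 and the heatmap at y=14) and two keep "Scan Source Locations" (pieChart at y=8, heatmap at y=22), so the rendered dashboard shows duplicate headings even though the search aliases were disambiguated with `[chart]` / `[heatmap]`. Suggest `"title": "Threat Source Locations (map)"` and `"title": "Scan Source Locations (map)"` on the two heatmap tiles. The removed inline heatmap query also excluded URL-filtering events with `subtype!=url`; that filter now lives in savedQuery 3fd985ab and is not visible here, so it is worth confirming it survived, since URL verdict volume would otherwise dominate the map.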
--- a/paloalto/dashboard/7fdbf49e-82e9-4b60-b69c-2ec32703c6a7.meta +++ b/paloalto/dashboard/7fdbf49e-82e9-4b60-b69c-2ec32703c6a7.meta 
@@ -1,69 +1,129 @@ { "UUID": "7fdbf49e-82e9-4b60-b69c-2ec32703c6a7", "Name": "Palo Alto SaaS Overview", - "Description": "", + "Description": "This dashboard is a general overview into your Palo Alto SaaS data.", "Data": { "timeframe": { - "timeframe": "PT1H" + "durationString": null, + "timeframe": "PT1H", + "timezone": null, + "start": null, + "end": null }, "searches": [ { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax subtype==\"end\" is_saas_of_app==\"yes\" bytes | stats sum(bytes) | numbercard (sum \"SaaS bytes transferred\")", - "alias": "SaaS Bytes Transferred" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Total Bytes Transferred [numbercard]", + "color": null, + "reference": { + "id": "9b25ad03-4189-445f-b27c-48ec3af4b0e7", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax subtype==\"end\" is_saas_of_app==\"yes\" app | stats count by app | chart count by app", - "alias": "SaaS Application Usage" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Action [chart]", + "color": null, + "reference": { + "id": "ce08d927-0617-41e5-9b44-22f8568c5ff0", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax is_saas_of_app==\"yes\" action | stats count by action | chart count by action", - "alias": "SaaS Actions" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Application [chart]", + "color": null, + "reference": { + "id": "fe4898de-8dd2-46dc-a3bc-3263bdaae33a", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app==\"yes\"\n| alias app App category_of_app Category subcategory_of_app Subcategory \n| stats sum(bytes) count as Sessions by App Category Subcategory \n| eval Volume = sum; \n| sort by sum desc\n| table App Category Subcategory 
Sessions \"Volume\"", - "alias": "SaaS Application Distribution" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Application Distribution [table]", + "color": null, + "reference": { + "id": "47076a81-7c11-474f-86a1-4d1c3d53a8d8", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app==\"yes\" sanctioned_state_of_app==\"yes\"\n| alias app App category_of_app Category subcategory_of_app Subcategory \n| stats sum(bytes) count as Sessions by App Category Subcategory \n| eval Volume = sum; \n| sort by sum desc\n| table App Category Subcategory Sessions Volume", - "alias": "Sanctioned SaaS Applications" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Applications [table]", + "color": null, + "reference": { + "id": "bc005eda-32cf-4a11-accf-6684a2fb9af2", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app==\"yes\" sanctioned_state_of_app==\"no\"\n| alias app App category_of_app Category subcategory_of_app Subcategory \n| stats sum(bytes) count as Sessions by App Category Subcategory \n| eval Volume = sum; \n| sort by sum desc\n| table App Category Subcategory Sessions Volume", - "alias": "Unsanctioned SaaS Applications" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Unsanctioned Applications [table]", + "color": null, + "reference": { + "id": "308a0350-9e34-4e97-91e2-16d27ff0a350", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax sanctioned_state_of_app\n| eval if (sanctioned_state_of_app == \"yes\") { state = \"Sanctioned\"; } else { state = \"Non-sanctioned\"; }\n| stats count by state\n| chart count by state", - "alias": "Sanctioned Application Percentages" + "alias": "Search - Palo Alto - 
NGFW - Traffic - SaaS - Sanctioned Application Percentages [chart]", + "color": null, + "reference": { + "id": "3233c046-6e37-4318-8b78-b5a4cb25f12a", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax sanctioned_state_of_app==\"yes\" is_saas_of_app==\"yes\" subcategory_of_app\n| stats count by subcategory_of_app\n| chart count by subcategory_of_app limit 6", - "alias": "Top Categories - Sanctioned" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Sanctioned Category [chart]", + "color": null, + "reference": { + "id": "2a0213fe-5013-4649-a859-4e1ed8299c99", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_TRAFFIC ax sanctioned_state_of_app==\"no\" is_saas_of_app==\"yes\" subcategory_of_app\n| stats count by subcategory_of_app\n| chart count by subcategory_of_app limit 6", - "alias": "Top Categories - Unsanctioned" + "alias": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Unsanctioned Category [chart]", + "color": null, + "reference": { + "id": "e442e808-5c6e-4509-a66b-cb744a26aff6", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } } ], "tiles": [ { + "id": 1648247098122, "title": "SaaS Bytes Transferred", "renderer": "numberCard", - "searchesIndex": 0, + "hideZoom": true, "span": { "col": 6, "row": 3, "x": 0, "y": 0 }, + "searchesIndex": 0, "rendererOptions": { "Range": "no", "Precision": "no", 
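Review bot: The removed inline "SaaS Bytes Transferred" query restricted itself to `subtype=="end"` so that per-session byte counts were summed once rather than for every start/end record of the same session; the replacement is an opaque reference to savedQuery 9b25ad03, and nothing in this file shows whether that filter was kept. The same applies to "Sanctioned Application Percentages", whose removed query counted all traffic regardless of `is_saas_of_app` — an intentional choice or a bug, but one that is now decided elsewhere. A short note in the description, or in the saved query names, recording that the volume figures are computed from session-end records would let a reviewer check the kit without opening each saved query.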
@@ -71,26 +131,27 @@ "NumberCardNumberFontSize": "", "NumberCardWidth": "", "IncludeOther": "yes" - }, - "id": 1648247098122 + } }, { + "id": 1648247288987, "title": "SaaS Application Usage", "renderer": "areaChart", - "searchesIndex": 1, + "hideZoom": true, "span": { "col": 16, "row": 5, "x": 6, "y": 0 }, + "searchesIndex": 2, "rendererOptions": { "Range": "no", "Precision": "no", "NumberCardLabelFontSize": "", "NumberCardNumberFontSize": "", "NumberCardWidth": "", - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", 
@@ -98,124 +159,138 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648247288987 + } }, { + "id": 1648247796635, "title": "SaaS Actions", "renderer": "categoryBarChart", - "searchesIndex": 2, + "hideZoom": true, "span": { "col": 6, "row": 7, "x": 0, "y": 3 }, + "searchesIndex": 1, "rendererOptions": { "Range": "no", "Precision": "no", "NumberCardLabelFontSize": "", "NumberCardNumberFontSize": "", "NumberCardWidth": "", - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648247796635 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648489778201, "title": "SaaS Application Distribution", "renderer": "table", - "searchesIndex": 3, + "hideZoom": true, "span": { "col": 16, "row": 5, "x": 6, "y": 5 }, - "rendererOptions": {}, - "id": 1648489778201 + "searchesIndex": 3, + "rendererOptions": {} }, { + "id": 1648493051305, "title": "Sanctioned SaaS Applications", "renderer": "table", - "searchesIndex": 4, + "hideZoom": true, "span": { "col": 10, "row": 4, "x": 0, "y": 10 }, - "rendererOptions": {}, - "id": 1648493051305 + "searchesIndex": 4, + "rendererOptions": {} }, { + "id": 1648493054508, "title": "Unsanctioned SaaS Applications", "renderer": "table", - "searchesIndex": 5, + "hideZoom": true, "span": { "col": 12, "row": 4, "x": 10, "y": 10 }, - "rendererOptions": {}, - "id": 1648493054508 + "searchesIndex": 5, + "rendererOptions": {} }, { + "id": 1648493416132, "title": "Sanctioned Application Percentages", "renderer": "pieChart", - "searchesIndex": 6, + "hideZoom": true, "span": { "col": 7, "row": 5, "x": 0, "y": 14 }, + "searchesIndex": 6, "rendererOptions": { - "IncludeOther": "yes" - }, - "id": 1648493416132 + "IncludeOther": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648494628461, "title": "Top Categories - Sanctioned", "renderer": 
"categoryBarChart", - "searchesIndex": 7, + "hideZoom": true, "span": { "col": 7, "row": 5, "x": 7, "y": 14 }, + "searchesIndex": 7, "rendererOptions": { - "IncludeOther": "yes" - }, - "id": 1648494628461 + "IncludeOther": "no", + "Orientation": "v", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648494631338, "title": "Top Categories - Unsanctioned", "renderer": "categoryBarChart", - "searchesIndex": 8, + "hideZoom": true, "span": { "col": 8, "row": 5, "x": 14, "y": 14 }, + "searchesIndex": 8, "rendererOptions": { - "IncludeOther": "yes" - }, - "id": 1648494631338 + "IncludeOther": "no", + "Orientation": "v", + "SortCategoricalAxisBy": "value" + } } ], + "linkZooming": false, + "grid": {}, "version": 2 }, "Labels": [ "palo" ] -} +} \ No newline at end of file diff --git a/paloalto/dashboard/c30772c4-22a9-4495-8fbf-f62a69bc9640.meta b/paloalto/dashboard/c30772c4-22a9-4495-8fbf-f62a69bc9640.meta index 04eae50e..4ed5cdb8 100644 --- a/paloalto/dashboard/c30772c4-22a9-4495-8fbf-f62a69bc9640.meta +++ b/paloalto/dashboard/c30772c4-22a9-4495-8fbf-f62a69bc9640.meta 
@@ -1,61 +1,90 @@ { "UUID": "c30772c4-22a9-4495-8fbf-f62a69bc9640", "Name": "Palo Alto Wildfire Overview", - "Description": "Overview of Wildfire analysis submissions \u0026 verdicts.", + "Description": "This dashboard is a general overview of your Palo Alto Wildfire analysis submissions \u0026 verdicts.", "Data": { + "timeframe": { + "durationString": null, + "timeframe": "PT1H", + "timezone": null, + "start": null, + "end": null + }, "searches": [ { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"wildfire\" category | stats count by category | numbercard (count \"\")", - "alias": "Wildfire Verdicts" - }, - { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"wildfire\" category | stats count by category | chart count by category", - "alias": "Wildfire Verdicts Over Time" + "alias": "Copy of Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]", + "color": null, + "reference": { + "id": "dfec2b9b-5466-4ec5-9ce6-5a23b42488f7", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"wildfire\" app | stats count by app | chart count by app", - "alias": "Top Applications" + "alias": "Search - Palo Alto - NGFW - Threat - WildFire - Count by Application [chart]", + "color": null, + "reference": { + "id": "38108c90-9965-4eaa-8c00-13baef49fcb5", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"wildfire\" filetype | stats count by filetype | chart count by filetype", - "alias": "Top File Types" + "alias": "Search - Palo Alto - NGFW - Threat - WildFire - Count by File Type [chart]", + "color": null, + "reference": { + "id": "eb5f3a03-f3fc-479e-a4fb-babff92baf97", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } }, { - "timeframe": null, - "query": "tag=$PAN_THREAT ax subtype==\"wildfire\" category!=\"benign\" | alias misc filename | 
table category rule app src dst filename filetype filedigest", - "alias": "Recent Wildfire Submissions" + "alias": "Search - Palo Alto - NGFW - Threat - WildFire - Recent Wildfire Submissions [table]", + "color": null, + "reference": { + "id": "9ed28079-5408-43b7-8d44-c1b9c9dfbfed", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } } ], "tiles": [ { + "id": 1648497094768, "title": "Wildfire Verdicts", "renderer": "numberCard", - "searchesIndex": 0, + "hideZoom": true, "span": { "col": 12, "row": 3, "x": 0, "y": 0 }, + "searchesIndex": 0, "rendererOptions": { "IncludeOther": "yes" - }, - "id": 1648497094768 + } }, { + "id": 1648498280976, "title": "Wildfire Verdicts Over Time", "renderer": "lineChart", - "searchesIndex": 1, + "hideZoom": true, "span": { "col": 12, "row": 6, "x": 0, "y": 3 }, + "searchesIndex": 0, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", @@ -65,41 +94,44 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648498280976 + } }, { + "id": 1648498460927, "title": "Top Applications", "renderer": "pieChart", - "searchesIndex": 2, + "hideZoom": true, "span": { "col": 6, "row": 6, "x": 0, "y": 9 }, + "searchesIndex": 1, "rendererOptions": { - "IncludeOther": "yes", + "IncludeOther": "no", "Stack": "grouped", "Smoothing": "normal", "Orientation": "v", "XAxisSplitLine": "no", "YAxisSplitLine": "no", "ConnectNulls": "no", - "LogScale": "no" - }, - "id": 1648498460927 + "LogScale": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 1648498463825, "title": "Top File Types", "renderer": "pieChart", - "searchesIndex": 3, + "hideZoom": true, "span": { "col": 6, "row": 6, "x": 6, "y": 9 }, + "searchesIndex": 2, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", 
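Review bot: The "Wildfire Verdicts Over Time" `lineChart` tile is now bound to `"searchesIndex": 0`, which is the numbercard saved query, and the removed `chart count by category` search has no replacement in the searches array, so that tile will not render a time series. The single remaining category reference is also aliased "Copy of Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]", which reads like an ad-hoc duplicate rather than the kit's canonical saved query. Suggest adding a `[chart]` entry for Count by Category, pointing the lineChart at it, and replacing the "Copy of" reference with the canonical `"alias": "Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]"`. "Top Applications" switches to `"IncludeOther": "no"` while "Top File Types" stays `"yes"`; aligning the two would avoid the inconsistency.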
@@ -109,19 +141,20 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648498463825 + } }, { + "id": 1648498739363, "title": "Recent Wildfire Submissions", "renderer": "table", - "searchesIndex": 4, + "hideZoom": true, "span": { "col": 12, "row": 9, "x": 0, "y": 15 }, + "searchesIndex": 3, "rendererOptions": { "IncludeOther": "yes", "Stack": "grouped", @@ -131,13 +164,11 @@ "YAxisSplitLine": "no", "ConnectNulls": "no", "LogScale": "no" - }, - "id": 1648498739363 + } } ], - "timeframe": { - "timeframe": "PT1H" - }, + "linkZooming": false, + "grid": {}, "version": 2 }, "Labels": [ diff --git a/paloalto/dashboard/f91107ca-9fb8-4315-b0c8-f98173fb54d3.meta b/paloalto/dashboard/f91107ca-9fb8-4315-b0c8-f98173fb54d3.meta new file mode 100644 index 00000000..73359d48 --- /dev/null +++ b/paloalto/dashboard/f91107ca-9fb8-4315-b0c8-f98173fb54d3.meta 
@@ -0,0 +1,200 @@ +{ + "UUID": "f91107ca-9fb8-4315-b0c8-f98173fb54d3", + "Name": "Palo Alto General Overview", + "Description": "This Dashboard is a general overview of your Palo Alto data.", + "Data": { + "timeframe": { + "durationString": null, + "timeframe": "P30DT", + "timezone": null, + "start": null, + "end": null + }, + "searches": [ + { + "alias": "Search - Palo Alto - NGFW - Event Types - Count by Tag [numbercard]", + "color": null, + "reference": { + "id": "80c5d3bb-81fb-475a-b922-f5387e023102", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Event Types - Count by Tag [chart]", + "color": null, + "reference": { + "id": "165321ca-629d-4560-afbb-2ac6cc3ecc56", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Threat - Events - Count by Subtype [numbercard]", + "color": null, + "reference": { + "id": "2e2a52c3-01c9-411e-9254-e205ac7b13fa", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Traffic - Events - Count by Subtype [numbercard]", + "color": null, + "reference": { + "id": "03e0c1e3-b239-433a-855d-cca56e0867f9", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - Config - Events - Count by Command [numbercard]", + "color": null, + "reference": { + "id": "73263790-9a8a-43e1-b231-be2b784de192", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + }, + { + "alias": "Search - Palo Alto - NGFW - GlobalProtect - Events - Count by Subtype [numbercard]", + "color": null, + "reference": { + "id": "4898082c-5181-43a9-86f9-00b86bead404", + "type": "savedQuery", + "extras": { + "defaultValue": null + } + } + } + ], + "tiles": [ + { + "id": 17738380834010, + "title": "Event Count by Tag [numbercard]", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 12, + 
"row": 6, + "x": 0, + "y": 0 + }, + "searchesIndex": 0, + "rendererOptions": {} + }, + { + "id": 17738381146451, + "title": "Event Count by Tag [pie chart]", + "renderer": "pieChart", + "hideZoom": true, + "span": { + "col": 6, + "row": 9, + "x": 0, + "y": 6 + }, + "searchesIndex": 1, + "rendererOptions": { + "IncludeOther": "no", + "SortCategoricalAxisBy": "value" + } + }, + { + "id": 17738381545232, + "title": "Event Count by Tag [line chart]", + "renderer": "lineChart", + "hideZoom": true, + "span": { + "col": 6, + "row": 9, + "x": 6, + "y": 6 + }, + "searchesIndex": 1, + "rendererOptions": { + "Stack": "grouped", + "Smoothing": "normal", + "Orientation": "v", + "XAxisSplitLine": "no", + "YAxisSplitLine": "no", + "IncludeOther": "no", + "ConnectNulls": "no", + "LogScale": "no" + } + }, + { + "id": 17738382757923, + "title": "Threat Log Types", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 6, + "row": 3, + "x": 0, + "y": 15 + }, + "searchesIndex": 2, + "rendererOptions": {} + }, + { + "id": 17738385632364, + "title": "Traffic Log Types", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 6, + "row": 3, + "x": 6, + "y": 15 + }, + "searchesIndex": 3, + "rendererOptions": {} + }, + { + "id": 17738388361375, + "title": "Config Event Count by Command [numbercard]", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 6, + "row": 6, + "x": 0, + "y": 18 + }, + "searchesIndex": 4, + "rendererOptions": {} + }, + { + "id": 17738390145306, + "title": "GlobalProtect Log Types", + "renderer": "numberCard", + "hideZoom": true, + "span": { + "col": 6, + "row": 6, + "x": 6, + "y": 18 + }, + "searchesIndex": 5, + "rendererOptions": {} + } + ], + "linkZooming": false, + "grid": {}, + "version": 2 + }, + "Labels": [ + "palo" + ] +} \ No newline at end of file diff --git a/paloalto/dashboard/fe0de242-49f7-4c50-9860-26a51ff9ef56.meta b/paloalto/dashboard/fe0de242-49f7-4c50-9860-26a51ff9ef56.meta index 9f960dcd..622fa5ca 100644 
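Review bot: `"timeframe": "P30DT"` is not a well-formed ISO 8601 duration — the `T` designator must be followed by at least one time component — while the other dashboards in this change use `PT1H`; a strict parser would reject this dashboard's default range. Use `"timeframe": "P30D",` for thirty days. As a point of style, the tile titles here (`Event Count by Tag [numbercard]`, `[pie chart]`, `[line chart]`) carry renderer suffixes that the other kit dashboards keep out of the user-visible titles.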
--- a/paloalto/dashboard/fe0de242-49f7-4c50-9860-26a51ff9ef56.meta
+++ b/paloalto/dashboard/fe0de242-49f7-4c50-9860-26a51ff9ef56.meta
@@ -1,120 +1,149 @@ { "UUID": "fe0de242-49f7-4c50-9860-26a51ff9ef56", - "Name": "Palo Alto Threat Investigative Dashboard", - "Description": "Investigate Palo Alto threat logs for a particular IP address.", + "Name": "Palo Alto Investigations", + "Description": "This Dashboard is intended to be used for Palo Alto investigations.", "Data": { + "timeframe": { + "durationString": null, + "timeframe": "PT1H", + "timezone": null, + "start": null, + "end": null + }, "searches": [ { - "alias": "Threat subtypes for IP", + "alias": "Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User \u0026 IP [table]", + "color": null, "reference": { - "id": "21c85c02-8c7a-42fd-9cba-005d36c2cce1", - "type": "template" - }, - "color": null + "id": "ecd856f4-ee40-4cc9-a327-5f85ed518a13", + "type": "template", + "extras": { + "defaultValue": null + } + } }, { - "alias": "Threat Table for IP", + "alias": "Template - Palo Alto - NGFW - Threat - Events - All Threat Events for User \u0026 IP [table]", + "color": null, "reference": { - "id": "8ff368b5-1d29-422a-89a7-7eb20c50d224", - "type": "template" - }, - "color": null + "id": "15e8e4fd-763e-4043-97f0-162778ec859c", + "type": "template", + "extras": { + "defaultValue": null + } + } }, { - "alias": "Traffic categories for IP", + "alias": "Template - Palo Alto - NGFW - Threat - WildFire - All Submissions for User \u0026 IP [table]", + "color": null, "reference": { - "id": "182e5db7-4513-4056-a8a8-987fbf570599", - "type": "template" - }, - "color": null + "id": "10e2589a-08f8-4665-857d-3e6092c9500a", + "type": "template", + "extras": { + "defaultValue": null + } + } }, { - "alias": "Wildfire Submissions for IP", + "alias": "Template - Palo Alto - NGFW - Threat - Subtype - Count by Subtypes for User \u0026 IP [numbercard]", + "color": null, "reference": { - "id": "e06715fe-29f6-4d29-bdf2-df6ef933fc72", - "type": "template" - }, - "color": null + "id": "c9e19be7-3673-4d7e-8303-352a1a3ce0bc", + "type": "template", + 
"extras": { + "defaultValue": null + } + } }, { - "alias": "GlobalProtect Info for IP", + "alias": "Template - Palo Alto - NGFW - Traffic - Category - Count by Category [chart]", + "color": null, "reference": { - "id": "f451f8b7-cf3d-423b-95c6-3738852bd9ea", - "type": "template" - }, - "color": null + "id": "278a59ad-0113-42d1-8cf5-3c8bd2bc921c", + "type": "template", + "extras": { + "defaultValue": null + } + } } ], "tiles": [ { + "id": 16486619162920, "title": "Threat Subtypes for IP", "renderer": "numberCard", + "hideZoom": true, "span": { "col": 7, "row": 3, "x": 0, "y": 0 }, - "id": 16486619162920, - "searchesIndex": 0, + "searchesIndex": 3, "rendererOptions": {} }, { + "id": 16486621222771, "title": "Threats", "renderer": "table", + "hideZoom": true, "span": { "col": 7, "row": 7, "x": 0, "y": 3 }, - "id": 16486621222771, "searchesIndex": 1, "rendererOptions": {} }, { + "id": 16486622862572, "title": "Traffic Categories Seen", "renderer": "pieChart", + "hideZoom": true, "span": { "col": 5, "row": 5, "x": 7, "y": 0 }, - "id": 16486622862572, - "searchesIndex": 2, - "rendererOptions": {} + "searchesIndex": 4, + "rendererOptions": { + "IncludeOther": "no", + "SortCategoricalAxisBy": "value" + } }, { + "id": 16486624828083, "title": "Wildfire Submissions", "renderer": "table", + "hideZoom": true, "span": { "col": 12, "row": 6, "x": 0, "y": 10 }, - "id": 16486624828083, - "searchesIndex": 3, + "searchesIndex": 2, "rendererOptions": {} }, { + "id": 16486627597934, "title": "GlobalProtect Correlations", "renderer": "table", + "hideZoom": true, "span": { "col": 5, "row": 5, "x": 7, "y": 5 }, - "id": 16486627597934, - "searchesIndex": 4, + "searchesIndex": 0, "rendererOptions": {} } ], - "timeframe": { - "timeframe": "PT1H" - }, + "linkZooming": false, + "grid": {}, "version": 2 }, "Labels": [ diff --git a/paloalto/file/16b991a1-86c7-4f08-b408-c5faa8afeef3.meta b/paloalto/file/16b991a1-86c7-4f08-b408-c5faa8afeef3.meta index 0fe3fd2e..7ef7fdcf 100644 
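Review bot: The `Traffic Categories Seen` tile now points at `"searchesIndex": 4`, whose template alias (`… Traffic - Category - Count by Category [chart]`) is the only one in this dashboard not marked `for User & IP`; if that template's query is not filtered by the same user/IP variables as the others, the pie shows fleet-wide traffic categories beside per-subject tiles, which an analyst can misread as the subject's activity. Confirm the template filters on those variables, or rename its alias so the scoping is stated. The new `Description` also drops the old text's statement that the dashboard is keyed to a particular address; something like `"Description": "Investigate Palo Alto GlobalProtect, threat, WildFire and traffic activity for a given user and IP address."` keeps that for the analyst opening it.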
--- a/paloalto/file/16b991a1-86c7-4f08-b408-c5faa8afeef3.meta
+++ b/paloalto/file/16b991a1-86c7-4f08-b408-c5faa8afeef3.meta
@@ -1,6 +1,8 @@
 {
 "GUID": "16b991a1-86c7-4f08-b408-c5faa8afeef3",
- "Name": "logforwarding",
- "Desc": "Log Forwarding",
- "Labels": null
+ "Name": "Palo Alto Log Forwarding Profile",
+ "Desc": "Shows a Palo Alto Log Forwarding Profile",
+ "Labels": [
+ "palo"
+ ]
 }
\ No newline at end of file
diff --git a/paloalto/file/1f8f6d4b-0ff4-4764-a053-50cf8c876cc7.meta b/paloalto/file/1f8f6d4b-0ff4-4764-a053-50cf8c876cc7.meta
index 8d66dead..aa2a880e 100644
--- a/paloalto/file/1f8f6d4b-0ff4-4764-a053-50cf8c876cc7.meta
+++ b/paloalto/file/1f8f6d4b-0ff4-4764-a053-50cf8c876cc7.meta
@@ -1,8 +1,9 @@
 {
 "GUID": "1f8f6d4b-0ff4-4764-a053-50cf8c876cc7",
- "Name": "cover file for kit build \"Palo Alto v1\"",
- "Desc": "",
+ "Name": "Palo Alto Cover",
+ "Desc": "cover file for kit build \"Palo Alto v1\"",
 "Labels": [
- "Kit Build"
+ "Kit Build",
+ "palo"
 ]
 }
\ No newline at end of file
diff --git a/paloalto/file/3392b289-f7e5-4f0a-802e-075cd62b45a5.contents b/paloalto/file/3392b289-f7e5-4f0a-802e-075cd62b45a5.contents
deleted file mode 100644
index 2e7472d5..00000000
Binary files a/paloalto/file/3392b289-f7e5-4f0a-802e-075cd62b45a5.contents and /dev/null differ
diff --git a/paloalto/file/3392b289-f7e5-4f0a-802e-075cd62b45a5.meta b/paloalto/file/3392b289-f7e5-4f0a-802e-075cd62b45a5.meta
deleted file mode 100644
index 01735625..00000000
--- a/paloalto/file/3392b289-f7e5-4f0a-802e-075cd62b45a5.meta
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "GUID": "3392b289-f7e5-4f0a-802e-075cd62b45a5",
- "Name": "PANW_Parent_Brand_Primary_Logo_RGB.png",
- "Desc": "Banner for Palo Alto Kit",
- "Labels": null
-}
\ No newline at end of file
diff --git a/paloalto/file/3bfcce25-dc9f-40dd-a838-fddd02e1cbdf.meta b/paloalto/file/3bfcce25-dc9f-40dd-a838-fddd02e1cbdf.meta
deleted file mode 100644
index 557e7244..00000000
--- a/paloalto/file/3bfcce25-dc9f-40dd-a838-fddd02e1cbdf.meta
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "GUID": "3bfcce25-dc9f-40dd-a838-fddd02e1cbdf",
- "Name": "palo-syslog.png",
- "Desc": "palo-syslog.png",
- "Labels": null
-}
\ No newline at end of file
diff --git a/paloalto/file/50cb5863-6867-47da-bc49-7bef73317ddc.meta b/paloalto/file/50cb5863-6867-47da-bc49-7bef73317ddc.meta
index 36e6573a..bd46343a 100644
--- a/paloalto/file/50cb5863-6867-47da-bc49-7bef73317ddc.meta
+++ b/paloalto/file/50cb5863-6867-47da-bc49-7bef73317ddc.meta
@@ -1,6 +1,8 @@
 {
 "GUID": "50cb5863-6867-47da-bc49-7bef73317ddc",
- "Name": "payloadformat",
- "Desc": "Payload Format",
- "Labels": null
+ "Name": "Palo Alto Payload Format",
+ "Desc": "Shows the payload format of the Palo Alto logs",
+ "Labels": [
+ "palo"
+ ]
 }
\ No newline at end of file
diff --git a/paloalto/file/7d17282a-b57b-41d7-aa76-ebae78021abc.meta b/paloalto/file/7d17282a-b57b-41d7-aa76-ebae78021abc.meta
deleted file mode 100644
index 735635dc..00000000
--- a/paloalto/file/7d17282a-b57b-41d7-aa76-ebae78021abc.meta
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "GUID": "7d17282a-b57b-41d7-aa76-ebae78021abc",
- "Name": "PANW_icon.png",
- "Desc": "Cover for Palo Alto Kit",
- "Labels": null
-}
\ No newline at end of file
diff --git a/paloalto/file/3bfcce25-dc9f-40dd-a838-fddd02e1cbdf.contents b/paloalto/file/8c6e109a-e0e8-4347-9f9b-687ac9291e81.contents
similarity index 100%
rename from paloalto/file/3bfcce25-dc9f-40dd-a838-fddd02e1cbdf.contents
rename to paloalto/file/8c6e109a-e0e8-4347-9f9b-687ac9291e81.contents
diff --git a/paloalto/file/8c6e109a-e0e8-4347-9f9b-687ac9291e81.meta b/paloalto/file/8c6e109a-e0e8-4347-9f9b-687ac9291e81.meta
new file mode 100644
index 00000000..0bb63db6
--- /dev/null
+++ b/paloalto/file/8c6e109a-e0e8-4347-9f9b-687ac9291e81.meta
@@ -0,0 +1,8 @@
+{
+ "GUID": "8c6e109a-e0e8-4347-9f9b-687ac9291e81",
+ "Name": "Palo Alto Syslog Server Profile",
+ "Desc": "Shows a configured syslog server within Palo Alto",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/file/ac8d907f-c540-4237-8327-1ad55c173b6e.meta b/paloalto/file/ac8d907f-c540-4237-8327-1ad55c173b6e.meta
index 670a58a8..920a4331 100644
--- a/paloalto/file/ac8d907f-c540-4237-8327-1ad55c173b6e.meta
+++ b/paloalto/file/ac8d907f-c540-4237-8327-1ad55c173b6e.meta
@@ -1,8 +1,9 @@
 {
 "GUID": "ac8d907f-c540-4237-8327-1ad55c173b6e",
- "Name": "banner file for kit build \"Palo Alto v1\"",
- "Desc": "",
+ "Name": "Palo Alto Banner",
+ "Desc": "banner file for kit build \"Palo Alto v1\"",
 "Labels": [
- "Kit Build"
+ "Kit Build",
+ "palo"
 ]
 }
\ No newline at end of file
diff --git a/paloalto/file/c69dee69-d682-4d6c-951b-a66924098495.meta b/paloalto/file/c69dee69-d682-4d6c-951b-a66924098495.meta
index c04f5878..f7347293 100644
--- a/paloalto/file/c69dee69-d682-4d6c-951b-a66924098495.meta
+++ b/paloalto/file/c69dee69-d682-4d6c-951b-a66924098495.meta
@@ -1,8 +1,9 @@
 {
 "GUID": "c69dee69-d682-4d6c-951b-a66924098495",
- "Name": "icon file for kit build \"Palo Alto v1\"",
- "Desc": "",
+ "Name": "Palo Alto Icon",
+ "Desc": "icon file for kit build \"Palo Alto v1\"",
 "Labels": [
- "Kit Build"
+ "Kit Build",
+ "palo"
 ]
 }
\ No newline at end of file
diff --git a/paloalto/file/f99bf07b-e093-4631-85d4-687b039ecda2.meta b/paloalto/file/f99bf07b-e093-4631-85d4-687b039ecda2.meta
index b9655036..03fdf9e1 100644
--- a/paloalto/file/f99bf07b-e093-4631-85d4-687b039ecda2.meta
+++ b/paloalto/file/f99bf07b-e093-4631-85d4-687b039ecda2.meta
@@ -1,6 +1,8 @@
 {
 "GUID": "f99bf07b-e093-4631-85d4-687b039ecda2",
- "Name": "palo enumerated values",
- "Desc": "Showing enumerated values expanded in text results for Palo Alto logs",
- "Labels": null
+ "Name": "Palo Alto Enumerated Values",
+ "Desc": "Shows EVs expanded in text results for Palo Alto logs",
+ "Labels": [
+ "palo"
+ ]
 }
\ No newline at end of file
diff --git a/paloalto/license/Apache 2.0 License.meta b/paloalto/license/Apache 2.0 License.meta
new file mode 100644
index 00000000..2bb9ad24
--- /dev/null
+++ b/paloalto/license/Apache 2.0 License.meta 
@@ -0,0 +1,176 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
\ No newline at end of file
diff --git a/paloalto/macro/PAN_ALL.expansion b/paloalto/macro/PAN_ALL.expansion
index 5b706004..b0b6bd18 100644
--- a/paloalto/macro/PAN_ALL.expansion
+++ b/paloalto/macro/PAN_ALL.expansion
@@ -1 +1 @@
-pan_*
+pan_*
\ No newline at end of file
diff --git a/paloalto/macro/PAN_ALL.meta b/paloalto/macro/PAN_ALL.meta
index 8b5ba0a7..20ab580f 100644
--- a/paloalto/macro/PAN_ALL.meta
+++ b/paloalto/macro/PAN_ALL.meta
@@ -1,8 +1,8 @@
 {
 "Name": "PAN_ALL",
- "Description": "Palo Alto tag containing type=* events",
+ "Description": "Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. ",
 "Labels": [
 "palo",
 "RecordType"
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_AUTH.expansion b/paloalto/macro/PAN_AUTH.expansion
new file mode 100644
index 00000000..0e8c7c10
--- /dev/null
+++ b/paloalto/macro/PAN_AUTH.expansion
@@ -0,0 +1 @@
+pan_auth
\ No newline at end of file
diff --git a/paloalto/macro/PAN_AUTH.meta b/paloalto/macro/PAN_AUTH.meta
new file mode 100644
index 00000000..217e4e30
--- /dev/null
+++ b/paloalto/macro/PAN_AUTH.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_AUTH",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Authentication data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_CONFIG.expansion b/paloalto/macro/PAN_CONFIG.expansion
index c098ddbb..8165df34 100644
--- a/paloalto/macro/PAN_CONFIG.expansion
+++ b/paloalto/macro/PAN_CONFIG.expansion
@@ -1 +1 @@
-pan_config
+pan_config
\ No newline at end of file
diff --git a/paloalto/macro/PAN_CONFIG.meta b/paloalto/macro/PAN_CONFIG.meta
index ce814a78..72aa0739 100644
--- a/paloalto/macro/PAN_CONFIG.meta
+++ b/paloalto/macro/PAN_CONFIG.meta
@@ -1,8 +1,7 @@
 {
 "Name": "PAN_CONFIG",
- "Description": "Palo Alto tag containing type=config events",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Config data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. ",
 "Labels": [
- "palo",
- "RecordType"
+ "palo"
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_CORRELATION.expansion b/paloalto/macro/PAN_CORRELATION.expansion
new file mode 100644
index 00000000..782cf97c
--- /dev/null
+++ b/paloalto/macro/PAN_CORRELATION.expansion
@@ -0,0 +1 @@
+pan_correlation
\ No newline at end of file
diff --git a/paloalto/macro/PAN_CORRELATION.meta b/paloalto/macro/PAN_CORRELATION.meta
new file mode 100644
index 00000000..5ab25a1e
--- /dev/null
+++ b/paloalto/macro/PAN_CORRELATION.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_CORRELATION",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Correlation data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_DECRYPTION.expansion b/paloalto/macro/PAN_DECRYPTION.expansion
new file mode 100644
index 00000000..36a6d0fe
--- /dev/null
+++ b/paloalto/macro/PAN_DECRYPTION.expansion
@@ -0,0 +1 @@
+pan_decryption
\ No newline at end of file
diff --git a/paloalto/macro/PAN_DECRYPTION.meta b/paloalto/macro/PAN_DECRYPTION.meta
new file mode 100644
index 00000000..8c41b560
--- /dev/null
+++ b/paloalto/macro/PAN_DECRYPTION.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_DECRYPTION",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Decryption data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
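Review bot: The `RecordType` label is removed from `PAN_CONFIG` here, and likewise from `PAN_THREAT` and `PAN_TRAFFIC` further down, while `PAN_ALL`, `PAN_GLOBALPROTECT` and `PAN_THREAT_TRAFFIC` keep it in the same change and every newly added macro carries only `palo`; the per-log-type macros now disagree on the label with no visible reason. If the label has a consumer (grouping or filtering of kit macros), either keep it on all type macros or drop it from all of them. The rewritten descriptions on the modified macros also end in `templates. "` with a trailing space inside the string, unlike the new macros' `templates."`.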
diff --git a/paloalto/macro/PAN_GLOBALPROTECT.expansion b/paloalto/macro/PAN_GLOBALPROTECT.expansion
index edd41c5f..ab6f3e53 100644
--- a/paloalto/macro/PAN_GLOBALPROTECT.expansion
+++ b/paloalto/macro/PAN_GLOBALPROTECT.expansion
@@ -1 +1 @@
-pan_globalprotect
+pan_globalprotect
\ No newline at end of file
diff --git a/paloalto/macro/PAN_GLOBALPROTECT.meta b/paloalto/macro/PAN_GLOBALPROTECT.meta
index ae383d1a..bd2ba3d7 100644
--- a/paloalto/macro/PAN_GLOBALPROTECT.meta
+++ b/paloalto/macro/PAN_GLOBALPROTECT.meta
@@ -1,8 +1,8 @@
 {
 "Name": "PAN_GLOBALPROTECT",
- "Description": "Palo Alto tag containing type=globalprotect events",
+ "Description": "Configuration Macro; Tag used for all Palo Alto GlobalProtect data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. ",
 "Labels": [
 "palo",
 "RecordType"
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_GTP.expansion b/paloalto/macro/PAN_GTP.expansion
new file mode 100644
index 00000000..8f6dba14
--- /dev/null
+++ b/paloalto/macro/PAN_GTP.expansion
@@ -0,0 +1 @@
+pan_gtp
\ No newline at end of file
diff --git a/paloalto/macro/PAN_GTP.meta b/paloalto/macro/PAN_GTP.meta
new file mode 100644
index 00000000..14732915
--- /dev/null
+++ b/paloalto/macro/PAN_GTP.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_GTP",
+ "Description": "Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_HIPMATCH.expansion b/paloalto/macro/PAN_HIPMATCH.expansion
new file mode 100644
index 00000000..4f59eac0
--- /dev/null
+++ b/paloalto/macro/PAN_HIPMATCH.expansion
@@ -0,0 +1 @@
+pan_hip_match
\ No newline at end of file
diff --git a/paloalto/macro/PAN_HIPMATCH.meta b/paloalto/macro/PAN_HIPMATCH.meta
new file mode 100644
index 00000000..3fe1dff9
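Review bot: `PAN_GTP.meta`'s description reads `Tag used for all Palo Alto data`, which is the `PAN_ALL` text, although this macro expands to `pan_gtp`; every other new macro names its own log type. Change it to `"Description": "Configuration Macro; Tag used for all Palo Alto GTP data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",`.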
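Review bot: `PAN_HIPMATCH` expands to `pan_hip_match`, the only new macro whose tag does not follow the `pan_<lowercased name>` pattern of `pan_iptag`, `pan_userid`, `pan_gtp` and the rest. Tags are matched literally against what the ingester assigns, so if the ingester side uses `pan_hipmatch` the HIP Match data silently drops out of every kit query that goes through this macro; confirm the tag against the ingester configuration, and if the shorter form is intended change the line to `pan_hipmatch`.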
--- /dev/null
+++ b/paloalto/macro/PAN_HIPMATCH.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_HIPMATCH",
+ "Description": "Configuration Macro; Tag used for all Palo Alto HIP Match data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_IPTAG.expansion b/paloalto/macro/PAN_IPTAG.expansion
new file mode 100644
index 00000000..41fd7aa3
--- /dev/null
+++ b/paloalto/macro/PAN_IPTAG.expansion
@@ -0,0 +1 @@
+pan_iptag
\ No newline at end of file
diff --git a/paloalto/macro/PAN_IPTAG.meta b/paloalto/macro/PAN_IPTAG.meta
new file mode 100644
index 00000000..526d54c5
--- /dev/null
+++ b/paloalto/macro/PAN_IPTAG.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_IPTAG",
+ "Description": "Configuration Macro; Tag used for all Palo Alto IP Tag data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_SCTP.expansion b/paloalto/macro/PAN_SCTP.expansion
new file mode 100644
index 00000000..8a7202c3
--- /dev/null
+++ b/paloalto/macro/PAN_SCTP.expansion
@@ -0,0 +1 @@
+pan_sctp
\ No newline at end of file
diff --git a/paloalto/macro/PAN_SCTP.meta b/paloalto/macro/PAN_SCTP.meta
new file mode 100644
index 00000000..a6af5027
--- /dev/null
+++ b/paloalto/macro/PAN_SCTP.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_SCTP",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Stream Control Transmission Protocol (SCTP) data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_SYSTEM.expansion b/paloalto/macro/PAN_SYSTEM.expansion
new file mode 100644
index 00000000..fd1a02a8
--- /dev/null
+++ b/paloalto/macro/PAN_SYSTEM.expansion
@@ -0,0 +1 @@
+pan_system
\ No newline at end of file
diff --git a/paloalto/macro/PAN_SYSTEM.meta b/paloalto/macro/PAN_SYSTEM.meta
new file mode 100644
index 00000000..9e115da0
--- /dev/null
+++ b/paloalto/macro/PAN_SYSTEM.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_SYSTEM",
+ "Description": "Configuration Macro; Tag used for all Palo Alto System data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_THREAT.expansion b/paloalto/macro/PAN_THREAT.expansion
index dd7907ca..0b7939f0 100644
--- a/paloalto/macro/PAN_THREAT.expansion
+++ b/paloalto/macro/PAN_THREAT.expansion
@@ -1 +1 @@
-pan_threat
+pan_threat
\ No newline at end of file
diff --git a/paloalto/macro/PAN_THREAT.meta b/paloalto/macro/PAN_THREAT.meta
index ac1434c0..189bbd7d 100644
--- a/paloalto/macro/PAN_THREAT.meta
+++ b/paloalto/macro/PAN_THREAT.meta
@@ -1,8 +1,7 @@
 {
 "Name": "PAN_THREAT",
- "Description": "Palo Alto tag containing type=threat events",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Threat data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. ",
 "Labels": [
- "palo",
- "RecordType"
+ "palo"
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_THREAT_TRAFFIC.meta b/paloalto/macro/PAN_THREAT_TRAFFIC.meta
index 435c077d..cb473368 100644
--- a/paloalto/macro/PAN_THREAT_TRAFFIC.meta
+++ b/paloalto/macro/PAN_THREAT_TRAFFIC.meta
@@ -1,8 +1,8 @@
 {
 "Name": "PAN_THREAT_TRAFFIC",
- "Description": "Palo Alto tag containing type=threat and type=traffic events",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Threat \u0026 Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. ",
 "Labels": [
 "palo",
 "RecordType"
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_TRAFFIC.expansion b/paloalto/macro/PAN_TRAFFIC.expansion
index a3550e83..a0089278 100644
--- a/paloalto/macro/PAN_TRAFFIC.expansion
+++ b/paloalto/macro/PAN_TRAFFIC.expansion
@@ -1 +1 @@
-pan_traffic
+pan_traffic
\ No newline at end of file
diff --git a/paloalto/macro/PAN_TRAFFIC.meta b/paloalto/macro/PAN_TRAFFIC.meta
index 9aae0602..3ae7082c 100644
--- a/paloalto/macro/PAN_TRAFFIC.meta
+++ b/paloalto/macro/PAN_TRAFFIC.meta
@@ -1,8 +1,7 @@
 {
 "Name": "PAN_TRAFFIC",
- "Description": "Palo Alto tag containing type=traffic events",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. ",
 "Labels": [
- "palo",
- "RecordType"
+ "palo"
 ]
-}
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_TUNNEL.expansion b/paloalto/macro/PAN_TUNNEL.expansion
new file mode 100644
index 00000000..ad37d42f
--- /dev/null
+++ b/paloalto/macro/PAN_TUNNEL.expansion
@@ -0,0 +1 @@
+pan_tunnel
\ No newline at end of file
diff --git a/paloalto/macro/PAN_TUNNEL.meta b/paloalto/macro/PAN_TUNNEL.meta
new file mode 100644
index 00000000..cc911727
--- /dev/null
+++ b/paloalto/macro/PAN_TUNNEL.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_TUNNEL",
+ "Description": "Configuration Macro; Tag used for all Palo Alto Tunnel data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/macro/PAN_USERID.expansion b/paloalto/macro/PAN_USERID.expansion
new file mode 100644
index 00000000..0e1bb001
--- /dev/null
+++ b/paloalto/macro/PAN_USERID.expansion
@@ -0,0 +1 @@
+pan_userid
\ No newline at end of file
diff --git a/paloalto/macro/PAN_USERID.meta b/paloalto/macro/PAN_USERID.meta
new file mode 100644
index 00000000..fcbccc91
--- /dev/null
+++ b/paloalto/macro/PAN_USERID.meta
@@ -0,0 +1,7 @@
+{
+ "Name": "PAN_USERID",
+ "Description": "Configuration Macro; Tag used for all Palo Alto User ID data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates.",
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/banner.png b/paloalto/paloalto-banner.png
similarity index 100%
rename from paloalto/banner.png
rename to paloalto/paloalto-banner.png
diff --git a/paloalto/cover.png b/paloalto/paloalto-cover.png
similarity index 100%
rename from paloalto/cover.png
rename to paloalto/paloalto-cover.png
diff --git a/paloalto/file/7d17282a-b57b-41d7-aa76-ebae78021abc.contents b/paloalto/paloalto-icon.png
similarity index 100%
rename from paloalto/file/7d17282a-b57b-41d7-aa76-ebae78021abc.contents
rename to paloalto/paloalto-icon.png
diff --git a/paloalto/paloalto.metadata b/paloalto/paloalto.metadata
index a64e2a7d..6d11d9a0 100644
--- a/paloalto/paloalto.metadata
+++ b/paloalto/paloalto.metadata
@@ -1,9 +1,54 @@
 {
- "Tags": ["pan_traffic", "pan_threat"],
- "Ingesters": ["simplerelay"],
- "Assets": [
- { "Type": "image", "Source": "cover.png", "Legend": "Gravwell", "Featured": true},
- { "Type": "image", "Source": "banner.png", "Legend": "Gravwell", "Featured": true, "Banner": true},
- { "Type": "readme", "Source": "README.md"}
- ]
+ "Tags": [
+ "pan_auth",
+ "pan_config",
+ "pan_correlation",
+ "pan_decryption",
+ "pan_globalprotect",
+ "pan_gtp",
+ "pan_hipmatch",
+ "pan_iptag",
+ "pan_sctp",
+ "pan_system",
+ "pan_threat",
+ "pan_traffic",
+ "pan_tunnel",
+ "pan_userid"
+ ],
+ "Ingesters": [
+ "simplerelay"
+ ],
+ "Assets": [
+ {
+ "Type": "image",
+ "Source": "paloalto-cover.png",
+ "Legend": "Palo Alto Cover",
+ "Featured": true
+ },
+ {
+ "Type": "image",
+ "Source": "paloalto-banner.png",
+ "Legend": "Palo Alto Banner",
+ "Featured": true,
+ "Banner": true
+ },
+ {
+ "Type": "readme",
+ "Source": "README.md"
+ }
+ ],
+ "dashboards": [],
+ "attachments": [
+ {
+ "context": "cover",
+ "type": "image",
+ "file": "paloalto-cover.png"
+ },
+ {
+ "context": "banner",
+ "type": "image",
+ "file": "paloalto-banner.png"
+ }
+ ],
+ "readme": "README.md"
 }
diff --git a/paloalto/pivot/6991b96f-3b3f-4255-b790-a7623ccc18c6.meta b/paloalto/pivot/6991b96f-3b3f-4255-b790-a7623ccc18c6.meta
index 0c3088f2..60b5bd36 100644
--- a/paloalto/pivot/6991b96f-3b3f-4255-b790-a7623ccc18c6.meta
+++ b/paloalto/pivot/6991b96f-3b3f-4255-b790-a7623ccc18c6.meta
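Review bot: The rewritten `Tags` array lists fourteen tags but omits `pan_audit` and `pan_events`, both of which the ingester configuration shipped in this commit's playbook routes to (`Route=AUDIT:pan_audit`, `Tag-Name=pan_events`) and which the playbook itself tells users to add to $PAN_ALL. If `Tags` is what the kit declares as the tag set it needs for permissions and macros, those two entries should be added alongside the others as `"pan_audit",` and `"pan_events",`; I can't confirm from this hunk how the field is consumed, so treat this as something to verify against the kit loader. In the same spirit, `Ingesters` still names only `simplerelay` even though the HTTP ingester is documented as a supported ingestion path.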
@@ -1,38 +1,39 @@
 {
 "UUID": "6991b96f-3b3f-4255-b790-a7623ccc18c6",
- "Name": "IP Address",
- "Description": "Palo Alto actions on IP address",
+ "Name": "Palo Alto IP",
+ "Description": "Palo Alto actions on IP Address",
 "Data": {
 "menuLabel": null,
- "triggers": [
- {
- "pattern": "/\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b/g",
- "hyperlink": true
- }
- ],
 "actions": [
 {
- "name": "Investigate Threats",
+ "name": "Investigate",
 "description": "Look for threats in Palo Alto logs",
 "placeholder": null,
- "start": {
- "type": "string",
- "format": null,
- "placeholder": null
- },
- "end": {
- "type": "string",
- "format": null,
- "placeholder": null
- },
 "command": {
 "type": "dashboard",
 "reference": "fe0de242-49f7-4c50-9860-26a51ff9ef56",
 "options": {
- "variable": "%%IP%%"
+ "variable": "%%ip%%"
 }
+ },
+ "noValueUrlEncode": false,
+ "start": {
+ "type": "string",
+ "placeholder": null,
+ "format": null
+ },
+ "end": {
+ "type": "string",
+ "placeholder": null,
+ "format": null
 }
 }
+ ],
+ "triggers": [
+ {
+ "pattern": "/\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b/g",
+ "hyperlink": true
+ }
 ]
 },
 "Labels": [
diff --git a/paloalto/pivot/dbf5d89f-f36d-4382-92d1-8c1e335562f6.meta b/paloalto/pivot/dbf5d89f-f36d-4382-92d1-8c1e335562f6.meta
new file mode 100644
index 00000000..9f6035ea
--- /dev/null
+++ b/paloalto/pivot/dbf5d89f-f36d-4382-92d1-8c1e335562f6.meta
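Review bot: The variable rename from `%%IP%%` to `%%ip%%` is a case-sensitive change against the dashboard `fe0de242-49f7-4c50-9860-26a51ff9ef56`, which is not part of this diff, so it is worth confirming that the dashboard's variable is now spelled `ip` or the actionable will launch it without a value. The re-added trigger pattern `/\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b/g` accepts any dotted quad, so values like `300.1.1.1` or four-part version strings in a log line also become clickable IP pivots; an octet-bounded alternation would tighten it if the actionable regex dialect supports it. The hunk ends inside the `Labels` array, so the closing lines of the file are not visible here.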
@@ -0,0 +1,43 @@
+{
+ "UUID": "dbf5d89f-f36d-4382-92d1-8c1e335562f6",
+ "Name": "Palo Alto User",
+ "Description": "Palo Alto Actions on src/dst user",
+ "Data": {
+ "menuLabel": "",
+ "actions": [
+ {
+ "name": "Investigate",
+ "description": "This actionable will launch the Palo Alto Investigations Dashboard to see if there are any events performed by this user. ",
+ "placeholder": null,
+ "command": {
+ "type": "dashboard",
+ "reference": "fe0de242-49f7-4c50-9860-26a51ff9ef56",
+ "options": {
+ "variable": "%%user%%"
+ }
+ },
+ "noValueUrlEncode": false,
+ "start": {
+ "type": "string",
+ "placeholder": null,
+ "format": null
+ },
+ "end": {
+ "type": "string",
+ "placeholder": null,
+ "format": null
+ }
+ }
+ ],
+ "triggers": [
+ {
+ "pattern": "/[,]\\b([A-Za-z][A-Za-z0-9_-]{1,31}[._][A-Za-z][A-Za-z0-9_-]{1,31})\\b/gm",
+ "hyperlink": true,
+ "disabled": false
+ }
+ ]
+ },
+ "Labels": [
+ "palo"
+ ]
+}
\ No newline at end of file
diff --git a/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.body b/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.body
new file mode 100644
index 00000000..8e1c0b17
--- /dev/null
+++ b/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.body
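Review bot: The trigger `/[,]\\b([A-Za-z][A-Za-z0-9_-]{1,31}[._][A-Za-z][A-Za-z0-9_-]{1,31})\\b/gm` keys only on a preceding comma plus a `name.name` or `name_name` shape, so in these CSV logs it will also fire on hostnames, device names, rule names and similar fields, not just the source/destination user; the description should say so, e.g. `"description": "Heuristic match on user-like values (domain.user or domain_user) in any CSV field; launches the Palo Alto Investigations Dashboard for that value."`. The full match includes the leading comma while the user value is in capture group 1, and whether `%%user%%` receives the group or the whole match is not visible in this file, so that should be confirmed before relying on the pivot. Minor style points: `menuLabel` is `""` here but `null` in the sibling IP pivot, and the description string ends in a trailing space.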
@@ -0,0 +1,613 @@ +*** + +A toolkit for interacting with Palo Alto data in Gravwell. This kit includes queries, resources (lookups), templates, autoextractors, macros, dashboards, alerts, scheduled searches, and flows to help streamline Palo Alto analysis across Authentication, Config, Correlation, Decryption, GlobalProtect, GTP, HIP Match, IP Tag, Stream Control Transmission Protocol (SCTP), System, Threat, Traffic, Tunnel, and User ID log sources. + +*** + +## Table of Contents +0. [Data Ingestion](#0-data-ingestion) + 0.1. [Simple Relay Ingester](#0-1-simple-relay-ingester) + 0.2. [Install & Configure IngesterType](#0-2-install--configure-simple-relay) + 0.3. [HTTP Ingester](#0-3-http-ingester) + 0.4. [Install & Configure HTTP Ingester](#0-4-install--configure-http-ingester) + 0.5. [Data Tags](#0-5-data-tags) + 0.6. [Working with the Data](#0-6-working-with-the-data) +1. [Tags & Macros](#1-tags--macros) + 1.1. [Tags](#1-1-tags) + 1.2. [Autoextractors](#1-2-autoextractors) + 1.3. [Macros](#1-3-macros) +2. [Query Library](#2-query-library) +3. [Naming Schema](#3-naming-schema) +4. [Resources](#4-resources) + 4.1. [Lookups](#4-1-lookups) +5. [Alerts](#5-alerts) + 5.1. [Dispatchers](#5-1-dispatchers) + 5.2. [Consumers](#5-2-consumers) +6. [Scheduled Searches](#6-scheduled-searches) + 6.1. [Flows](#6-1-flows) +7. [Playbooks](#7-playbooks) + 7.1. [Files](#7-1-files) +8. [Searches](#8-searches) + 8.1. [Dashboard Searches](#8-1-dashboard-searches) + 8.2. [Alert Queries](#8-2-alert-queries) +9. [Templates](#9-templates) +10. [Dashboards](#10-dashboards) + 10.1. [Actionables](#10-1-actionables) +11. [Useful Resources & References](#11-useful-resources--references) +12. [Notes](#12-notes) +13. [Image credits](#13-image-credits) + +*** + +## 0. [Data Ingestion](#0-data-ingestion) + +This kit provides tools for working with logs from Palo Alto next-gen firewalls. Note that at this time, only PAN-OS 10.x is supported. 
+ +Before you can use the kit, you'll need to get logs flowing from your Palo Alto device into Gravwell. The recommended method is via *syslog forwarding*. Gravwell can receive syslog data using the [Simple Relay](https://docs.gravwell.io/ingesters/simple_relay.html) ingester. Configuration of Simple Relay is described below. + +You can also send logs via the HTTP ingester; instructions for that are in the "Install & Configure HTTP Ingester" section below. + +#### 0.1 [Simple Relay Ingester](#0-1-simple-relay-ingester) + +- Simple Relay is the go-to ingester for text based data sources that can be delivered over plaintext TCP, encrypted TCP, or plaintext UDP network connections via either IPv4 or IPv6. + - [Documentation](https://docs.gravwell.io/ingesters/simple_relay.html) + +#### 0.2 [Install & Configure Simple Relay](#0-2-install--configure-simple-relay) + +- Deploy the [Simple Relay](https://docs.gravwell.io/ingesters/simple_relay.html) ingester on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/ingesters/ingesters.html) for more information. +- Drop the following config snippet into a new file named /opt/gravwell/etc/simple\_relay.conf.d/paloalto.conf on the ingester machine, then run sudo systemctl restart gravwell\_simple\_relay.service to restart the ingester. This will make it start listening for incoming syslog on port 6601, with special rules to route Palo Alto logs into the correct Gravwell tags. 
+ + ```ini + [Listener "syslogtcp_paloalto"] + Bind-String="tcp://0.0.0.0:6601" + Reader-Type=line + Tag-Name=pan_events + Assume-Local-Timezone=true + Preprocessor="PaloAlto Audit Router" + Preprocessor="PaloAlto Tunnel Inspection Router" + Preprocessor="PaloAlto PAN Type Router" + + # Route Audit logs. Audit logs identify as AUDIT in the 3rd CSV field and + # use a different CSV layout than standard SYSTEM logs. + [preprocessor "PaloAlto Audit Router"] + Type=regexrouter + Drop-Misses=false + Regex=`^(?:[^,]*,){2}(?PAUDIT|audit),` + Route-Extraction=subtype + Route=AUDIT:pan_audit + Route=audit:pan_audit + + # Route Tunnel Inspection logs. These logs use START/END in the 4th CSV field + # instead of a family name such as TRAFFIC or THREAT. + # The additional severity check helps distinguish this format from other PAN logs. + [preprocessor "PaloAlto Tunnel Inspection Router"] + Type=regexrouter + Drop-Misses=false + Regex=`^(?:[^,]*,){3}(?PSTART|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),` + Route-Extraction=event + Route=START:pan_tunnel + Route=END:pan_tunnel + Route=start:pan_tunnel + Route=end:pan_tunnel + + # Route all remaining PAN log families by the 4th CSV field. + [preprocessor "PaloAlto PAN Type Router"] + Type=regexrouter + Drop-Misses=false + Regex=`^(?:[^,]*,){3}(?P[^,]+),` + Route-Extraction=type + Route=AUTHENTICATION:pan_auth + Route=CONFIG:pan_config + Route=CORRELATION:pan_correlation + Route=DECRYPTION:pan_decryption + Route=GLOBALPROTECT:pan_globalprotect + Route=GTP:pan_gtp + Route=HIP-MATCH:pan_hipmatch + Route=HIPMATCH:pan_hipmatch + Route=IPTAG:pan_iptag + Route=SCTP:pan_sctp + Route=SYSTEM:pan_system + Route=THREAT:pan_threat + Route=TRAFFIC:pan_traffic + Route=USERID:pan_userid + ``` + +- Ensure that the server running Simple Relay allows incoming connections on port 6601, and that any firewalls between the Palo Alto device and the Simple Relay system allow port 6601 traffic. 
+- Configure log forwarding as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring), defining the syslog server profile to point at the Simple Relay server on port 6601 as seen below. When configuring forwarding, make sure you enable all desired log families, including System/Audit and Tunnel Inspection. + +> ![Palo Alto Syslog Server Profile: Shows a configured syslog server within Palo Alto](/api/files/8c6e109a-e0e8-4347-9f9b-687ac9291e81?1773840659459 =663x345) + +- Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the following query: + + ```gravwell + tag=$PAN_ALL limit 10 + ``` + +- If any results appear, logs are coming in properly. + +#### 0.3 [HTTP Ingester](#0-3-http-ingester) + +- HTTP Ingester can be used when you want Palo Alto to deliver logs over HTTP instead of syslog. + - [Documentation](https://docs.gravwell.io/ingesters/http.html) + +#### 0.4 [Install & Configure HTTP Ingester](#0-4-install--configure-http-ingester) + +- Deploy the [HTTP Ingester](https://docs.gravwell.io/ingesters/http.html) on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/ingesters/ingesters.html) for more information. +- Drop the following config snippet into a new file named /opt/gravwell/etc/gravwell\_http\_ingester.conf.d/paloalto.conf on the ingester machine, then run sudo systemctl restart gravwell\_http\_ingester.service to restart the ingester. By default, the HTTP ingester listens on port 8080; this config adds an HTTP endpoint at /pan/logs, with HTTP basic authentication in place. 
It also defines preprocessors with special rules to route Palo Alto logs to the correct Gravwell tags. + + ```ini + [Listener "palo"] + AuthType=basic + Username=paloalto + Password=paloaltopassword + URL="/pan/logs" + Tag-Name=pan_events + Assume-Local-Timezone=true + Preprocessor="PaloAlto Audit Router" + Preprocessor="PaloAlto Tunnel Inspection Router" + Preprocessor="PaloAlto PAN Type Router" + + [preprocessor "PaloAlto Audit Router"] + Type=regexrouter + Drop-Misses=false + Regex=`^(?:[^,]*,){2}(?PAUDIT|audit),` + Route-Extraction=subtype + Route=AUDIT:pan_audit + Route=audit:pan_audit + + [preprocessor "PaloAlto Tunnel Inspection Router"] + Type=regexrouter + Drop-Misses=false + Regex=`^(?:[^,]*,){3}(?PSTART|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),` + Route-Extraction=event + Route=START:pan_tunnel + Route=END:pan_tunnel + Route=start:pan_tunnel + Route=end:pan_tunnel + + [preprocessor "PaloAlto PAN Type Router"] + Type=regexrouter + Drop-Misses=false + Regex=`^(?:[^,]*,){3}(?P[^,]+),` + Route-Extraction=type + Route=AUTHENTICATION:pan_auth + Route=CONFIG:pan_config + Route=CORRELATION:pan_correlation + Route=DECRYPTION:pan_decryption + Route=GLOBALPROTECT:pan_globalprotect + Route=GTP:pan_gtp + Route=HIP-MATCH:pan_hipmatch + Route=HIPMATCH:pan_hipmatch + Route=IPTAG:pan_iptag + Route=SCTP:pan_sctp + Route=SYSTEM:pan_system + Route=THREAT:pan_threat + Route=TRAFFIC:pan_traffic + Route=USERID:pan_userid + ``` + +- Ensure that the server running the HTTP Ingester allows incoming connections on port 8080, and that any firewalls between the Palo Alto device and the ingester system allow port 8080 traffic. +- Once the ingester is configured, set up log forwarding on the Palo Alto device as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/forward-logs-to-an-https-destination). You will need to set up the following: + - An HTTP Server Profile. 
The "Address" field corresponds to the HTTP Ingester's address, "Port" should be 8080, "HTTP Method" is POST, and you should populate the Username and Password fields to match your configuration above. In the "Payload Format" tab, ensure each log type sends the raw CSV field order expected by the preprocessors above, as shown in the image below: +> + > ![Palo Alto Payload Format: Shows the payload format of the logs](/api/files/50cb5863-6867-47da-bc49-7bef73317ddc?1773841161343 =705x467) +> +- A Log Forwarding Profile which sends all desired log types to the HTTP Server Profile created above. Note that it is possible to use one Log Forwarding Profile to send logs to both syslog and HTTP ingesters at the same time, if desired, as seen below: +> +> ![Palo Alto Log Forwarding Profile: Shows a Palo Alto Log Forwarding Profile](/api/files/16b991a1-86c7-4f08-b408-c5faa8afeef3?1773841216952 =792x384) +> +- Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the following query: + +```gravwell + tag=$PAN_ALL limit 10 +``` + +- If any results appear, logs are coming in properly. +- Warning: We strongly recommend changing the "Username" and "Password" fields before deploying. We also recommend setting up a TLS frontend for better security. Palo Alto also notes that HTTP/S forwarding is intended for lower-volume deployments and can lose logs at higher forwarding rates, so syslog via Simple Relay remains the recommended option for primary ingestion. + +#### 0.5 [Data Tags](#0-5-data-tags) + +- Palo Alto logs are sorted into tags on Gravwell based on the log family or format, using the mappings defined in the preprocessor configuration above. 
The tags are: + - pan_traffic: [Traffic logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields) + - pan_threat: [Threat logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields), including [URL Filtering](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/url-filtering-log-fields), [Data Filtering](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/data-filtering-log-fields), and WildFire Submission / other THREAT-family subtypes + - pan_hipmatch: [HIP Match logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields) + - pan_globalprotect: [GlobalProtect logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields) + - pan_iptag: [IP-Tag logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields) + - pan_userid: [User-ID logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields) + - pan_decryption: [Decryption logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields) + - pan_tunnel: [Tunnel Inspection logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/tunnel-inspection-log-fields) + - pan_sctp: [SCTP logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields) + - pan_auth: [Authentication 
logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields) + - pan_config: [Config logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields) + - pan_system: [System logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields) + - pan_correlation: [Correlated Events logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields) + - pan_gtp: [GTP logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields) + - pan_audit: [Audit logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields) + - pan_events: Catch-all for unmatched, unknown, or newly introduced PAN log formats that arrive on the dedicated Palo Alto listener or HTTP endpoint + +- The links in the list above will take you to the official Palo Alto documentation for each log type. These are the best places to find out what any given field *means*. For instance, the traffic log page includes the following definitions: + - Source Address (src): Original session source IP address. + - Destination Address (dst): Original session destination IP address. +- The names in parentheses are the names of the fields used in Gravwell; thus to extract the source and destination IP addresses of a session, one would type ax src dst. See the next section for more information on extracting data fields. +- If your kit defines a PAN_ALL macro, update it to include pan_audit, pan_tunnel, and pan_events in addition to the existing PAN tags. 
+ +#### 0.6 [Working with the Data](#0-6-working-with-the-data) + +- One key component of this kit is the pre-configured *auto extractors* which apply structure to the CSV-formatted logs in the system. Each log type contains *many* fields, so we recommend using a particular trick when exploring the extracted fields of a given data type. First, run a query on the tag using the ax module with no arguments, sent to the text renderer: + + ```gravwell + tag=$PAN_TRAFFIC ax + | text + ``` + +- Then, in the results, click the "Show details" floating button for any one of the results. This will expand the entry to show the extracted enumerated values. This lets you rapidly scroll through the raw results until you find one that looks interesting, then expand it to see which enumerated values are available: + +> ![Palo Alto Enumerated Values: Shows EVs expanded in text results for Palo Alto logs](/api/files/f99bf07b-e093-4631-85d4-687b039ecda2?1773841268896 =1870x710) + +- In the image above, a single enumerated value pair is highlighted; from this, we might modify the query to filter down to only traffic destined for Switzerland for further examination: + + ```gravwell + tag=$PAN_TRAFFIC ax dstloc=="Switzerland" + | text + ``` + +- Audit and Tunnel Inspection logs use their own tags because their CSV layouts differ from standard System and Traffic logs. Explore those tags directly when validating ingestion: + + ```gravwell + tag=pan_config limit 10 + ``` + +*** + +## 1. [Tags & Macros](#1-tags--macros) + +#### 1.1. [Tags](#1-1-tags) + +- Purpose: Tags are an essential Gravwell concept. Every entry has a single tag associated with it; these tags allow us to separate and categorize data at a basic level. 
+- [Documentation]() +- The Palo Alto Kit for Gravwell makes use of the following tags: +- Total: ***14*** + - pan\_auth: Tag used for all Palo Alto Authentication data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_auth`` + - pan\_config: Tag used for all Palo Alto Config data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_config`` + - pan\_correlation: Tag used for all Palo Alto Correlation data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_correlation`` + - pan\_decryption: Tag used for all Palo Alto Decryption data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_decryption`` + - pan\_globalprotect: Tag used for all Palo Alto GlobalProtect data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_globalprotect`` + - pan\_gtp: Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_gtp`` + - pan\_hipmatch: Tag used for all Palo Alto HIP Match data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_hipmatch`` + - pan\_iptag: Tag used for all Palo Alto IP Tag data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. 
+ - Usage: ``tag=pan_iptag`` + - pan\_sctp: Tag used for all Palo Alto Stream Control Transmission Protocol (SCTP) data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_sctp`` + - pan\_system: Tag used for all Palo Alto System data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_system`` + - pan\_threat: Tag used for all Palo Alto Threat data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_threat`` + - pan\_traffic: Tag used for all Palo Alto Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_traffic`` + - pan\_tunnel: Tag used for all Palo Alto Tunnel data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_tunnel`` + - pan\_userid: Tag used for all Palo Alto User ID data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - Usage: ``tag=pan_userid`` + +#### 1.2. [Autoextractors](#1-2-autoextractors) + +- Purpose: Autoextractors are simply definitions that can be applied to tags and describe how to correctly extract fields from the data in a given tag. The *ax* module then automatically invokes the appropriate functionality of other modules. 
+- [Documentation]() +- The Palo Alto Kit for Gravwell makes use of the following autoextractors: +- Total: ***14*** + - Palo Alto Authentication Logs: Gravwell generated CSV extraction for Palo Alto Authentication Logs + - Palo Alto Config Logs: Gravwell generated CSV extraction for Palo Alto Config Logs + - Palo Alto Correlation Logs: Gravwell generated CSV extraction for Palo Alto Correlation Logs + - Palo Alto Decryption Logs: Gravwell generated CSV extraction for Palo Alto Decryption Logs + - Palo Alto GPRS Tunning Protocol (GTP) Logs: Gravwell generated CSV extraction for Palo Alto GPRS Tunning Protocol (GTP) Logs + - Palo Alto GlobalProtect Logs: Gravwell generated CSV extraction for Palo Alto GlobalProtect logs + - Palo Alto HIP Match Logs: Gravwell generated CSV extraction for Palo Alto HIP Match Logs + - Palo Alto IP-Tag Logs: Gravwell generated CSV extraction for Palo Alto IP-Tag Logs + - Palo Alto Stream Control Transmission Protocol (SCTP) Logs: Gravwell generated CSV extraction for Palo Alto (Stream Control Transmission Protocol) SCTP Logs + - Palo Alto System Logs: Gravwell generated CSV extraction for Palo Alto System Logs + - Palo Alto Threat Logs: Gravwell generated CSV extraction for Palo Alto Threat Logs + - Palo Alto Traffic Logs: Gravwell generated CSV extraction for Palo Alto Traffic Logs + - Palo Alto Tunnel Logs: Gravwell generated CSV extraction for Palo Alto Tunnel Logs + - Palo Alto User ID Logs: Gravwell generated CSV extraction for Palo Alto User ID Logs + +#### 1.3. [Macros](#1-3-macros) + +- Purpose: Search macros are a powerful feature that can help you use Gravwell more effectively. Macros can turn long, repetitive search queries into easily-remembered shortcuts. 
+- [Documentation]() +- The Palo Alto Kit for Gravwell makes use of the following macros: +- Total: ***16*** + - $PAN\_ALL: Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_AUTH: Configuration Macro; Tag used for all Palo Alto Authentication data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_CONFIG: Configuration Macro; Tag used for all Palo Alto Config data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_CORRELATION: Configuration Macro; Tag used for all Palo Alto Correlation data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_DECRYPTION: Configuration Macro; Tag used for all Palo Alto Decryption data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_GLOBALPROTECT: Configuration Macro; Tag used for all Palo Alto GlobalProtect data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_GTP: Configuration Macro; Tag used for all Palo Alto data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_HIPMATCH: Configuration Macro; Tag used for all Palo Alto HIP Match data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_IPTAG: Configuration Macro; Tag used for all Palo Alto IP Tag data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. 
+ - $PAN\_SCTP: Configuration Macro; Tag used for all Palo Alto Stream Control Transmission Protocol (SCTP) data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_SYSTEM: Configuration Macro; Tag used for all Palo Alto System data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_THREAT: Configuration Macro; Tag used for all Palo Alto Threat data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_THREAT\_TRAFFIC: Configuration Macro; Tag used for all Palo Alto Threat & Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_TRAFFIC: Configuration Macro; Tag used for all Palo Alto Traffic data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_TUNNEL: Configuration Macro; Tag used for all Palo Alto Tunnel data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + - $PAN\_USERID: Configuration Macro; Tag used for all Palo Alto User ID data; necessary for any queries within the Gravwell Palo Alto Kit to run properly for dashboards, query library, and templates. + +*** + +## 2. [Query Library](#2-query-library) + +- Purpose: Queries within the Query Library drive [dashboards](#10-dashboards) via [searches](#8-searches), [scheduled searches](#6-scheduled-searches) via [alert queries](#8-2-alert-queries), and [playbooks](#7-playbooks). +- [Documentation]() + - Updating a query in the library updates dependent dashboards and scheduled searches automatically. 
+ - Total queries: ***45*** + - [8.1 Dashboard Searches](#8-1-dashboard-searches): ***45*** + - [8.2 Alert Queries](#8-2-alert-queries): ***0*** + +*** + +## 3. [Naming Schema](#3-naming-schema) + +- Purpose: The use of a standard naming convention enables users to quickly understand the function, severity, and context of a query or component. This approach facilitates efficient identification, reuse, and troubleshooting without ambiguity. +- *QueryType - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - Name [Visualization - if any]* +- Examples: + - Templates: *Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User & IP [table]* + - Searches: *Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]* + - Alert Queries: *AlertQuery - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - SearchName [Visualization - if any]* + +*** + +## 4. [Resources](#4-resources) + +- Purpose: Resources allow users to store persistent data for use in searches. +- [Documentation]() +- Total: ***1*** + +#### 4.1. [Lookups](#4-1-lookups) + +- Purpose: Lookup Resources are used by the *lookup* module to perform data enrichment and translation off of a static lookup table stored in a resource. +- [Documentation]() +- Total: ***1*** + - excluded\_url\_categories: Palo Alto URL categories to be excluded. + +*** + +## 5. [Alerts](#5-alerts) + +- Purpose: Alerts notify you of potential nefarious actions that took place within and/or against your environment by tying dispatchers and consumers together. +- [Documentation]() +- Total: ***0*** + +#### 5.1. [Dispatchers](#5-1-dispatchers) + +- Purpose: Dispatchers generate events. A typical dispatcher would be a scheduled search that runs on an interval; every result returned by a scheduled search is considered an event. + - Dispatchers = [Scheduled Searches](#6-scheduled-searches) +- [Documentation]() +- Total: ***0*** + +#### 5.2. 
[Consumers](#5-2-consumers) + +- Purpose: Consumers process and respond to events. A typical consumer would be a flow that sends an email to an administrator, or opens a ticket in the ticketing system. Each consumer runs once per event. + - Consumers = [Flows](#6-1-flows) +- [Documentation]() +- Total: ***0*** + +*** + +## 6. [Scheduled Searches](#6-scheduled-searches) + +- Purpose: Scheduled Searches are typically dependent on *AlertQuery - Palo Alto - ...* queries within the [Query Library](#2-query-library). +- [Documentation]() +- Total: ***0*** + +#### 6.1. [Flows](#6-1-flows) + +- Purpose: Flows provide a no-code method for developing advanced automations in Gravwell. +- [Documentation]() +- Total: ***0*** + +*** + +## 7. [Playbooks](#7-playbooks) + +- Purpose: Playbooks are hypertext documents within Gravwell which help guide users through common tasks, describe functionality, and record information about data in the system. +- [Documentation]() +- Total: ***9*** + - Palo Alto Kit - Integration Guide: An Integration Guide for onboarding your Palo Alto logs into Gravwell. + - Palo Alto Kit - README: A toolkit for interacting with Palo Alto data in Gravwell. This kit includes queries, resources (lookups), templates, autoextractors, macros, and dashboards to help streamline Palo Alto analysis across various log sources. + - Palo Alto Banner: banner file for kit build "Palo Alto v1" + - Palo Alto Cover: cover file for kit build "Palo Alto v1" + - Palo Alto Icon: icon file for kit build "Palo Alto v1" + - Palo Alto Log Forwarding Profile: Shows a Palo Alto Log Forwarding Profile + - Palo Alto Enumerated Values: Shows EVs expanded in text results for Palo Alto logs + - Palo Alto Payload Format: Shows the payload format of the logs + - Palo Alto Syslog Server Profile: Shows a configured syslog server within Palo Alto + +#### 7.1. [Files](#7-1-files) + +- Purpose: Gravwell users can upload small files for use in playbooks, as cover images for kits, etc. 
Typically, these files are created or selected at the point of use: via a picker in the playbook editor, in the kit builder, etc. +- [Documentation]() +- Total: ***0*** + +*** + +## 8. [Searches](#8-searches) + +- Purpose: These queries within the Query Library drive [dashboards](#10-dashboards) to quickly view Palo Alto data in an easily digestible format or [scheduled searches](#6-scheduled-searches) to ultimately feed [alerts](#5-alerts). +- [Documentation]() +- Total: ***45*** + - Dashboard Search Total: ***45*** + - Alert Query Total: ***0*** + +#### 8.1. [Dashboard Searches](#8-1-dashboard-searches) + +- Purpose: These queries within the Query Library drive [dashboards](#10-dashboards) to quickly view vendor data in an easily digestible format. +- Total: ***45*** + - Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]: Displays a chart of configuration event counts by administrator. + - Search - Palo Alto - NGFW - Config - Events - Count by Client [chart]: Displays a chart of configuration event counts by client used to perform the action. + - Search - Palo Alto - NGFW - Config - Events - Count by Command [chart]: Displays a chart of configuration event counts by command executed. + - Search - Palo Alto - NGFW - Config - Events - Count by Command [numbercard]: Displays a numbercard of configuration event counts by command executed. + - Search - Palo Alto - NGFW - Config - Events - Count by Results [chart]: Displays a chart of configuration event counts by command result. + - Search - Palo Alto - NGFW - Config - Events - Latest Events [table]: Displays a chart of configuration event counts by administrator. + - Search - Palo Alto - NGFW - Event Types - Count by Tag [chart]: Displays a chart of event counts by TAG. + - Search - Palo Alto - NGFW - Event Types - Count by Tag [numbercard]: Displays a numbercard of event counts by TAG. 
+ - Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [chart]: Displays a chart of GlobalProtect login attempt counts by status. + - Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [numbercard]: Displays a numbercard of GlobalProtect login attempt counts by status. + - Search - Palo Alto - NGFW - GlobalProtect - Authentication - Failed Logins [table]: Displays a table of failed GlobalProtect login attempts by user, region, and source IP. + - Search - Palo Alto - NGFW - GlobalProtect - Diagnostics - Average Latency [chart]: Displays a chart of average pre-tunnel and post-tunnel latency for GlobalProtect gateway connections. + - Search - Palo Alto - NGFW - GlobalProtect - Events - Count by Subtype [numbercard]: Displays a numbercard of GlobalProtect event counts by subtype. + - Search - Palo Alto - NGFW - GlobalProtect - Session - GlobalProtect Users [table]: Displays a table of GlobalProtect users with associated client system and operating system information. + - Search - Palo Alto - NGFW - Threat - Events - Count by Scan Source Location [chart]: Displays a chart of scan event counts by source location. + - Search - Palo Alto - NGFW - Threat - Events - Count by Scan Types [chart]: Displays a chart of scan event counts by threat ID. + - Search - Palo Alto - NGFW - Threat - Events - Count by Subtype [numbercard]: Displays a numbercard of threat event counts by subtype. + - Search - Palo Alto - NGFW - Threat - Events - Count by Threat Destination Location [chart]: Displays a chart of threat event counts by destination location. + - Search - Palo Alto - NGFW - Threat - Events - Count by Threat Source Location [chart]: Displays a chart of threat event counts by source location. + - Search - Palo Alto - NGFW - Threat - Events - Most Frequent Threat IDs [table]: Displays a table of the most frequently observed threat IDs in threat events. 
+ - Search - Palo Alto - NGFW - Threat - Events - Scan Source Locations [heatmap]: Displays a heatmap of scan event source IP locations. + - Search - Palo Alto - NGFW - Threat - Events - Scans Detected [table]: Displays a table of detected scan events grouped by source and threat ID. + - Search - Palo Alto - NGFW - Threat - Events - Threat Source Locations [heatmap]: Displays a heatmap of threat event source IP locations. + - Search - Palo Alto - NGFW - Threat - URL - Count by Top Hostnames [table]: Displays a table of hostname counts extracted from URL threat events. + - Search - Palo Alto - NGFW - Threat - URL - Top Web Categories [chart]: Displays a numbercard of SaaS event counts by type. + - Search - Palo Alto - NGFW - Threat - WildFire - Count by Application [chart]: Displays a chart of WildFire submission counts by application. + - Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [chart]: Displays a chart of WildFire verdict counts by category. + - Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]: Displays a numbercard of WildFire verdict counts by category. + - Search - Palo Alto - NGFW - Threat - WildFire - Count by File Type [chart]: Displays a chart of WildFire submission counts by file type. + - Search - Palo Alto - NGFW - Threat - WildFire - Recent Wildfire Submissions [table]: Displays a table of recent non-benign WildFire file submissions including source, destination, and file details. + - Search - Palo Alto - NGFW - Threat/Traffic - Event Type - Count by Type [numbercard]: Displays a numbercard of event counts by type. + - Search - Palo Alto - NGFW - Traffic - Application - Rare Applications [table]: Displays a table of the least frequently observed applications in traffic logs. + - Search - Palo Alto - NGFW - Traffic - Application - Top Applications [chart]: Displays a chart of the most frequently observed applications in traffic logs. 
+ - Search - Palo Alto - NGFW - Traffic - Bytes - Total Traffic Volume [chart]: Displays a chart of total traffic volume in megabytes based on summed byte counts from traffic logs. + - Search - Palo Alto - NGFW - Traffic - Events - Count by Subtype [numbercard]: Displays a numbercard of threat event counts by subtype. + - Search - Palo Alto - NGFW - Traffic - SaaS - Application Distribution [table]: Displays a table of SaaS applications with session counts and total traffic volume by category and subcategory. + - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Action [chart]: Displays a chart of SaaS traffic event counts by action. + - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Application [chart]: Displays a chart of SaaS traffic session counts by application. + - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Sanctioned Category [chart]: Displays a chart of the most frequently observed sanctioned SaaS application categories. + - Search - Palo Alto - NGFW - Traffic - SaaS - Count by Unsanctioned Category [chart]: Displays a chart of the least frequently observed sanctioned SaaS application categories. + - Search - Palo Alto - NGFW - Traffic - SaaS - SaaS Event Count [numbercard]: Displays a numbercard of SaaS event counts by type. + - Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Application Percentages [chart]: Displays a chart of SaaS traffic counts comparing sanctioned and non-sanctioned applications. + - Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Applications [table]: Displays a table of sanctioned SaaS applications with session counts and total traffic volume. + - Search - Palo Alto - NGFW - Traffic - SaaS - Total Bytes Transferred [numbercard]: Displays a numbercard of total bytes transferred for SaaS traffic sessions. + - Search - Palo Alto - NGFW - Traffic - SaaS - Unsanctioned Applications [table]: Displays a table of unsanctioned SaaS applications with session counts and total traffic volume. 
+- Naming Schema: *Search - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - SearchName [Visualization - if any]* + +#### 8.2. [Alert Queries](#8-2-alert-queries) + +- Purpose: These queries within the Query Library drive [scheduled searches](#6-scheduled-searches) which ultimately feed [alerts](#5-alerts). +- IMPORTANT: If you need to update or tune, this is where you perform that action. +- Total: ***0*** +- Naming Schema: *AlertQuery - Palo Alto - NGFW - Category/Logtype - Subcategory/Log Subtype - Severity/Priority - SearchName [Visualization - if any]* + +*** + +## 9. [Templates](#9-templates) + +- Purpose: Templates are special objects which define a Gravwell query containing variables. +- [Documentation]() +- Total: ***5*** + - Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User & IP [table]: Displays a table of GlobalProtect sessions associated with the specified IP address including user and machine information. + - Template - Palo Alto - NGFW - Threat - Events - All Threat Events for User & IP [table]: Displays a table of threat events associated with the specified IP address including source, destination, and threat ID. + - Template - Palo Alto - NGFW - Threat - Subtype - Count by Subtypes for User & IP [numbercard]: Displays a numbercard of threat event counts by subtype for the specified IP address. + - Template - Palo Alto - NGFW - Threat - WildFire - All Submissions for User & IP [table]: Displays a table of WildFire file submissions associated with the specified IP address. + - Template - Palo Alto - NGFW - Traffic - Category - Count by Category [chart]: Displays a chart of traffic event counts by application category for the specified IP address. + +*** + +## 10. [Dashboards](#10-dashboards) + +- Purpose: Dashboards are Gravwell’s way of showing the results from multiple searches at the same time. 
+- [Documentation]() +- Total: ***8*** + - Palo Alto Config Overview: This dashboard is a general overview of your Palo Alto Device Configuration data. + - Palo Alto General Overview: This Dashboard is a general overview of your Palo Alto data. + - Palo Alto GlobalProtect Overview: This dashboard is a general overview of your Palo Alto GlobalProtect VPN and client(s) data. + - Palo Alto Investigations: This Dashboard is intended to be used for Palo Alto investigations. + - Palo Alto SaaS Overview: This dashboard is a general overview into your Palo Alto SaaS data. + - Palo Alto Threat Overview: This Dashboard is a general overview of your Palo Alto Threat data. + - Palo Alto User Behavior Overview: This dashboard is a general overview of User Behavior in your Palo Alto data. + - Palo Alto Wildfire Overview: This dashboard is a general overview of your Palo Alto Wildfire analysis submissions & verdicts. + +#### 10.1. [Actionables](#10-1-actionables) + +- Purpose: Actionables provide a way to create custom menus that key on any text rendered in a query; users can take different actions on that text by selecting options in the menus. +- [Documentation]() +- Total: ***2*** + - Palo Alto IP: Palo Alto actions on IP Address + - Palo Alto User: Palo Alto actions on src/dst user + +*** + +## 11. 
[Useful Resources & References](#11-useful-resources--references) + +- Gravwell + - [Actionables]() + - [Alerts]() + - [Autoextractors]() + - [Consumers]() + - [Dashboards]() + - [Dispatchers]() + - [Files]() + - [Flows]() + - [Lookup Module]() + - [Macros]() + - [Playbooks]() + - [Query Library]() + - [regexrouter Preprocessor]() + - [Resources]() + - [Scheduled Searches]() + - [Simple Relay]() + - [Tags]() + - [Templates]() +- Palo Alto + - [Palo Alto Traffic Log Fields]() + - [Palo Alto Threat Log Fields]() + - [Palo Alto URL Filtering Log Fields]() + - [Palo Alto Data Filtering Log Fields]() + - [Palo Alto HIP Match Log Fields]() + - [Palo Alto GlobalProtect Log Fields]() + - [Palo Alto IP-Tag Log Fields]() + - [Palo Alto User-ID Log Fields]() + - [Palo Alto Decryption Log Fields]() + - [Palo Alto Tunnel Inspection Log Fields]() + - [Palo Alto SCTP Log Fields]() + - [Palo Alto Authentication Log Fields]() + - [Palo Alto Config Log Fields]() + - [Palo Alto System Log Fields]() + - [Palo Alto Correlated Events Log Fields]() + - [Palo Alto GTP Log Fields]() + - [Palo Alto Audit Log Fields]() + - [Palo Alto Syslog Severity]() + +*** + +## 12. [Notes](#12-notes) + +- Default log source mapping for Palo Alto Kit: + - pan\_auth = Authentication + - pan\_config = Config + - pan\_correlation = Correlation + - pan\_decryption = Decryption + - pan\_globalprotect = GlobalProtect + - pan\_gtp = GTP + - pan\_hipmatch = HIP Match + - pan\_iptag = IP Tag + - pan\_sctp = Stream Control Transmission Protocol (SCTP) + - pan\_system = System + - pan\_threat = Threat + - pan\_traffic = Traffic + - pan\_tunnel = Tunnel + - pan\_userid = User ID + +*** + +## 13. [Image credits](#13-image-credits) + +- Icon: Palo Alto Icon +- Banner: Palo Alto Banner +- Cover: Palo Alto Cover diff --git a/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.meta b/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.meta new file mode 100644 index 00000000..30c9295a --- /dev/null 
+++ b/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.meta
@@ -0,0 +1,24 @@
+{
+ "UUID": "916b3899-b370-4fdb-8984-5933224e6468",
+ "GUID": "10f92652-bef8-43ec-8fc1-8acf5f465093",
+ "UID": 1,
+ "GIDs": [],
+ "Global": true,
+ "WriteAccess": {
+ "Global": false,
+ "GIDs": []
+ },
+ "Name": "Palo Alto Kit - README",
+ "Desc": "A toolkit for interacting with Palo Alto data in Gravwell. This kit includes queries, resources (lookups), templates, autoextractors, macros, and dashboards to help streamline Palo Alto analysis across various log sources.",
+ "Labels": [
+ "palo"
+ ],
+ "LastUpdated": "2026-03-18T19:58:34.336045971Z",
+ "Author": {
+ "Name": "Kyle Mallett",
+ "Email": "info@gravwell.io",
+ "Company": "Gravwell",
+ "URL": "gravwell.io"
+ },
+ "Synced": false
+}
\ No newline at end of file
diff --git a/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.playbook_metadata b/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.playbook_metadata
new file mode 100644
index 00000000..779c3cc7
--- /dev/null
+++ b/paloalto/playbook/10f92652-bef8-43ec-8fc1-8acf5f465093.playbook_metadata
@@ -0,0 +1 @@
+{"dashboards":[],"attachments":[{"context":"cover","type":"image","fileGUID":"c69dee69-d682-4d6c-951b-a66924098495"},{"context":"banner","type":"image","fileGUID":"ac8d907f-c540-4237-8327-1ad55c173b6e"}]}
\ No newline at end of file
diff --git a/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.body b/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.body
index 2b8e1c20..b0084f36 100644
--- a/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.body
+++ b/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.body
@@ -1,28 +1,76 @@ -This kit provides tools for working with logs from Palo Alto next-gen firewalls. Note that at this time, only PAN-OS 10.x is supported. +*** + +A toolkit for interacting with Palo Alto data in Gravwell. This playbook is a log ingestion integration guide for onboarding Palo Alto logs into Gravwell. + +*** -# Configure Log Forwarding +## Table of Contents +0. [Data Ingestion](#0-data-ingestion) + 0.1. [Simple Relay Ingester](#0-1-simple-relay-ingester) + 0.2. [Install & Configure IngesterType](#0-2-install--configure-simple-relay) + 0.3. [HTTP Ingester](#0-3-http-ingester) + 0.4. [Install & Configure HTTP Ingester](#0-4-install--configure-http-ingester) + 0.5. [Data Tags](#0-5-data-tags) + 0.6. [Working with the Data](#0-6-working-with-the-data) -Before you can use the kit, you'll need to get logs flowing from your Palo Alto device into Gravwell. Our recommended method is via *syslog forwarding*. Gravwell can receive syslog data using the [Simple Relay](https://docs.gravwell.io/#!ingesters/simple_relay.md) ingester. Configuration of Simple Relay is described below. +*** + +## 0. [Data Ingestion](#0-data-ingestion) + +This kit provides tools for working with logs from Palo Alto next-gen firewalls. Note that at this time, only PAN-OS 10.x is supported. + +Before you can use the kit, you'll need to get logs flowing from your Palo Alto device into Gravwell. The recommended method is via *syslog forwarding*. Gravwell can receive syslog data using the [Simple Relay](https://docs.gravwell.io/ingesters/simple_relay.html) ingester. Configuration of Simple Relay is described below. You can also send logs via the HTTP ingester; instructions for that are in the "Install & Configure HTTP Ingester" section below. 
-## Install & Configure Simple Relay +#### 0.1 [Simple Relay Ingester](#0-1-simple-relay-ingester) + +- Simple Relay is the go-to ingester for text based data sources that can be delivered over plaintext TCP, encrypted TCP, or plaintext UDP network connections via either IPv4 or IPv6. + - [Documentation](https://docs.gravwell.io/ingesters/simple_relay.html) + +#### 0.2 [Install & Configure Simple Relay](#0-2-install--configure-simple-relay) -1. Deploy the [Simple Relay](https://docs.gravwell.io/#!ingesters/simple_relay.md) ingester on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/#!ingesters/ingesters.md) for more information. -2. Drop the following config snippet into a new file named /opt/gravwell/etc/simple\_relay.conf.d/paloalto.conf on the ingester machine, then run sudo systemctl restart gravwell\_simple\_relay.service to restart the ingester. This will make it start listening for incoming syslog on port 6601, with special rules to route Palo Alto traffic to different Gravwell tags. +- Deploy the [Simple Relay](https://docs.gravwell.io/ingesters/simple_relay.html) ingester on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/ingesters/ingesters.html) for more information. 
+- Drop the following config snippet into a new file named /opt/gravwell/etc/simple\_relay.conf.d/paloalto.conf on the ingester machine, then run sudo systemctl restart gravwell\_simple\_relay.service to restart the ingester. This will make it start listening for incoming syslog on port 6601, with special rules to route Palo Alto logs into the correct Gravwell tags. -
-[Listener "syslogtcp"]
+    ```ini
+    [Listener "syslogtcp_paloalto"]
         Bind-String="tcp://0.0.0.0:6601"
         Reader-Type=line
-        Tag-Name=syslog
-        Assume-Local-Timezone=true #if a time format does not have a timezone, assume local time
-        Preprocessor="PaloAlto PAN"
-
-[preprocessor "PaloAlto PAN"]
-        Type = regexrouter
+        Tag-Name=pan_events
+        Assume-Local-Timezone=true
+        Preprocessor="PaloAlto Audit Router"
+        Preprocessor="PaloAlto Tunnel Inspection Router"
+        Preprocessor="PaloAlto PAN Type Router"
+
+    # Route Audit logs. Audit logs identify as AUDIT in the 3rd CSV field and
+    # use a different CSV layout than standard SYSTEM logs.
+    [preprocessor "PaloAlto Audit Router"]
+        Type=regexrouter
+        Drop-Misses=false
+        Regex=`^(?:[^,]*,){2}(?PAUDIT|audit),`
+        Route-Extraction=subtype
+        Route=AUDIT:pan_audit
+        Route=audit:pan_audit
+
+    # Route Tunnel Inspection logs. These logs use START/END in the 4th CSV field
+    # instead of a family name such as TRAFFIC or THREAT.
+    # The additional severity check helps distinguish this format from other PAN logs.
+    [preprocessor "PaloAlto Tunnel Inspection Router"]
+        Type=regexrouter
         Drop-Misses=false
-        Regex=`^[^,]+,[^,]+,[^,]+,(?P<type>[^,]+),`
+        Regex=`^(?:[^,]*,){3}(?PSTART|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),`
+        Route-Extraction=event
+        Route=START:pan_tunnel
+        Route=END:pan_tunnel
+        Route=start:pan_tunnel
+        Route=end:pan_tunnel
+
+    # Route all remaining PAN log families by the 4th CSV field.
+    [preprocessor "PaloAlto PAN Type Router"]
+        Type=regexrouter
+        Drop-Misses=false
+        Regex=`^(?:[^,]*,){3}(?P[^,]+),`
         Route-Extraction=type
         Route=AUTHENTICATION:pan_auth
         Route=CONFIG:pan_config
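Review bot: The three new regexrouter patterns in this Simple Relay snippet appear to have lost the names of their capture groups — `(?PAUDIT|audit)`, `(?PSTART|END|start|end)` and `(?P[^,]+)` — while the removed line still reads `(?P<type>[^,]+)`; if that is the committed text rather than a rendering artifact, `(?P` without a name is not a valid group and `Route-Extraction=subtype`, `Route-Extraction=event` and `Route-Extraction=type` would point at groups that do not exist, so the lines should read `Regex=`^(?:[^,]*,){2}(?P<subtype>AUDIT|audit),``, `Regex=`^(?:[^,]*,){3}(?P<event>START|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),`` and `Regex=`^(?:[^,]*,){3}(?P<type>[^,]+),``. The same three patterns recur in the HTTP Ingester snippet later in this file and need the same check. Separately, the listener's fallback `Tag-Name=pan_events` and the new `pan_audit` route do not appear in the README playbook's "Default log source mapping" list or its macro list in this same commit, so the guide should state whether `$PAN_ALL` covers them; if it does not, Audit logs and entries that miss all three routers are ingested but invisible to the kit's queries. The fenced `ini` block and the PAN Type Router's Route list continue past this hunk.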
@@ -30,6 +78,7 @@ You can also send logs via the HTTP ingester; instructions for that are in the "
         Route=DECRYPTION:pan_decryption
         Route=GLOBALPROTECT:pan_globalprotect
         Route=GTP:pan_gtp
+        Route=HIP-MATCH:pan_hipmatch
         Route=HIPMATCH:pan_hipmatch
         Route=IPTAG:pan_iptag
         Route=SCTP:pan_sctp
@@ -37,121 +86,151 @@ You can also send logs via the HTTP ingester; instructions for that are in the "
         Route=THREAT:pan_threat
         Route=TRAFFIC:pan_traffic
         Route=USERID:pan_userid
-
- -3. Ensure that the server running Simple Relay allows incoming connections on port 6601, and that any firewalls between the Palo Alto device and the Simple Relay system allow port 6601 traffic. -4. Configure log forwarding as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html), defining the syslog server profile to point at the Simple Relay server on port 6601 as seen below: - -![](/api/files/3bfcce25-dc9f-40dd-a838-fddd02e1cbdf =663x345) - -Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the folowing query: - -``` -tag=$PAN_ALL limit 10 -``` - -If any results appear, logs are coming in properly. + ``` -## Install & Configure HTTP Ingester +- Ensure that the server running Simple Relay allows incoming connections on port 6601, and that any firewalls between the Palo Alto device and the Simple Relay system allow port 6601 traffic. +- Configure log forwarding as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring), defining the syslog server profile to point at the Simple Relay server on port 6601 as seen below. When configuring forwarding, make sure you enable all desired log families, including System/Audit and Tunnel Inspection. -1. Deploy the [HTTP Ingester](https://docs.gravwell.io/#!ingesters/http.md) on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/#!ingesters/ingesters.md) for more information. -2. 
Drop the following config snippet into a new file named /opt/gravwell/etc/gravwell_http_ingester.conf.d/paloalto.conf on the ingester machine, then run sudo systemctl restart gravwell\_http_ingester.service to restart the ingester. By default, the HTTP ingester listens on port 8080; this config adds an HTTP endpoint at "/pan/logs", with HTTP basic authentication in place. It also defines a preprocessor with special rules to route Palo Alto traffic to different Gravwell tags. +> ![Palo Alto Syslog Server Profile: Shows a configured syslog server within Palo Alto](/api/files/8c6e109a-e0e8-4347-9f9b-687ac9291e81?1773840659459 =663x345) -
-[Listener "palo"]
-	AuthType=basic
-	Username=paloalto
-	Password=paloaltopassword
-	URL="/pan/logs"
-	Tag-Name=pan_other
-	Assume-Local-Timezone=true
-	Preprocessor="PaloAlto PAN"
+- Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the following query:
 
-[preprocessor "PaloAlto PAN"]
-	Type = regexrouter
-	Drop-Misses=false
-	Regex=`^[^,]+,[^,]+,[^,]+,(?P<type>[^,]+),`
-	Route-Extraction=type
-	Route=AUTHENTICATION:pan_auth
-	Route=CONFIG:pan_config
-	Route=CORRELATION:pan_correlation
-	Route=DECRYPTION:pan_decryption
-	Route=GLOBALPROTECT:pan_globalprotect
-	Route=GTP:pan_gtp
-	Route=HIPMATCH:pan_hipmatch
-	Route=IPTAG:pan_iptag
-	Route=SCTP:pan_sctp
-	Route=SYSTEM:pan_system
-	Route=THREAT:pan_threat
-	Route=TRAFFIC:pan_traffic
-	Route=USERID:pan_userid
-
+ ```gravwell + tag=$PAN_ALL limit 10 + ``` -3. Ensure that the server running the HTTP Ingester allows incoming connections on port 8080, and that any firewalls between the Palo Alto device and the ingester system allow port 8080 traffic. +- If any results appear, logs are coming in properly. -Once the ingester is configured, set up log forwarding on the Palo Alto device as described in [the Palo Alto documentation]https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/forward-logs-to-an-https-destination). You will need to set up the following: +#### 0.3 [HTTP Ingester](#0-3-http-ingester) -* An HTTP Server Profile. The "Address" field corresponds to the HTTP Ingester's address, "Port" should be 8080, "HTTP Method" is POST, and you should populate the Username and Password fields to match your configuration above. In the "Payload Format" tab, set each log type as shown in the image below: +- HTTP Ingester can be used when you want Palo Alto to deliver logs over HTTP instead of syslog. + - [Documentation](https://docs.gravwell.io/ingesters/http.html) -![](/api/files/50cb5863-6867-47da-bc49-7bef73317ddc =705x467) +#### 0.4 [Install & Configure HTTP Ingester](#0-4-install--configure-http-ingester) -* A Log Forwarding Profile which sends all desired log types to the HTTP Server Profile created above. Note that it is possible to use one Log Forwarding Profile to send logs to both syslog and HTTP ingesters at the same time, if desired, as seen below: +- Deploy the [HTTP Ingester](https://docs.gravwell.io/ingesters/http.html) on a server which is both accessible from the Palo Alto device and which can route to the Gravwell indexer(s). Configure it with the appropriate Ingest-Secret value for your indexers and point either its Cleartext-Backend-Target or Encrypted-Backend-Target fields at the indexer addresses; refer to the [Ingesters documentation](https://docs.gravwell.io/ingesters/ingesters.html) for more information. 
+- Drop the following config snippet into a new file named /opt/gravwell/etc/gravwell\_http\_ingester.conf.d/paloalto.conf on the ingester machine, then run sudo systemctl restart gravwell\_http\_ingester.service to restart the ingester. By default, the HTTP ingester listens on port 8080; this config adds an HTTP endpoint at /pan/logs, with HTTP basic authentication in place. It also defines preprocessors with special rules to route Palo Alto logs to the correct Gravwell tags.
-![](/api/files/16b991a1-86c7-4f08-b408-c5faa8afeef3 =792x384)
+ ```ini
+ [Listener "palo"]
+ AuthType=basic
+ Username=paloalto
+ Password=paloaltopassword
+ URL="/pan/logs"
+ Tag-Name=pan_events
+ Assume-Local-Timezone=true
+ Preprocessor="PaloAlto Audit Router"
+ Preprocessor="PaloAlto Tunnel Inspection Router"
+ Preprocessor="PaloAlto PAN Type Router"
-Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the folowing query:
+ [preprocessor "PaloAlto Audit Router"]
+ Type=regexrouter
+ Drop-Misses=false
+ Regex=`^(?:[^,]*,){2}(?PAUDIT|audit),`
+ Route-Extraction=subtype
+ Route=AUDIT:pan_audit
+ Route=audit:pan_audit
-```
-tag=$PAN_ALL limit 10
+ [preprocessor "PaloAlto Tunnel Inspection Router"]
+ Type=regexrouter
+ Drop-Misses=false
+ Regex=`^(?:[^,]*,){3}(?PSTART|END|start|end),(?:[^,]*,){27}(?:informational|low|medium|high|critical),`
+ Route-Extraction=event
+ Route=START:pan_tunnel
+ Route=END:pan_tunnel
+ Route=start:pan_tunnel
+ Route=end:pan_tunnel
+
+ [preprocessor "PaloAlto PAN Type Router"]
+ Type=regexrouter
+ Drop-Misses=false
+ Regex=`^(?:[^,]*,){3}(?P[^,]+),`
+ Route-Extraction=type
+ Route=AUTHENTICATION:pan_auth
+ Route=CONFIG:pan_config
+ Route=CORRELATION:pan_correlation
+ Route=DECRYPTION:pan_decryption
+ Route=GLOBALPROTECT:pan_globalprotect
+ Route=GTP:pan_gtp
+ Route=HIP-MATCH:pan_hipmatch
+ Route=HIPMATCH:pan_hipmatch
+ Route=IPTAG:pan_iptag
+ Route=SCTP:pan_sctp
+ Route=SYSTEM:pan_system
+ Route=THREAT:pan_threat
+ Route=TRAFFIC:pan_traffic
+ Route=USERID:pan_userid
+ ```
+
+- Ensure that the server running the HTTP Ingester allows incoming connections on port 8080, and that any firewalls between the Palo Alto device and the ingester system allow port 8080 traffic.
+- Once the ingester is configured, set up log forwarding on the Palo Alto device as described in [the Palo Alto documentation](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/forward-logs-to-an-https-destination). You will need to set up the following:
+ - An HTTP Server Profile. The "Address" field corresponds to the HTTP Ingester's address, "Port" should be 8080, "HTTP Method" is POST, and you should populate the Username and Password fields to match your configuration above. In the "Payload Format" tab, ensure each log type sends the raw CSV field order expected by the preprocessors above, as shown in the image below:
+>
+ > ![Palo Alto Payload Format: Shows the payload format of the logs](/api/files/50cb5863-6867-47da-bc49-7bef73317ddc?1773841161343 =705x467)
+>
+- A Log Forwarding Profile which sends all desired log types to the HTTP Server Profile created above. Note that it is possible to use one Log Forwarding Profile to send logs to both syslog and HTTP ingesters at the same time, if desired, as seen below:
+>
+> ![Palo Alto Log Forwarding Profile: Shows a Palo Alto Log Forwarding Profile](/api/files/16b991a1-86c7-4f08-b408-c5faa8afeef3?1773841216952 =792x384)
+>
+- Once the changes have been committed, logs should begin flowing into Gravwell. You can check by running the following query:
+
+```gravwell
+ tag=$PAN_ALL limit 10
 ```
-If any results appear, logs are coming in properly.
+- If any results appear, logs are coming in properly.
+- Warning: We strongly recommend changing the "Username" and "Password" fields before deploying. We also recommend setting up a TLS frontend for better security. Palo Alto also notes that HTTP/S forwarding is intended for lower-volume deployments and can lose logs at higher forwarding rates, so syslog via Simple Relay remains the recommended option for primary ingestion.
-Warning: We strongly recommend changing the "Username" and "Password" fields before deploying! We also recommend setting up a TLS frontend (e.g. nginx) for better security, but this is beyond the scope of this playbook.
+#### 0.5 [Data Tags](#0-5-data-tags)
-## Data Tags
+- Palo Alto logs are sorted into tags on Gravwell based on the log family or format, using the mappings defined in the preprocessor configuration above. The tags are:
+ - pan_traffic: [Traffic logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields)
+ - pan_threat: [Threat logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields), including [URL Filtering](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/url-filtering-log-fields), [Data Filtering](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/data-filtering-log-fields), and WildFire Submission / other THREAT-family subtypes
+ - pan_hipmatch: [HIP Match logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields)
+ - pan_globalprotect: [GlobalProtect logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields)
+ - pan_iptag: [IP-Tag logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields)
+ - pan_userid: [User-ID logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields)
+ - pan_decryption: [Decryption logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields)
+ - pan_tunnel: [Tunnel Inspection logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/tunnel-inspection-log-fields)
+ - pan_sctp: [SCTP logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields)
+ - pan_auth: [Authentication logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields)
+ - pan_config: [Config logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields)
+ - pan_system: [System logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields)
+ - pan_correlation: [Correlated Events logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields)
+ - pan_gtp: [GTP logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields)
+ - pan_audit: [Audit logs](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields)
+ - pan_events: Catch-all for unmatched, unknown, or newly introduced PAN log formats that arrive on the dedicated Palo Alto listener or HTTP endpoint
-Palo Alto logs are sorted into tags on Gravwell based on the log type, using mappings defined in the preprocessor configuration above. The tags are:
+- The links in the list above will take you to the official Palo Alto documentation for each log type. These are the best places to find out what any given field *means*. For instance, the traffic log page includes the following definitions:
+ - Source Address (src): Original session source IP address.
+ - Destination Address (dst): Original session destination IP address.
+- The names in parentheses are the names of the fields used in Gravwell; thus to extract the source and destination IP addresses of a session, one would type ax src dst. See the next section for more information on extracting data fields.
+- If your kit defines a PAN_ALL macro, update it to include pan_audit, pan_tunnel, and pan_events in addition to the existing PAN tags.
-* pan_auth: [Authentication logs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields.html)
-* pan_config: [Device configuration logs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields.html)
-* pan_correlation: [Correlated event logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields.html)
-* pan_decryption: [Decryption logs](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields.html)
-* pan_globalprotect: [GlobalProtect VPN logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html)
-* pan_gtp: [GTP logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields.html)
-* pan_hipmatch: [HIP match logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields.html)
-* pan_iptag: [IP-Tag logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields.html)
-* pan_sctp: [SCTP logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields.html)
-* pan_system: [System logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields.html)
-* pan_threat: [Threat logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html)
-* pan_traffic: [Traffic logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html)
-* pan_userid: [User-ID logs](https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields.html)
+#### 0.6 [Working with the Data](#0-6-working-with-the-data)
-The links in the list above will take you to the official Palo Alto documentation for each log type. These are the best places to find out what any given field *means*. For instance, the traffic log page includes the following definitions:
+- One key component of this kit is the pre-configured *auto extractors* which apply structure to the CSV-formatted logs in the system. Each log type contains *many* fields, so we recommend using a particular trick when exploring the extracted fields of a given data type. First, run a query on the tag using the ax module with no arguments, sent to the text renderer:
-
-
-Source Address (src): Original session source IP address.
-Destination Address (dst): Original session destination IP address.
-
-
+ ```gravwell
+ tag=$PAN_TRAFFIC ax
+ | text
+ ```
-The names in parentheses are the names of the fields used in Gravwell; thus to extract the source and destination IP addresses of a session, one would type ax src dst. See the next session for more information on extracting data fields.
+- Then, in the results, click the "Show details" floating button for any one of the results. This will expand the entry to show the extracted enumerated values. This lets you rapidly scroll through the raw results until you find one that looks interesting, then expand it to see which enumerated values are available:
-## Working with the Data
+> ![Palo Alto Enumerated Values: Shows EVs expanded in text results for Palo Alto logs](/api/files/f99bf07b-e093-4631-85d4-687b039ecda2?1773841268896 =1870x710)
-One key component of this kit is the pre-configured *auto extractors* which apply structure to the CSV-formatted logs in the system. Each log type contains *many* fields; for instance, the traffic logs consist of 114 individual fields! A table with 114 columns is difficult to deal with on even the largest monitor, so we recommend using a particular trick when exploring the extracted fields of a given data type. First, run a query on the tag using the ax module with no arguments, sent to the text renderer:
+- In the image above, a single enumerated value pair is highlighted; from this, we might modify the query to filter down to only traffic destined for Switzerland for further examination:
-```
-tag=$PAN_TRAFFIC ax | text
-```
-
-Then, in the results, click the "Show details" floating button for any one of the results. This will expand the entry to show the extracted enumerated values. This lets you rapidly scroll through the raw results until you find one that looks interesting, then expand it to see which enumerated values are available:
+ ```gravwell
+ tag=$PAN_TRAFFIC ax dstloc=="Switzerland"
+ | text
+ ```
-![](/api/files/f99bf07b-e093-4631-85d4-687b039ecda2 =1870x710)
+- Audit and Tunnel Inspection logs use their own tags because their CSV layouts differ from standard System and Traffic logs. Explore those tags directly when validating ingestion:
-In the image above, a single enumerated value pair is highlighted; from this, we might modify the query to filter down to only traffic destined for Switzerland for further examination:
+ ```gravwell
+ tag=pan_config limit 10
+ ```
-```
-tag=$PAN_TRAFFIC ax dstloc=="Switzerland" | text
-```
+***
\ No newline at end of file
diff --git a/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.meta b/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.meta
index fc808495..9a6ab4ec 100644
--- a/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.meta
+++ b/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.meta
@@ -1,20 +1,24 @@
 {
- "UUID": "0768d1ac-85b8-4ab5-ba31-db55ca7e541f",
+ "UUID": "7ce212f3-cae7-46a6-9188-e662082edebb",
  "GUID": "e4aac01c-abda-4b6e-a95c-d42887ad29ed",
- "UID": 2,
- "GIDs": null,
- "Global": false,
- "Name": "Palo Alto Kit",
- "Desc": "High-level overview of the Palo Alto kit from Gravwell",
+ "UID": 1,
+ "GIDs": [],
+ "Global": true,
+ "WriteAccess": {
+ "Global": false,
+ "GIDs": []
+ },
+ "Name": "Palo Alto Kit - Integration Guide",
+ "Desc": "An Integration Guide for onboarding your Palo Alto logs into Gravwell.",
  "Labels": [
  "palo"
  ],
- "LastUpdated": "2022-03-31T16:28:58.693423457Z",
+ "LastUpdated": "2026-03-18T18:41:34.414889805Z",
  "Author": {
- "Name": "The Gravwell Authors",
+ "Name": "Kyle Mallett",
  "Email": "info@gravwell.io",
  "Company": "Gravwell",
- "URL": "https://gravwell.io"
+ "URL": "gravwell.io"
  },
- "Synced": true
+ "Synced": false
 }
\ No newline at end of file
diff --git a/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.playbook_metadata b/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.playbook_metadata
index 3bf8b10a..779c3cc7 100644
--- a/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.playbook_metadata
+++ b/paloalto/playbook/e4aac01c-abda-4b6e-a95c-d42887ad29ed.playbook_metadata
@@ -1 +1 @@
-{"dashboards":[],"attachments":[{"context":"cover","type":"image","fileGUID":"7d17282a-b57b-41d7-aa76-ebae78021abc"},{"context":"banner","type":"image","fileGUID":"3392b289-f7e5-4f0a-802e-075cd62b45a5"}]}
\ No newline at end of file
+{"dashboards":[],"attachments":[{"context":"cover","type":"image","fileGUID":"c69dee69-d682-4d6c-951b-a66924098495"},{"context":"banner","type":"image","fileGUID":"ac8d907f-c540-4237-8327-1ad55c173b6e"}]}
\ No newline at end of file
diff --git a/paloalto/resource/excluded_url_categories.meta b/paloalto/resource/excluded_url_categories.meta
index e0409f69..eb5dcb09 100644
--- a/paloalto/resource/excluded_url_categories.meta
+++ b/paloalto/resource/excluded_url_categories.meta
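Review bot: The Author `URL` in the playbook .meta hunk now reads `"URL": "gravwell.io"`, dropping the scheme the removed line carried; anything that renders the author field as a link will not treat a bare host as an absolute URL, so it should stay `"URL": "https://gravwell.io"`. The same hunk flips `"Global": true` with an empty `GIDs` list while `WriteAccess` stays restricted, which presumably makes the playbook readable by every user of the instance; if that widening is intended it deserves a sentence in the commit message, since the old record was private to one UID. `"Synced": false` alongside a hand-edited `LastUpdated` looks like an exported-then-edited file, so the kit build should be the thing that sets those two fields rather than the committer.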
@@ -1,7 +1,10 @@
 {
- "VersionNumber": 2,
+ "VersionNumber": 1,
  "ResourceName": "excluded_url_categories",
  "Description": "Palo Alto URL categories to be excluded.",
+ "Labels": [
+ "palo"
+ ],
  "Size": 125,
  "Hash": "OIRl5vXUFzq7WsFx5iFs7A==",
  "Data": ""
diff --git a/paloalto/searchlibrary/0102c2d0-b817-413f-affc-92d00b4fd452.meta b/paloalto/searchlibrary/0102c2d0-b817-413f-affc-92d00b4fd452.meta
new file mode 100644
index 00000000..c05ed99a
--- /dev/null
+++ b/paloalto/searchlibrary/0102c2d0-b817-413f-affc-92d00b4fd452.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - Application - Top Applications [chart]",
+ "Description": "Displays a chart of the most frequently observed applications in traffic logs.\n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview",
+ "GUID": "0102c2d0-b817-413f-affc-92d00b4fd452",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/0102c2d0-b817-413f-affc-92d00b4fd452.query b/paloalto/searchlibrary/0102c2d0-b817-413f-affc-92d00b4fd452.query
new file mode 100644
index 00000000..c26e68d8
--- /dev/null
+++ b/paloalto/searchlibrary/0102c2d0-b817-413f-affc-92d00b4fd452.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - Traffic - Application - Top Applications [chart]
+tag=$PAN_TRAFFIC ax app!="incomplete"
+| alias app Application
+| stats count by Application
+| chart count by Application limit 16
\ No newline at end of file
diff --git a/paloalto/searchlibrary/029d59e0-bf7b-4fb0-a783-df0a644ca5b9.meta b/paloalto/searchlibrary/029d59e0-bf7b-4fb0-a783-df0a644ca5b9.meta
new file mode 100644
index 00000000..3a31a59a
--- /dev/null
+++ b/paloalto/searchlibrary/029d59e0-bf7b-4fb0-a783-df0a644ca5b9.meta
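Review bot: `"VersionNumber": 1,` in the excluded_url_categories.meta hunk moves the resource version backwards from 2 while the same hunk changes the record by adding the `Labels` block. If the kit installer compares this number against an already-installed copy to decide whether to replace it, a site that has version 2 deployed would presumably keep the old, unlabelled resource; keep the number monotonic, e.g. `"VersionNumber": 3,`, unless the field is regenerated at build time, in which case a short note in the commit message would save the next reader the same question.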
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - GlobalProtect - Authentication - Failed Logins [table]",
+ "Description": "Displays a table of failed GlobalProtect login attempts by user, region, and source IP.\n\nDependencies\n- Dashboard: Palo Alto GlobalProtect Overview",
+ "GUID": "029d59e0-bf7b-4fb0-a783-df0a644ca5b9",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/029d59e0-bf7b-4fb0-a783-df0a644ca5b9.query b/paloalto/searchlibrary/029d59e0-bf7b-4fb0-a783-df0a644ca5b9.query
new file mode 100644
index 00000000..6be27e73
--- /dev/null
+++ b/paloalto/searchlibrary/029d59e0-bf7b-4fb0-a783-df0a644ca5b9.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - GlobalProtect - Authentication - Failed Logins [table]
+tag=$PAN_GLOBALPROTECT ax stage=="login" status=="failure" srcuser srcregion public_ip public_ipv6
+| alias srcuser User srcregion Region public_ip "IPv4" public_ipv6 IPv6
+| stats count as failures by User Region IPv4 IPv6
+| table User Region IPv4 IPv6 failures
\ No newline at end of file
diff --git a/paloalto/searchlibrary/03e0c1e3-b239-433a-855d-cca56e0867f9.meta b/paloalto/searchlibrary/03e0c1e3-b239-433a-855d-cca56e0867f9.meta
new file mode 100644
index 00000000..6cd98e89
--- /dev/null
+++ b/paloalto/searchlibrary/03e0c1e3-b239-433a-855d-cca56e0867f9.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - Events - Count by Subtype [numbercard]",
+ "Description": "Displays a numbercard of threat event counts by subtype.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "03e0c1e3-b239-433a-855d-cca56e0867f9",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/03e0c1e3-b239-433a-855d-cca56e0867f9.query b/paloalto/searchlibrary/03e0c1e3-b239-433a-855d-cca56e0867f9.query
new file mode 100644
index 00000000..9f186f3d
--- /dev/null
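Review bot: The `Description` of the 03e0c1e3 search ("Displays a numbercard of threat event counts by subtype", dependency "Palo Alto Threat Overview") contradicts its `Name`, which is a Traffic search, and the query in the next hunk reads `tag=$PAN_TRAFFIC`; the text matches the Threat entry 2e2a52c3 later in this diff and looks copied from it. Change the first sentence to `"Description": "Displays a numbercard of traffic event counts by subtype.\n\nDependencies\n- Dashboard: ..."` and confirm which dashboard actually embeds this search before keeping the Threat Overview dependency. The searchlibrary .meta files are also inconsistent about trailing whitespace inside `Description` (2332615f and 3afdb278 carry `type. \n\n`), which a single pass of the generator would normalise.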
+++ b/paloalto/searchlibrary/03e0c1e3-b239-433a-855d-cca56e0867f9.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - Events - Count by Subtype [numbercard]
+tag=$PAN_TRAFFIC ax subtype
+| stats count by subtype
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/165321ca-629d-4560-afbb-2ac6cc3ecc56.meta b/paloalto/searchlibrary/165321ca-629d-4560-afbb-2ac6cc3ecc56.meta
new file mode 100644
index 00000000..047c0c61
--- /dev/null
+++ b/paloalto/searchlibrary/165321ca-629d-4560-afbb-2ac6cc3ecc56.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Event Types - Count by Tag [chart]",
+ "Description": "Displays a chart of event counts by TAG.\n\nDependencies\n- Dashboard: Palo Alto General Overview",
+ "GUID": "165321ca-629d-4560-afbb-2ac6cc3ecc56",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/165321ca-629d-4560-afbb-2ac6cc3ecc56.query b/paloalto/searchlibrary/165321ca-629d-4560-afbb-2ac6cc3ecc56.query
new file mode 100644
index 00000000..fbbc7729
--- /dev/null
+++ b/paloalto/searchlibrary/165321ca-629d-4560-afbb-2ac6cc3ecc56.query
@@ -0,0 +1,4 @@
+tag=$PAN_ALL
+| stats count by TAG
+| alias count " "
+| chart " " by TAG
\ No newline at end of file
diff --git a/paloalto/searchlibrary/17da5912-7283-4c8a-97a1-fb532c072fe8.meta b/paloalto/searchlibrary/17da5912-7283-4c8a-97a1-fb532c072fe8.meta
new file mode 100644
index 00000000..5823c98f
--- /dev/null
+++ b/paloalto/searchlibrary/17da5912-7283-4c8a-97a1-fb532c072fe8.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Config - Events - Count by Results [chart]",
+ "Description": "Displays a chart of configuration event counts by command result.\n\nDependencies\n- Dashboard: Palo Alto Config Overview",
+ "GUID": "17da5912-7283-4c8a-97a1-fb532c072fe8",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
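Review bot: The 165321ca query is the only .query in this change that lacks the `// Search - ...` header comment its siblings start with, so it will not show the same provenance line when opened in the search editor; add `// Search - Palo Alto - NGFW - Event Types - Count by Tag [chart]` as its first line. The query also expands `$PAN_ALL`, and the playbook hunk earlier in this diff tells installers to extend that macro with pan_audit, pan_tunnel and pan_events; until a site does so the per-tag chart silently omits those three tags, which is worth a second comment line in the query. Charting a column aliased to `" "` (a single space) works but is hard to read in the editor; a named column such as `events` with the label hidden in the chart would be clearer.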
diff --git a/paloalto/searchlibrary/17da5912-7283-4c8a-97a1-fb532c072fe8.query b/paloalto/searchlibrary/17da5912-7283-4c8a-97a1-fb532c072fe8.query
new file mode 100644
index 00000000..11e469a2
--- /dev/null
+++ b/paloalto/searchlibrary/17da5912-7283-4c8a-97a1-fb532c072fe8.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Config - Events - Count by Results [chart]
+tag=$PAN_CONFIG ax result
+| stats count by result
+| chart count by result
\ No newline at end of file
diff --git a/paloalto/searchlibrary/1812fddf-4109-4d57-b274-1da9981b426f.meta b/paloalto/searchlibrary/1812fddf-4109-4d57-b274-1da9981b426f.meta
new file mode 100644
index 00000000..87fbe270
--- /dev/null
+++ b/paloalto/searchlibrary/1812fddf-4109-4d57-b274-1da9981b426f.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Count by Scan Source Location [chart]",
+ "Description": "Displays a chart of scan event counts by source location.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "1812fddf-4109-4d57-b274-1da9981b426f",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/1812fddf-4109-4d57-b274-1da9981b426f.query b/paloalto/searchlibrary/1812fddf-4109-4d57-b274-1da9981b426f.query
new file mode 100644
index 00000000..33f0dfb7
--- /dev/null
+++ b/paloalto/searchlibrary/1812fddf-4109-4d57-b274-1da9981b426f.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Count by Scan Source Location [chart]
+tag=$PAN_THREAT ax subtype=="scan" srcloc
+| stats count by srcloc
+| chart count by srcloc
\ No newline at end of file
diff --git a/paloalto/searchlibrary/1ef98531-447b-4dc0-8df2-3ad2e4815902.meta b/paloalto/searchlibrary/1ef98531-447b-4dc0-8df2-3ad2e4815902.meta
new file mode 100644
index 00000000..355b5425
--- /dev/null
+++ b/paloalto/searchlibrary/1ef98531-447b-4dc0-8df2-3ad2e4815902.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Config - Events - Count by Client [chart]",
+ "Description": "Displays a chart of configuration event counts by client used to perform the action.\n\nDependencies\n- Dashboard: Palo Alto Config Overview",
+ "GUID": "1ef98531-447b-4dc0-8df2-3ad2e4815902",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/1ef98531-447b-4dc0-8df2-3ad2e4815902.query b/paloalto/searchlibrary/1ef98531-447b-4dc0-8df2-3ad2e4815902.query
new file mode 100644
index 00000000..c5758aa5
--- /dev/null
+++ b/paloalto/searchlibrary/1ef98531-447b-4dc0-8df2-3ad2e4815902.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Config - Events - Count by Client [chart]
+tag=$PAN_CONFIG ax client
+| stats count by client
+| chart count by client
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2332615f-d68f-4635-98e2-f931ae86713c.meta b/paloalto/searchlibrary/2332615f-d68f-4635-98e2-f931ae86713c.meta
new file mode 100644
index 00000000..6f482c63
--- /dev/null
+++ b/paloalto/searchlibrary/2332615f-d68f-4635-98e2-f931ae86713c.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - SaaS - SaaS Event Count [numbercard]",
+ "Description": "Displays a numbercard of SaaS event counts by type. \n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview",
+ "GUID": "2332615f-d68f-4635-98e2-f931ae86713c",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2332615f-d68f-4635-98e2-f931ae86713c.query b/paloalto/searchlibrary/2332615f-d68f-4635-98e2-f931ae86713c.query
new file mode 100644
index 00000000..0fe2d52a
--- /dev/null
+++ b/paloalto/searchlibrary/2332615f-d68f-4635-98e2-f931ae86713c.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - SaaS Event Count [numbercard]
+tag=$PAN_TRAFFIC ax is_saas_of_app=="yes"
+| stats count
+| numbercard (count "SaaS Events")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2a0213fe-5013-4649-a859-4e1ed8299c99.meta b/paloalto/searchlibrary/2a0213fe-5013-4649-a859-4e1ed8299c99.meta
new file mode 100644
index 00000000..56d33a30
--- /dev/null
+++ b/paloalto/searchlibrary/2a0213fe-5013-4649-a859-4e1ed8299c99.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Sanctioned Category [chart]",
+ "Description": "Displays a chart of the most frequently observed sanctioned SaaS application categories.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+ "GUID": "2a0213fe-5013-4649-a859-4e1ed8299c99",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2a0213fe-5013-4649-a859-4e1ed8299c99.query b/paloalto/searchlibrary/2a0213fe-5013-4649-a859-4e1ed8299c99.query
new file mode 100644
index 00000000..f6118bab
--- /dev/null
+++ b/paloalto/searchlibrary/2a0213fe-5013-4649-a859-4e1ed8299c99.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Count by Sanctioned Category [chart]
+tag=$PAN_TRAFFIC ax sanctioned_state_of_app=="yes" is_saas_of_app=="yes" subcategory_of_app
+| stats count by subcategory_of_app
+| chart count by subcategory_of_app limit 6
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2d5b39c9-8589-442f-b1dd-715ee4c6c677.meta b/paloalto/searchlibrary/2d5b39c9-8589-442f-b1dd-715ee4c6c677.meta
new file mode 100644
index 00000000..f0e4fa2d
--- /dev/null
+++ b/paloalto/searchlibrary/2d5b39c9-8589-442f-b1dd-715ee4c6c677.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Scans Detected [table]",
+ "Description": "Displays a table of detected scan events grouped by source and threat ID.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "2d5b39c9-8589-442f-b1dd-715ee4c6c677",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2d5b39c9-8589-442f-b1dd-715ee4c6c677.query b/paloalto/searchlibrary/2d5b39c9-8589-442f-b1dd-715ee4c6c677.query
new file mode 100644
index 00000000..753536a3
--- /dev/null
+++ b/paloalto/searchlibrary/2d5b39c9-8589-442f-b1dd-715ee4c6c677.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - Threat - Events - Scans Detected [table]
+tag=$PAN_THREAT ax subtype=="scan" src threatid
+| stats count by src threatid
+| alias src Source threatid "Threat ID"
+| table Source "Threat ID" count
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2e2a52c3-01c9-411e-9254-e205ac7b13fa.meta b/paloalto/searchlibrary/2e2a52c3-01c9-411e-9254-e205ac7b13fa.meta
new file mode 100644
index 00000000..26069821
--- /dev/null
+++ b/paloalto/searchlibrary/2e2a52c3-01c9-411e-9254-e205ac7b13fa.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Count by Subtype [numbercard]",
+ "Description": "Displays a numbercard of threat event counts by subtype.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "2e2a52c3-01c9-411e-9254-e205ac7b13fa",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/2e2a52c3-01c9-411e-9254-e205ac7b13fa.query b/paloalto/searchlibrary/2e2a52c3-01c9-411e-9254-e205ac7b13fa.query
new file mode 100644
index 00000000..5a8e726a
--- /dev/null
+++ b/paloalto/searchlibrary/2e2a52c3-01c9-411e-9254-e205ac7b13fa.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Count by Subtype [numbercard]
+tag=$PAN_THREAT ax subtype
+| stats count by subtype
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/308a0350-9e34-4e97-91e2-16d27ff0a350.meta b/paloalto/searchlibrary/308a0350-9e34-4e97-91e2-16d27ff0a350.meta
new file mode 100644
index 00000000..3d68a3a4
--- /dev/null
+++ b/paloalto/searchlibrary/308a0350-9e34-4e97-91e2-16d27ff0a350.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Unsanctioned Applications [table]",
+ "Description": "Displays a table of unsanctioned SaaS applications with session counts and total traffic volume.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+ "GUID": "308a0350-9e34-4e97-91e2-16d27ff0a350",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/308a0350-9e34-4e97-91e2-16d27ff0a350.query b/paloalto/searchlibrary/308a0350-9e34-4e97-91e2-16d27ff0a350.query
new file mode 100644
index 00000000..86b6ed0a
--- /dev/null
+++ b/paloalto/searchlibrary/308a0350-9e34-4e97-91e2-16d27ff0a350.query
@@ -0,0 +1,7 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Unsanctioned Applications [table]
+tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app=="yes" sanctioned_state_of_app=="no"
+| alias app App category_of_app Category subcategory_of_app Subcategory
+| stats sum(bytes) count as Sessions by App Category Subcategory
+| eval Volume = sum;
+| sort by sum desc
+| table App Category Subcategory Sessions Volume
\ No newline at end of file
diff --git a/paloalto/searchlibrary/3233c046-6e37-4318-8b78-b5a4cb25f12a.meta b/paloalto/searchlibrary/3233c046-6e37-4318-8b78-b5a4cb25f12a.meta
new file mode 100644
index 00000000..e98ea4fe
--- /dev/null
+++ b/paloalto/searchlibrary/3233c046-6e37-4318-8b78-b5a4cb25f12a.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Application Percentages [chart]",
+ "Description": "Displays a chart of SaaS traffic counts comparing sanctioned and non-sanctioned applications.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+ "GUID": "3233c046-6e37-4318-8b78-b5a4cb25f12a",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/3233c046-6e37-4318-8b78-b5a4cb25f12a.query b/paloalto/searchlibrary/3233c046-6e37-4318-8b78-b5a4cb25f12a.query
new file mode 100644
index 00000000..dbdd0268
--- /dev/null
+++ b/paloalto/searchlibrary/3233c046-6e37-4318-8b78-b5a4cb25f12a.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Application Percentages [chart]
+tag=$PAN_TRAFFIC ax sanctioned_state_of_app
+| eval if (sanctioned_state_of_app == "yes") { state = "Sanctioned"; } else { state = "Non-sanctioned"; }
+| stats count by state
+| chart count by state
\ No newline at end of file
diff --git a/paloalto/searchlibrary/32e6de72-2601-41be-b6ed-dc4acb4e834e.meta b/paloalto/searchlibrary/32e6de72-2601-41be-b6ed-dc4acb4e834e.meta
new file mode 100644
index 00000000..daf5f096
--- /dev/null
+++ b/paloalto/searchlibrary/32e6de72-2601-41be-b6ed-dc4acb4e834e.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Config - Events - Count by Command [chart]",
+ "Description": "Displays a chart of configuration event counts by command executed.\n\nDependencies\n- Dashboard: Palo Alto Config Overview",
+ "GUID": "32e6de72-2601-41be-b6ed-dc4acb4e834e",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/32e6de72-2601-41be-b6ed-dc4acb4e834e.query b/paloalto/searchlibrary/32e6de72-2601-41be-b6ed-dc4acb4e834e.query
new file mode 100644
index 00000000..fc8a20a3
--- /dev/null
+++ b/paloalto/searchlibrary/32e6de72-2601-41be-b6ed-dc4acb4e834e.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Config - Events - Count by Command [chart]
+tag=$PAN_CONFIG ax cmd
+| stats count by cmd
+| chart count by cmd
\ No newline at end of file
diff --git a/paloalto/searchlibrary/38108c90-9965-4eaa-8c00-13baef49fcb5.meta b/paloalto/searchlibrary/38108c90-9965-4eaa-8c00-13baef49fcb5.meta
new file mode 100644
index 00000000..c43b39e3
--- /dev/null
+++ b/paloalto/searchlibrary/38108c90-9965-4eaa-8c00-13baef49fcb5.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - WildFire - Count by Application [chart]",
+ "Description": "Displays a chart of WildFire submission counts by application.\n\nDependencies\n- Dashboard: Palo Alto Wildfire Overview",
+ "GUID": "38108c90-9965-4eaa-8c00-13baef49fcb5",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/38108c90-9965-4eaa-8c00-13baef49fcb5.query b/paloalto/searchlibrary/38108c90-9965-4eaa-8c00-13baef49fcb5.query
new file mode 100644
index 00000000..1b8fdc27
--- /dev/null
+++ b/paloalto/searchlibrary/38108c90-9965-4eaa-8c00-13baef49fcb5.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - WildFire - Count by Application [chart]
+tag=$PAN_THREAT ax subtype=="wildfire" app
+| stats count by app
+| chart count by app
\ No newline at end of file
diff --git a/paloalto/searchlibrary/3afdb278-a9cb-4d28-afa9-1e06707ddb46.meta b/paloalto/searchlibrary/3afdb278-a9cb-4d28-afa9-1e06707ddb46.meta
new file mode 100644
index 00000000..d2176a4e
--- /dev/null
+++ b/paloalto/searchlibrary/3afdb278-a9cb-4d28-afa9-1e06707ddb46.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - URL - Top Web Categories [chart]",
+ "Description": "Displays a numbercard of SaaS event counts by type. \n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview",
+ "GUID": "3afdb278-a9cb-4d28-afa9-1e06707ddb46",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/3afdb278-a9cb-4d28-afa9-1e06707ddb46.query b/paloalto/searchlibrary/3afdb278-a9cb-4d28-afa9-1e06707ddb46.query
new file mode 100644
index 00000000..68174693
--- /dev/null
+++ b/paloalto/searchlibrary/3afdb278-a9cb-4d28-afa9-1e06707ddb46.query
@@ -0,0 +1,7 @@
+// Search - Palo Alto - NGFW - Threat - URL - Top Web Categories [chart]
+tag=$PAN_THREAT ax url_category_list
+| split -clean -d "," url_category_list
+| alias url_category_list url_category
+| lookup -v -s -r excluded_url_categories url_category category reason
+| stats count by url_category
+| chart count by url_category limit 16
\ No newline at end of file
diff --git a/paloalto/searchlibrary/3fd985ab-3814-433a-920c-42586088ca44.meta b/paloalto/searchlibrary/3fd985ab-3814-433a-920c-42586088ca44.meta
new file mode 100644
index 00000000..8bfc1e7d
--- /dev/null
+++ b/paloalto/searchlibrary/3fd985ab-3814-433a-920c-42586088ca44.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Threat Source Locations [heatmap]",
+ "Description": "Displays a heatmap of threat event source IP locations.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "3fd985ab-3814-433a-920c-42586088ca44",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/3fd985ab-3814-433a-920c-42586088ca44.query b/paloalto/searchlibrary/3fd985ab-3814-433a-920c-42586088ca44.query
new file mode 100644
index 00000000..41413115
--- /dev/null
+++ b/paloalto/searchlibrary/3fd985ab-3814-433a-920c-42586088ca44.query
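Review bot: The `Description` in the 3afdb278 meta does not describe this search: it says "Displays a numbercard of SaaS event counts by type." while the Name is "Top Web Categories [chart]" and the accompanying query charts URL threat event counts by `url_category`. It also omits a dependency the query has: the `lookup -v -s -r excluded_url_categories url_category category reason` stage needs a lookup resource named `excluded_url_categories`, which the Dependencies list never mentions, so an import into a deployment without that resource would break the panel. Suggested text: `"Description": "Displays a chart of the most frequently observed URL categories in URL threat events, filtered through the excluded_url_categories lookup.\n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview\n- Resource: excluded_url_categories"`. The exact effect of the `-v` flag on the lookup is not visible here, so word the filtering clause to match its real behaviour.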
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Threat Source Locations [heatmap]
+tag=$PAN_THREAT ax subtype!=url src
+| geoip src.Location
+| heatmap
\ No newline at end of file
diff --git a/paloalto/searchlibrary/45a0354b-4971-4917-a273-a16dd78b5ee3.meta b/paloalto/searchlibrary/45a0354b-4971-4917-a273-a16dd78b5ee3.meta
new file mode 100644
index 00000000..380aa780
--- /dev/null
+++ b/paloalto/searchlibrary/45a0354b-4971-4917-a273-a16dd78b5ee3.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - GlobalProtect - Session - GlobalProtect Users [table]",
+ "Description": "Displays a table of GlobalProtect users with associated client system and operating system information.\n\nDependencies\n- Dashboard: Palo Alto GlobalProtect Overview",
+ "GUID": "45a0354b-4971-4917-a273-a16dd78b5ee3",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/45a0354b-4971-4917-a273-a16dd78b5ee3.query b/paloalto/searchlibrary/45a0354b-4971-4917-a273-a16dd78b5ee3.query
new file mode 100644
index 00000000..125b5359
--- /dev/null
+++ b/paloalto/searchlibrary/45a0354b-4971-4917-a273-a16dd78b5ee3.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - GlobalProtect - Session - GlobalProtect Users [table]
+tag=$PAN_GLOBALPROTECT ax stage=="connected" srcuser machinename client_os_ver
+| stats count by srcuser machinename client_os_ver
+| alias srcuser User machinename "Client System" client_os_ver "Client OS"
+| table User "Client System" "Client OS" count
\ No newline at end of file
diff --git a/paloalto/searchlibrary/47076a81-7c11-474f-86a1-4d1c3d53a8d8.meta b/paloalto/searchlibrary/47076a81-7c11-474f-86a1-4d1c3d53a8d8.meta
new file mode 100644
index 00000000..f35ca9ce
--- /dev/null
+++ b/paloalto/searchlibrary/47076a81-7c11-474f-86a1-4d1c3d53a8d8.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Application Distribution [table]",
+ "Description": "Displays a table of SaaS applications with session counts and total traffic volume by category and subcategory.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+ "GUID": "47076a81-7c11-474f-86a1-4d1c3d53a8d8",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/47076a81-7c11-474f-86a1-4d1c3d53a8d8.query b/paloalto/searchlibrary/47076a81-7c11-474f-86a1-4d1c3d53a8d8.query
new file mode 100644
index 00000000..96d870e6
--- /dev/null
+++ b/paloalto/searchlibrary/47076a81-7c11-474f-86a1-4d1c3d53a8d8.query
@@ -0,0 +1,7 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Application Distribution [table]
+tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app=="yes"
+| alias app App category_of_app Category subcategory_of_app Subcategory
+| stats sum(bytes) count as Sessions by App Category Subcategory
+| eval Volume = sum;
+| sort by sum desc
+| table App Category Subcategory Sessions "Volume"
\ No newline at end of file
diff --git a/paloalto/searchlibrary/4890dfae-9bc6-4428-8f02-c32b98a7ddab.meta b/paloalto/searchlibrary/4890dfae-9bc6-4428-8f02-c32b98a7ddab.meta
new file mode 100644
index 00000000..538e5bb6
--- /dev/null
+++ b/paloalto/searchlibrary/4890dfae-9bc6-4428-8f02-c32b98a7ddab.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Scan Source Locations [heatmap]",
+ "Description": "Displays a heatmap of scan event source IP locations.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "4890dfae-9bc6-4428-8f02-c32b98a7ddab",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
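Review bot: In the 47076a81 query, `Sessions` is a count of traffic log records rather than sessions, because the filter line `tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app=="yes"` does not restrict to `subtype=="end"` the way the SaaS Total Bytes (`9b25ad03`) and Rare Applications (`ed30530c`) searches in this commit do; if session-start logging is enabled on the firewall, each session contributes two records and the byte sum may include the start record as well. Suggest adding `subtype=="end"` to that filter line so the SaaS panels agree with one another. Separately, `Volume` is the raw byte sum with no unit in the column name, unlike the Total Traffic Volume chart which converts to megabytes; consider naming the column `Bytes` or converting in the `eval`.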
diff --git a/paloalto/searchlibrary/4890dfae-9bc6-4428-8f02-c32b98a7ddab.query b/paloalto/searchlibrary/4890dfae-9bc6-4428-8f02-c32b98a7ddab.query
new file mode 100644
index 00000000..426c2771
--- /dev/null
+++ b/paloalto/searchlibrary/4890dfae-9bc6-4428-8f02-c32b98a7ddab.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Scan Source Locations [heatmap]
+tag=$PAN_THREAT ax subtype==scan src
+| geoip src.Location
+| heatmap
\ No newline at end of file
diff --git a/paloalto/searchlibrary/4898082c-5181-43a9-86f9-00b86bead404.meta b/paloalto/searchlibrary/4898082c-5181-43a9-86f9-00b86bead404.meta
new file mode 100644
index 00000000..9e163d44
--- /dev/null
+++ b/paloalto/searchlibrary/4898082c-5181-43a9-86f9-00b86bead404.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - GlobalProtect - Events - Count by Subtype [numbercard]",
+ "Description": "Displays a numbercard of GlobalProtect event counts by subtype.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "4898082c-5181-43a9-86f9-00b86bead404",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/4898082c-5181-43a9-86f9-00b86bead404.query b/paloalto/searchlibrary/4898082c-5181-43a9-86f9-00b86bead404.query
new file mode 100644
index 00000000..a152b133
--- /dev/null
+++ b/paloalto/searchlibrary/4898082c-5181-43a9-86f9-00b86bead404.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - GlobalProtect - Count by Subtype [numbercard]
+tag=$PAN_GLOBALPROTECT ax subtype
+| stats count by subtype
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/52cd3303-4013-47e5-bc75-fa8f999222aa.meta b/paloalto/searchlibrary/52cd3303-4013-47e5-bc75-fa8f999222aa.meta
new file mode 100644
index 00000000..a7dcc0aa
--- /dev/null
+++ b/paloalto/searchlibrary/52cd3303-4013-47e5-bc75-fa8f999222aa.meta
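Review bot: The Dependencies line `- Dashboard: Palo Alto Threat Overview` in the 4898082c meta looks like a copy-paste leftover: this is a GlobalProtect search (`tag=$PAN_GLOBALPROTECT`), and the other GlobalProtect searches in this commit (`45a0354b`, `847bc392`) list `Palo Alto GlobalProtect Overview`. Confirm which dashboard actually embeds this numbercard and make the line match. The header comment of the accompanying query also reads `// Search - Palo Alto - NGFW - Threat - GlobalProtect - Count by Subtype [numbercard]` while the Name here is `GlobalProtect - Events - Count by Subtype`; every other pair in the commit keeps the two identical, so align one with the other.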
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Config - Events - Latest Events [table]",
+ "Description": "Displays a chart of configuration event counts by administrator.\n\nDependencies\n- Dashboard: Palo Alto Config Overview",
+ "GUID": "52cd3303-4013-47e5-bc75-fa8f999222aa",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/52cd3303-4013-47e5-bc75-fa8f999222aa.query b/paloalto/searchlibrary/52cd3303-4013-47e5-bc75-fa8f999222aa.query
new file mode 100644
index 00000000..5dd90e4c
--- /dev/null
+++ b/paloalto/searchlibrary/52cd3303-4013-47e5-bc75-fa8f999222aa.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Config - Events - Latest Events [table]
+tag=$PAN_CONFIG ax admin serial host client cmd result
+| alias admin User serial Serial host Host client Client cmd Command result Result
+| table User Serial Host Client Command Result
\ No newline at end of file
diff --git a/paloalto/searchlibrary/5a11f630-f7f2-4c98-9500-688928974ac3.meta b/paloalto/searchlibrary/5a11f630-f7f2-4c98-9500-688928974ac3.meta
new file mode 100644
index 00000000..3aca3297
--- /dev/null
+++ b/paloalto/searchlibrary/5a11f630-f7f2-4c98-9500-688928974ac3.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Most Frequent Threat IDs [table]",
+ "Description": "Displays a table of the most frequently observed threat IDs in threat events.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "5a11f630-f7f2-4c98-9500-688928974ac3",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/5a11f630-f7f2-4c98-9500-688928974ac3.query b/paloalto/searchlibrary/5a11f630-f7f2-4c98-9500-688928974ac3.query
new file mode 100644
index 00000000..259abeeb
--- /dev/null
+++ b/paloalto/searchlibrary/5a11f630-f7f2-4c98-9500-688928974ac3.query
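Review bot: The `Description` in the 52cd3303 meta is copied from the administrator chart and does not describe this search: it says "Displays a chart of configuration event counts by administrator." while the Name is "Latest Events [table]" and the accompanying query renders a table of admin, serial, host, client, command and result for each configuration event. Suggested text: `"Description": "Displays a table of recent configuration events with the administrator, device serial, host, client, command and result.\n\nDependencies\n- Dashboard: Palo Alto Config Overview"`. Note that the query has no `sort` or `limit` stage, so whether the table is really restricted to the latest events depends on the renderer's defaults; if it is not, add a `| limit N` to the query or drop "Latest" from the Name.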
@@ -0,0 +1,6 @@
+// Search - Palo Alto - NGFW - Threat - Events - Most Frequent Threat IDs [table]
+tag=$PAN_THREAT ax subtype threatid
+| stats count by threatid
+| awk -e threatid "{gsub(/\(9999\)/, 'URL Filtering(9999)'); print}"
+| alias threatid "Threat ID"
+| table "Threat ID" count
\ No newline at end of file
diff --git a/paloalto/searchlibrary/61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4.meta b/paloalto/searchlibrary/61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4.meta
new file mode 100644
index 00000000..da3f453d
--- /dev/null
+++ b/paloalto/searchlibrary/61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]",
+ "Description": "Displays a numbercard of WildFire verdict counts by category.\n\nDependencies\n- Dashboard: Palo Alto Wildfire Overview",
+ "GUID": "61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4.query b/paloalto/searchlibrary/61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4.query
new file mode 100644
index 00000000..63893f2c
--- /dev/null
+++ b/paloalto/searchlibrary/61fde793-b8b0-47ab-8c6b-7a4fa7a90dd4.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [numbercard]
+tag=$PAN_THREAT ax subtype=="wildfire" category
+| stats count by category
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/73263790-9a8a-43e1-b231-be2b784de192.meta b/paloalto/searchlibrary/73263790-9a8a-43e1-b231-be2b784de192.meta
new file mode 100644
index 00000000..519b7f71
--- /dev/null
+++ b/paloalto/searchlibrary/73263790-9a8a-43e1-b231-be2b784de192.meta
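Review bot: The "Most Frequent" in the name is not enforced by the 5a11f630 query: `| stats count by threatid` is followed directly by the `awk` rewrite and the `table`, with no `sort by count desc` and no `limit`, whereas the Rare Applications search in this commit sorts and limits explicitly. Suggest inserting `| sort by count desc` and `| limit 10` after the stats stage so the table really shows the top entries. The `gsub(/\(9999\)/, 'URL Filtering(9999)')` call also replaces every `(9999)` occurrence, so a threatid that already carries a name in front of the id would come out as `<name>URL Filtering(9999)`; if the field is only ever the bare `(9999)` this is harmless, otherwise anchor the pattern with `^`.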
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Config - Events - Count by Command [numbercard]",
+ "Description": "Displays a numbercard of configuration event counts by command executed.\n\nDependencies\n- Dashboard: Palo Alto Config Overview",
+ "GUID": "73263790-9a8a-43e1-b231-be2b784de192",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/73263790-9a8a-43e1-b231-be2b784de192.query b/paloalto/searchlibrary/73263790-9a8a-43e1-b231-be2b784de192.query
new file mode 100644
index 00000000..6e575131
--- /dev/null
+++ b/paloalto/searchlibrary/73263790-9a8a-43e1-b231-be2b784de192.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Config - Events - Count by Command [numbercard]
+tag=$PAN_CONFIG ax cmd
+| stats count by cmd
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/741a45c8-9248-4922-97c2-a6b9b525e6d4.meta b/paloalto/searchlibrary/741a45c8-9248-4922-97c2-a6b9b525e6d4.meta
new file mode 100644
index 00000000..f96c4ef4
--- /dev/null
+++ b/paloalto/searchlibrary/741a45c8-9248-4922-97c2-a6b9b525e6d4.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - Bytes - Total Traffic Volume [chart]",
+ "Description": "Displays a chart of total traffic volume in megabytes based on summed byte counts from traffic logs.\n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview",
+ "GUID": "741a45c8-9248-4922-97c2-a6b9b525e6d4",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/741a45c8-9248-4922-97c2-a6b9b525e6d4.query b/paloalto/searchlibrary/741a45c8-9248-4922-97c2-a6b9b525e6d4.query
new file mode 100644
index 00000000..20695197
--- /dev/null
+++ b/paloalto/searchlibrary/741a45c8-9248-4922-97c2-a6b9b525e6d4.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - Traffic - Bytes - Total Traffic Volume [chart]
+tag=$PAN_TRAFFIC ax bytes
+| stats sum(bytes)
+| eval (Megabytes = sum / (1024 * 1024))
+| chart Megabytes
\ No newline at end of file
diff --git a/paloalto/searchlibrary/80ade539-a898-480c-b9da-c284f3da09dc.meta b/paloalto/searchlibrary/80ade539-a898-480c-b9da-c284f3da09dc.meta
new file mode 100644
index 00000000..da727efa
--- /dev/null
+++ b/paloalto/searchlibrary/80ade539-a898-480c-b9da-c284f3da09dc.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Count by Threat Source Location [chart]",
+ "Description": "Displays a chart of threat event counts by source location.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "80ade539-a898-480c-b9da-c284f3da09dc",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/80ade539-a898-480c-b9da-c284f3da09dc.query b/paloalto/searchlibrary/80ade539-a898-480c-b9da-c284f3da09dc.query
new file mode 100644
index 00000000..2e9ff927
--- /dev/null
+++ b/paloalto/searchlibrary/80ade539-a898-480c-b9da-c284f3da09dc.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Count by Threat Source Location [chart]
+tag=$PAN_THREAT ax subtype srcloc
+| stats count by srcloc
+| chart count by srcloc
\ No newline at end of file
diff --git a/paloalto/searchlibrary/80c5d3bb-81fb-475a-b922-f5387e023102.meta b/paloalto/searchlibrary/80c5d3bb-81fb-475a-b922-f5387e023102.meta
new file mode 100644
index 00000000..25455567
--- /dev/null
+++ b/paloalto/searchlibrary/80c5d3bb-81fb-475a-b922-f5387e023102.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Event Types - Count by Tag [numbercard]",
+ "Description": "Displays a numbercard of event counts by TAG.\n\nDependencies\n- Dashboard: Palo Alto General Overview",
+ "GUID": "80c5d3bb-81fb-475a-b922-f5387e023102",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/80c5d3bb-81fb-475a-b922-f5387e023102.query b/paloalto/searchlibrary/80c5d3bb-81fb-475a-b922-f5387e023102.query
new file mode 100644
index 00000000..72fdf664
--- /dev/null
+++ b/paloalto/searchlibrary/80c5d3bb-81fb-475a-b922-f5387e023102.query
@@ -0,0 +1,4 @@
+tag=$PAN_ALL
+| stats count by TAG
+| alias count " "
+| numbercard " "
\ No newline at end of file
diff --git a/paloalto/searchlibrary/847bc392-e6f0-4aa3-ba1f-db7b9608c672.meta b/paloalto/searchlibrary/847bc392-e6f0-4aa3-ba1f-db7b9608c672.meta
new file mode 100644
index 00000000..4c40698b
--- /dev/null
+++ b/paloalto/searchlibrary/847bc392-e6f0-4aa3-ba1f-db7b9608c672.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [numbercard]",
+ "Description": "Displays a numbercard of GlobalProtect login attempt counts by status.\n\nDependencies\n- Dashboard: Palo Alto GlobalProtect Overview",
+ "GUID": "847bc392-e6f0-4aa3-ba1f-db7b9608c672",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/847bc392-e6f0-4aa3-ba1f-db7b9608c672.query b/paloalto/searchlibrary/847bc392-e6f0-4aa3-ba1f-db7b9608c672.query
new file mode 100644
index 00000000..1669f945
--- /dev/null
+++ b/paloalto/searchlibrary/847bc392-e6f0-4aa3-ba1f-db7b9608c672.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [numbercard]
+tag=$PAN_GLOBALPROTECT ax stage=="login" status
+| stats count by status
+| numbercard (count "")
\ No newline at end of file
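Review bot: The 80c5d3bb query is the only one in this commit that lacks the `// Search - ...` header comment every other `.query` file opens with, so the file is not self-identifying once it is separated from its `.meta`; add `// Search - Palo Alto - NGFW - Event Types - Count by Tag [numbercard]` as the first line. The `| alias count " "` followed by `| numbercard " "` renders the per-tag count under a blank label, which reads like a mistake to anyone maintaining it; a one-line comment such as `// blank label: the tag name is the only caption wanted on the card` would make the intent explicit.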
diff --git a/paloalto/searchlibrary/8b60b817-ad70-4c99-95ec-c82c43e61d64.meta b/paloalto/searchlibrary/8b60b817-ad70-4c99-95ec-c82c43e61d64.meta
new file mode 100644
index 00000000..592b505a
--- /dev/null
+++ b/paloalto/searchlibrary/8b60b817-ad70-4c99-95ec-c82c43e61d64.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]",
+ "Description": "Displays a chart of configuration event counts by administrator.\n\nDependencies\n- Dashboard: Palo Alto Config Overview",
+ "GUID": "8b60b817-ad70-4c99-95ec-c82c43e61d64",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/8b60b817-ad70-4c99-95ec-c82c43e61d64.query b/paloalto/searchlibrary/8b60b817-ad70-4c99-95ec-c82c43e61d64.query
new file mode 100644
index 00000000..8294e24a
--- /dev/null
+++ b/paloalto/searchlibrary/8b60b817-ad70-4c99-95ec-c82c43e61d64.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Config - Administrator - Configuration Administrators [chart]
+tag=$PAN_CONFIG ax admin
+| stats count by admin
+| chart count by admin
\ No newline at end of file
diff --git a/paloalto/searchlibrary/8fbf3919-9199-41a0-b72e-07a4aed91ab7.meta b/paloalto/searchlibrary/8fbf3919-9199-41a0-b72e-07a4aed91ab7.meta
new file mode 100644
index 00000000..92eef317
--- /dev/null
+++ b/paloalto/searchlibrary/8fbf3919-9199-41a0-b72e-07a4aed91ab7.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - Events - Count by Threat Destination Location [chart]",
+ "Description": "Displays a chart of threat event counts by destination location.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+ "GUID": "8fbf3919-9199-41a0-b72e-07a4aed91ab7",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
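Review bot: The header comment of the 8b60b817 query reads `// Search - Palo Alto - NGFW - Config - Administrator - Configuration Administrators [chart]` but the `.meta` Name for the same GUID is `Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]`; every other query/meta pair in this commit keeps the two strings identical, so change the comment to `// Search - Palo Alto - NGFW - Config - Events - Count by Administrators [chart]`.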
diff --git a/paloalto/searchlibrary/8fbf3919-9199-41a0-b72e-07a4aed91ab7.query b/paloalto/searchlibrary/8fbf3919-9199-41a0-b72e-07a4aed91ab7.query
new file mode 100644
index 00000000..aef46189
--- /dev/null
+++ b/paloalto/searchlibrary/8fbf3919-9199-41a0-b72e-07a4aed91ab7.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Count by Threat Destination Location [chart]
+tag=$PAN_THREAT ax subtype dstloc
+| stats count by dstloc
+| chart count by dstloc
\ No newline at end of file
diff --git a/paloalto/searchlibrary/9a538ea3-3656-4d12-a252-9b4c88487299.meta b/paloalto/searchlibrary/9a538ea3-3656-4d12-a252-9b4c88487299.meta
new file mode 100644
index 00000000..1782b0fc
--- /dev/null
+++ b/paloalto/searchlibrary/9a538ea3-3656-4d12-a252-9b4c88487299.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat/Traffic - Event Type - Count by Type [numbercard]",
+ "Description": "Displays a numbercard of event counts by type. \n\nDependencies:\nDashboard: Palo Alto User Behavior Overview",
+ "GUID": "9a538ea3-3656-4d12-a252-9b4c88487299",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/9a538ea3-3656-4d12-a252-9b4c88487299.query b/paloalto/searchlibrary/9a538ea3-3656-4d12-a252-9b4c88487299.query
new file mode 100644
index 00000000..c59039c0
--- /dev/null
+++ b/paloalto/searchlibrary/9a538ea3-3656-4d12-a252-9b4c88487299.query
@@ -0,0 +1,16 @@
+// Search - Palo Alto - NGFW - Threat/Traffic - Event Type - Count by Type [numbercard]
+tag=$PAN_THREAT_TRAFFIC ax subtype
+| tag=$PAN_TRAFFIC eval if (subtype == "end") {
+ $(type) = "Traffic Events";
+}
+| tag=$PAN_THREAT eval if (subtype == "url") {
+ $(type) = "URL Events";
+} else if (subtype == "data") {
+ $(type) = "Data Events";
+} else if (subtype == "file") {
+ $(type) = "File Events";
+} else if (subtype == "vulnerability") {
+ $(type) = "Vulnerability Events";
+}
+| stats count by type
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/9b25ad03-4189-445f-b27c-48ec3af4b0e7.meta b/paloalto/searchlibrary/9b25ad03-4189-445f-b27c-48ec3af4b0e7.meta
new file mode 100644
index 00000000..043dc6cf
--- /dev/null
+++ b/paloalto/searchlibrary/9b25ad03-4189-445f-b27c-48ec3af4b0e7.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Total Bytes Transferred [numbercard]",
+ "Description": "Displays a numbercard of total bytes transferred for SaaS traffic sessions.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+ "GUID": "9b25ad03-4189-445f-b27c-48ec3af4b0e7",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/9b25ad03-4189-445f-b27c-48ec3af4b0e7.query b/paloalto/searchlibrary/9b25ad03-4189-445f-b27c-48ec3af4b0e7.query
new file mode 100644
index 00000000..4519415e
--- /dev/null
+++ b/paloalto/searchlibrary/9b25ad03-4189-445f-b27c-48ec3af4b0e7.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Total Bytes Transferred [numbercard]
+tag=$PAN_TRAFFIC ax subtype=="end" is_saas_of_app=="yes" bytes
+| stats sum(bytes)
+| numbercard (sum "SaaS bytes transferred")
\ No newline at end of file
diff --git a/paloalto/searchlibrary/9ed28079-5408-43b7-8d44-c1b9c9dfbfed.meta b/paloalto/searchlibrary/9ed28079-5408-43b7-8d44-c1b9c9dfbfed.meta
new file mode 100644
index 00000000..7f93e988
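Review bot: Threat records whose subtype is not url, data, file or vulnerability never receive a `type` in the 9a538ea3 query and so silently drop out of `| stats count by type`; this same commit filters on `subtype=="wildfire"` and `subtype==scan`, so at least those subtypes exist in the data and are missing from a card named "Count by Type", and traffic records with any subtype other than `end` are dropped the same way. Close the `$PAN_THREAT` chain with a catch-all branch, e.g. `} else { $(type) = "Other Threat Events"; }` in place of the final `}`, or state in the meta Description that only those four threat subtypes are counted. If the omission is deliberate (for example because WildFire has its own dashboard), a one-line comment above the `eval` saying so would stop the next reader from "fixing" it.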
--- /dev/null
+++ b/paloalto/searchlibrary/9ed28079-5408-43b7-8d44-c1b9c9dfbfed.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - Threat - WildFire - Recent Wildfire Submissions [table]",
+ "Description": "Displays a table of recent non-benign WildFire file submissions including source, destination, and file details.\n\nDependencies\n- Dashboard: Palo Alto Wildfire Overview",
+ "GUID": "9ed28079-5408-43b7-8d44-c1b9c9dfbfed",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/9ed28079-5408-43b7-8d44-c1b9c9dfbfed.query b/paloalto/searchlibrary/9ed28079-5408-43b7-8d44-c1b9c9dfbfed.query
new file mode 100644
index 00000000..29ad581c
--- /dev/null
+++ b/paloalto/searchlibrary/9ed28079-5408-43b7-8d44-c1b9c9dfbfed.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - WildFire - Recent Wildfire Submissions [table]
+tag=$PAN_THREAT ax subtype=="wildfire" category!="benign"
+| alias misc filename
+| table category rule app src dst filename filetype filedigest
\ No newline at end of file
diff --git a/paloalto/searchlibrary/a787167f-da7d-4c92-b2fd-09698f21e49b.meta b/paloalto/searchlibrary/a787167f-da7d-4c92-b2fd-09698f21e49b.meta
new file mode 100644
index 00000000..15077c37
--- /dev/null
+++ b/paloalto/searchlibrary/a787167f-da7d-4c92-b2fd-09698f21e49b.meta
@@ -0,0 +1,11 @@
+{
+ "Name": "Search - Palo Alto - NGFW - GlobalProtect - Diagnostics - Average Latency [chart]",
+ "Description": "Displays a chart of average pre-tunnel and post-tunnel latency for GlobalProtect gateway connections.\n\nDependencies\n- Dashboard: Palo Alto GlobalProtect Overview",
+ "GUID": "a787167f-da7d-4c92-b2fd-09698f21e49b",
+ "Labels": [
+ "palo"
+ ],
+ "Metadata": {
+ "timeframe": null
+ }
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/a787167f-da7d-4c92-b2fd-09698f21e49b.query b/paloalto/searchlibrary/a787167f-da7d-4c92-b2fd-09698f21e49b.query
new file mode 100644
index 00000000..266a6c9b
--- /dev/null
+++ b/paloalto/searchlibrary/a787167f-da7d-4c92-b2fd-09698f21e49b.query
@@ -0,0 +1,10 @@
+// Search - Palo Alto - NGFW - GlobalProtect - Diagnostics - Average Latency [chart]
+tag=$PAN_GLOBALPROTECT ax eventid=="gateway-tunnel-latency" description
+| regex -e description "Pre-tunnel latency: (?P
[^,]+), Post-tunnel latency: (?P[^,]+)"
+/* We use toDuration to go from a string to a Duration */
+| eval pre = duration(pre);
+ post = duration(post);
+| stats mean(pre) as pre mean(post) as post
+/* At this point, pre and post are in nanoseconds. Let's convert them to milliseconds */
+| eval $(Pre-tunnel Latency) = pre / 1000000; $(Post-tunnel Latency) = post / 1000000;
+| chart "Pre-tunnel Latency" "Post-tunnel Latency"
\ No newline at end of file
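Review bot: The comment `/* We use toDuration to go from a string to a Duration */` names a function the code does not call; the next line uses `duration(pre)` and `duration(post)`, so change it to `/* duration() parses the extracted latency strings into Durations */` or make the code and comment agree. As rendered here the regex reads `(?P[^,]+)` twice with no group names, yet the `eval` refers to `pre` and `post`; the names were presumably eaten by the page renderer, but it is worth verifying that the committed file really contains `(?P<pre>[^,]+)` and `(?P<post>[^,]+)`, because nameless groups would leave both fields unset and `mean()` would have nothing to average. The second comment's "pre and post are in nanoseconds" is a claim about `duration()`'s return unit that nothing in the query establishes, so cite where it comes from (e.g. "per the Gravwell eval docs") to keep the `/ 1000000` conversion honest.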
diff --git a/paloalto/searchlibrary/bc005eda-32cf-4a11-accf-6684a2fb9af2.meta b/paloalto/searchlibrary/bc005eda-32cf-4a11-accf-6684a2fb9af2.meta
new file mode 100644
index 00000000..923626e0
--- /dev/null
+++ b/paloalto/searchlibrary/bc005eda-32cf-4a11-accf-6684a2fb9af2.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Applications [table]",
+	"Description": "Displays a table of sanctioned SaaS applications with session counts and total traffic volume.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+	"GUID": "bc005eda-32cf-4a11-accf-6684a2fb9af2",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/bc005eda-32cf-4a11-accf-6684a2fb9af2.query b/paloalto/searchlibrary/bc005eda-32cf-4a11-accf-6684a2fb9af2.query
new file mode 100644
index 00000000..e1b1b637
--- /dev/null
+++ b/paloalto/searchlibrary/bc005eda-32cf-4a11-accf-6684a2fb9af2.query
@@ -0,0 +1,7 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Sanctioned Applications [table]
+tag=$PAN_TRAFFIC ax app category_of_app subcategory_of_app bytes is_saas_of_app=="yes" sanctioned_state_of_app=="yes"
+| alias app App category_of_app Category subcategory_of_app Subcategory
+| stats sum(bytes) count as Sessions by App Category Subcategory
+| eval Volume = sum;
+| sort by sum desc
+| table App Category Subcategory Sessions Volume
\ No newline at end of file
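Review bot: `Sessions` in this table counts every traffic record that matches `is_saas_of_app=="yes" sanctioned_state_of_app=="yes"`, with no `subtype=="end"` restriction, while the SaaS Total Bytes search in this commit (`9b25ad03`) sums bytes only over `subtype=="end"`; if session-start records are logged the two SaaS panels will disagree and both the session count and the byte sum here will be inflated. Suggest `tag=$PAN_TRAFFIC ax subtype=="end" app category_of_app subcategory_of_app bytes is_saas_of_app=="yes" sanctioned_state_of_app=="yes"` as the filter line. `Volume` is also the raw byte sum with no unit in the column name; either call the column `Bytes` or convert it the way the Total Traffic Volume chart does.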
diff --git a/paloalto/searchlibrary/ce08d927-0617-41e5-9b44-22f8568c5ff0.meta b/paloalto/searchlibrary/ce08d927-0617-41e5-9b44-22f8568c5ff0.meta
new file mode 100644
index 00000000..1aa31927
--- /dev/null
+++ b/paloalto/searchlibrary/ce08d927-0617-41e5-9b44-22f8568c5ff0.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Action [chart]",
+	"Description": "Displays a chart of SaaS traffic event counts by action.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+	"GUID": "ce08d927-0617-41e5-9b44-22f8568c5ff0",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/ce08d927-0617-41e5-9b44-22f8568c5ff0.query b/paloalto/searchlibrary/ce08d927-0617-41e5-9b44-22f8568c5ff0.query
new file mode 100644
index 00000000..b8a61cd4
--- /dev/null
+++ b/paloalto/searchlibrary/ce08d927-0617-41e5-9b44-22f8568c5ff0.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Count by Action [chart]
+tag=$PAN_TRAFFIC ax is_saas_of_app=="yes" action
+| stats count by action
+| chart count by action
\ No newline at end of file
diff --git a/paloalto/searchlibrary/d625b9af-4e63-40df-9392-62cbd04c8213.meta b/paloalto/searchlibrary/d625b9af-4e63-40df-9392-62cbd04c8213.meta
new file mode 100644
index 00000000..abe70988
--- /dev/null
+++ b/paloalto/searchlibrary/d625b9af-4e63-40df-9392-62cbd04c8213.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [chart]",
+	"Description": "Displays a chart of GlobalProtect login attempt counts by status.\n\nDependencies\n- Dashboard: Palo Alto GlobalProtect Overview",
+	"GUID": "d625b9af-4e63-40df-9392-62cbd04c8213",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/d625b9af-4e63-40df-9392-62cbd04c8213.query b/paloalto/searchlibrary/d625b9af-4e63-40df-9392-62cbd04c8213.query
new file mode 100644
index 00000000..e4be0e91
--- /dev/null
+++ b/paloalto/searchlibrary/d625b9af-4e63-40df-9392-62cbd04c8213.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - GlobalProtect - Authentication - Count by Status [chart]
+tag=$PAN_GLOBALPROTECT ax stage=="login" status
+| stats count by status
+| chart count by status
\ No newline at end of file
diff --git a/paloalto/searchlibrary/dfec2b9b-5466-4ec5-9ce6-5a23b42488f7.meta b/paloalto/searchlibrary/dfec2b9b-5466-4ec5-9ce6-5a23b42488f7.meta
new file mode 100644
index 00000000..59002b85
--- /dev/null
+++ b/paloalto/searchlibrary/dfec2b9b-5466-4ec5-9ce6-5a23b42488f7.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [chart]",
+	"Description": "Displays a chart of WildFire verdict counts by category.\n\nDependencies\n- Dashboard: Palo Alto Wildfire Overview",
+	"GUID": "dfec2b9b-5466-4ec5-9ce6-5a23b42488f7",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/dfec2b9b-5466-4ec5-9ce6-5a23b42488f7.query b/paloalto/searchlibrary/dfec2b9b-5466-4ec5-9ce6-5a23b42488f7.query
new file mode 100644
index 00000000..68d8feb5
--- /dev/null
+++ b/paloalto/searchlibrary/dfec2b9b-5466-4ec5-9ce6-5a23b42488f7.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - WildFire - Count by Category [chart]
+tag=$PAN_THREAT ax subtype=="wildfire" category
+| stats count by category
+| chart count by category
\ No newline at end of file
diff --git a/paloalto/searchlibrary/e442e808-5c6e-4509-a66b-cb744a26aff6.meta b/paloalto/searchlibrary/e442e808-5c6e-4509-a66b-cb744a26aff6.meta
new file mode 100644
index 00000000..be23b125
--- /dev/null
+++ b/paloalto/searchlibrary/e442e808-5c6e-4509-a66b-cb744a26aff6.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Unsanctioned Category [chart]",
+	"Description": "Displays a chart of the least frequently observed sanctioned SaaS application categories.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+	"GUID": "e442e808-5c6e-4509-a66b-cb744a26aff6",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
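Review bot: The `Description` contradicts both the Name and the query: it says "the least frequently observed sanctioned SaaS application categories", but the Name is "Count by Unsanctioned Category", the query filters `sanctioned_state_of_app=="no"`, and the grouping key is `subcategory_of_app`, not a category. Suggested text: `"Description": "Displays a chart of the most frequently observed subcategories of unsanctioned SaaS applications.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview"`. Whether `chart ... limit 6` keeps the top or the bottom six entries depends on the chart renderer and is not visible here, so adjust "most frequently" if it turns out to be bottom-N.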
diff --git a/paloalto/searchlibrary/e442e808-5c6e-4509-a66b-cb744a26aff6.query b/paloalto/searchlibrary/e442e808-5c6e-4509-a66b-cb744a26aff6.query
new file mode 100644
index 00000000..dbb592af
--- /dev/null
+++ b/paloalto/searchlibrary/e442e808-5c6e-4509-a66b-cb744a26aff6.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Count by Unsanctioned Category [chart]
+tag=$PAN_TRAFFIC ax sanctioned_state_of_app=="no" is_saas_of_app=="yes" subcategory_of_app
+| stats count by subcategory_of_app
+| chart count by subcategory_of_app limit 6
\ No newline at end of file
diff --git a/paloalto/searchlibrary/eb5f3a03-f3fc-479e-a4fb-babff92baf97.meta b/paloalto/searchlibrary/eb5f3a03-f3fc-479e-a4fb-babff92baf97.meta
new file mode 100644
index 00000000..3c5ad076
--- /dev/null
+++ b/paloalto/searchlibrary/eb5f3a03-f3fc-479e-a4fb-babff92baf97.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Threat - WildFire - Count by File Type [chart]",
+	"Description": "Displays a chart of WildFire submission counts by file type.\n\nDependencies\n- Dashboard: Palo Alto Wildfire Overview",
+	"GUID": "eb5f3a03-f3fc-479e-a4fb-babff92baf97",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/eb5f3a03-f3fc-479e-a4fb-babff92baf97.query b/paloalto/searchlibrary/eb5f3a03-f3fc-479e-a4fb-babff92baf97.query
new file mode 100644
index 00000000..a4571013
--- /dev/null
+++ b/paloalto/searchlibrary/eb5f3a03-f3fc-479e-a4fb-babff92baf97.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - WildFire - Count by File Type [chart]
+tag=$PAN_THREAT ax subtype=="wildfire" filetype
+| stats count by filetype
+| chart count by filetype
\ No newline at end of file
diff --git a/paloalto/searchlibrary/ed30530c-b91b-4e37-aa5a-c9c3c889832c.meta b/paloalto/searchlibrary/ed30530c-b91b-4e37-aa5a-c9c3c889832c.meta
new file mode 100644
index 00000000..92ad6535
--- /dev/null
+++ b/paloalto/searchlibrary/ed30530c-b91b-4e37-aa5a-c9c3c889832c.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Traffic - Application - Rare Applications [table]",
+	"Description": "Displays a table of the least frequently observed applications in traffic logs.\n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview",
+	"GUID": "ed30530c-b91b-4e37-aa5a-c9c3c889832c",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/ed30530c-b91b-4e37-aa5a-c9c3c889832c.query b/paloalto/searchlibrary/ed30530c-b91b-4e37-aa5a-c9c3c889832c.query
new file mode 100644
index 00000000..b8120f93
--- /dev/null
+++ b/paloalto/searchlibrary/ed30530c-b91b-4e37-aa5a-c9c3c889832c.query
@@ -0,0 +1,6 @@
+// Search - Palo Alto - NGFW - Traffic - Application - Rare Applications [table]
+tag=$PAN_TRAFFIC ax subtype=="end" app 
+| stats count by app 
+| sort by count asc 
+| limit 10 
+| table app count
\ No newline at end of file
diff --git a/paloalto/searchlibrary/f04b1ebf-96d1-4220-97da-291ab125f4d4.meta b/paloalto/searchlibrary/f04b1ebf-96d1-4220-97da-291ab125f4d4.meta
new file mode 100644
index 00000000..92389423
--- /dev/null
+++ b/paloalto/searchlibrary/f04b1ebf-96d1-4220-97da-291ab125f4d4.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Threat - URL - Count by Top Hostnames [table]",
+	"Description": "Displays a table of hostname counts extracted from URL threat events.\n\nDependencies\n- Dashboard: Palo Alto User Behavior Overview",
+	"GUID": "f04b1ebf-96d1-4220-97da-291ab125f4d4",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/f04b1ebf-96d1-4220-97da-291ab125f4d4.query b/paloalto/searchlibrary/f04b1ebf-96d1-4220-97da-291ab125f4d4.query
new file mode 100644
index 00000000..e2694f39
--- /dev/null
+++ b/paloalto/searchlibrary/f04b1ebf-96d1-4220-97da-291ab125f4d4.query
@@ -0,0 +1,5 @@
+// Search - Palo Alto - NGFW - Threat - URL - Top Hostnames [table]
+tag=$PAN_THREAT ax subtype=="url" misc 
+| regex -e misc "(?P[^/]+)/" 
+| stats count by hostname 
+| table hostname count
\ No newline at end of file
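Review bot: The named capture on the `regex` line is malformed as it appears here: `(?P[^/]+)/` has no group name, so no `hostname` enumerated value is produced and the following `stats count by hostname` and `table hostname count` have nothing to group on. If this is how the file is stored rather than an artifact of how the diff was rendered, it should read `| regex -e misc "(?P<hostname>[^/]+)(?:/|$)"`; the `(?:/|$)` alternative also lets a bare hostname with no trailing slash match, which the current pattern cannot because it requires a `/` after the host. The query header comment ("Top Hostnames") also differs from the Name in the metadata ("Count by Top Hostnames"); pick one.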
diff --git a/paloalto/searchlibrary/fd4e2509-d685-49d4-b9c8-cdb8d1c0d153.meta b/paloalto/searchlibrary/fd4e2509-d685-49d4-b9c8-cdb8d1c0d153.meta
new file mode 100644
index 00000000..f28b4d8c
--- /dev/null
+++ b/paloalto/searchlibrary/fd4e2509-d685-49d4-b9c8-cdb8d1c0d153.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Threat - Events - Count by Scan Types [chart]",
+	"Description": "Displays a chart of scan event counts by threat ID.\n\nDependencies\n- Dashboard: Palo Alto Threat Overview",
+	"GUID": "fd4e2509-d685-49d4-b9c8-cdb8d1c0d153",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/fd4e2509-d685-49d4-b9c8-cdb8d1c0d153.query b/paloalto/searchlibrary/fd4e2509-d685-49d4-b9c8-cdb8d1c0d153.query
new file mode 100644
index 00000000..a2ab0fea
--- /dev/null
+++ b/paloalto/searchlibrary/fd4e2509-d685-49d4-b9c8-cdb8d1c0d153.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Threat - Events - Count by Scan Types [chart]
+tag=$PAN_THREAT ax subtype=="scan" threatid
+| stats count by threatid
+| chart count by threatid
\ No newline at end of file
diff --git a/paloalto/searchlibrary/fe4898de-8dd2-46dc-a3bc-3263bdaae33a.meta b/paloalto/searchlibrary/fe4898de-8dd2-46dc-a3bc-3263bdaae33a.meta
new file mode 100644
index 00000000..d6d89971
--- /dev/null
+++ b/paloalto/searchlibrary/fe4898de-8dd2-46dc-a3bc-3263bdaae33a.meta
@@ -0,0 +1,11 @@
+{
+	"Name": "Search - Palo Alto - NGFW - Traffic - SaaS - Count by Application [chart]",
+	"Description": "Displays a chart of SaaS traffic session counts by application.\n\nDependencies\n- Dashboard: Palo Alto SaaS Overview",
+	"GUID": "fe4898de-8dd2-46dc-a3bc-3263bdaae33a",
+	"Labels": [
+		"palo"
+	],
+	"Metadata": {
+		"timeframe": null
+	}
+}
\ No newline at end of file
diff --git a/paloalto/searchlibrary/fe4898de-8dd2-46dc-a3bc-3263bdaae33a.query b/paloalto/searchlibrary/fe4898de-8dd2-46dc-a3bc-3263bdaae33a.query
new file mode 100644
index 00000000..b8a1cdac
--- /dev/null
+++ b/paloalto/searchlibrary/fe4898de-8dd2-46dc-a3bc-3263bdaae33a.query
@@ -0,0 +1,4 @@
+// Search - Palo Alto - NGFW - Traffic - SaaS - Count by Application [chart]
+tag=$PAN_TRAFFIC ax subtype=="end" is_saas_of_app=="yes" app
+| stats count by app
+| chart count by app
\ No newline at end of file
diff --git a/paloalto/template/10e2589a-08f8-4665-857d-3e6092c9500a.meta b/paloalto/template/10e2589a-08f8-4665-857d-3e6092c9500a.meta
new file mode 100644
index 00000000..0f6f0068
--- /dev/null
+++ b/paloalto/template/10e2589a-08f8-4665-857d-3e6092c9500a.meta
@@ -0,0 +1,28 @@
+{
+	"UUID": "10e2589a-08f8-4665-857d-3e6092c9500a",
+	"Name": "Template - Palo Alto - NGFW - Threat - WildFire - All Submissions for User \u0026 IP [table]",
+	"Description": "Displays a table of WildFire file submissions associated with the specified IP address.\n\nDependencies\n- Dashboard: Palo Alto Investigations",
+	"Data": {
+		"variables": [
+			{
+				"name": "%%user%%",
+				"label": "User",
+				"description": "This variable for the User allows you to query the relevant EVs such as srcuser and dstuser (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			},
+			{
+				"name": "%%ip%%",
+				"label": "IP Address",
+				"description": "This variable for the IP Address allows you to query the relevant EVs such as src, natsrc, dst, natdst, xff_ip, private_ip, and public_ip (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			}
+		]
+	},
+	"Labels": [
+		"palo"
+	]
+}
\ No newline at end of file
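Review bot: Neither variable description says that the value is used as a regular expression or that the `.` default is a wildcard matching any user or IP, which is exactly what an analyst needs to know before pasting `10.1.1.1` into the IP box, where every `.` is itself a wildcard. I would extend each description with a sentence such as `Treated as a regular expression; the default "." matches any value. Escape dots and anchor (e.g. ^10\\.1\\.1\\.1$) for an exact match.` The Description also says the table is for "the specified IP address" while the template's eval requires a user match as well; `for the specified user and IP address` would agree with the Name.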
diff --git a/paloalto/template/10e2589a-08f8-4665-857d-3e6092c9500a.query b/paloalto/template/10e2589a-08f8-4665-857d-3e6092c9500a.query
new file mode 100644
index 00000000..d74b5a6b
--- /dev/null
+++ b/paloalto/template/10e2589a-08f8-4665-857d-3e6092c9500a.query
@@ -0,0 +1,18 @@
+// Template - Palo Alto - NGFW - Threat - WildFire - All Submissions for User & IP [table]
+tag=$PAN_THREAT ax subtype=="wildfire" 
+| alias 
+    misc Filename
+    filetype Filetype
+    filedigest "File Digest"
+    category Category
+    rule Rule
+    app App
+    src "Source" 
+    natsrc "NAT Source" 
+    srcuser "Source User" 
+    dst "Destination" 
+    natdst "NAT Destination" 
+    dstuser "Destination User"
+    xff_ip "XFF Address"
+| eval (srcuser~"%%user%%" || dstuser~"%%user%%") && (src~"%%ip%%" || natsrc~"%%ip%%" || dst~"%%ip%%" || natdst~"%%ip%%" || xff_ip~"%%ip%%")
+| table Category Rule App "Source" "NAT Source" "Source User" "Destination" "NAT Destination" "Destination User" "XFF Address" Filename Filetype "File Digest"
\ No newline at end of file
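Review bot: The `eval` line filters with unanchored regex matches (`~`) on raw variable text, so an IP typed as `10.1.1.1` also matches `10.1.1.10` and `110.1.1.1`, and an investigation table built this way pulls in submissions from unrelated hosts. I would anchor the patterns in the query, e.g. `src~"^(%%ip%%)$"` for each of the five address fields and `srcuser~"^(%%user%%)$"` for the user fields, and change the variable defaults from `.` to `.*` so the "match anything" default keeps working; if exact values are always intended, `==` would be simpler still. The eval also references `src`, `srcuser` and the other original names after `alias` has renamed them; whether the originals remain available after `alias` isn't visible here, and if they don't the filter never matches and the table is always empty.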
diff --git a/paloalto/template/15e8e4fd-763e-4043-97f0-162778ec859c.meta b/paloalto/template/15e8e4fd-763e-4043-97f0-162778ec859c.meta
new file mode 100644
index 00000000..dca3c7bc
--- /dev/null
+++ b/paloalto/template/15e8e4fd-763e-4043-97f0-162778ec859c.meta
@@ -0,0 +1,28 @@
+{
+	"UUID": "15e8e4fd-763e-4043-97f0-162778ec859c",
+	"Name": "Template - Palo Alto - NGFW - Threat - Events - All Threat Events for User \u0026 IP [table]",
+	"Description": "Displays a table of threat events associated with the specified IP address including source, destination, and threat ID.\n\nDependencies\n- Dashboard: Palo Alto Investigations",
+	"Data": {
+		"variables": [
+			{
+				"name": "%%user%%",
+				"label": "User",
+				"description": "This variable for the User allows you to query the relevant EVs such as srcuser and dstuser (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			},
+			{
+				"name": "%%ip%%",
+				"label": "IP Address",
+				"description": "This variable for the IP Address allows you to query the relevant EVs such as src, natsrc, dst, natdst, xff_ip, private_ip, and public_ip (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			}
+		]
+	},
+	"Labels": [
+		"palo"
+	]
+}
\ No newline at end of file
diff --git a/paloalto/template/15e8e4fd-763e-4043-97f0-162778ec859c.query b/paloalto/template/15e8e4fd-763e-4043-97f0-162778ec859c.query
new file mode 100644
index 00000000..14497c29
--- /dev/null
+++ b/paloalto/template/15e8e4fd-763e-4043-97f0-162778ec859c.query
@@ -0,0 +1,5 @@
+// Template - Palo Alto - NGFW - Threat - Events - All Threat Events for User & IP [table]
+tag=$PAN_THREAT ax src natsrc srcuser dst natdst dstuser threatid xff_ip category_of_app subcategory_of_app
+| alias threatid "Threat ID" src "Source" srcuser "Source User" dst "Destination" dstuser "Destination User" category_of_app "Category"
+| eval (srcuser~"%%user%%" || dstuser~"%%user%%") && (src~"%%ip%%" || natsrc~"%%ip%%" || dst~"%%ip%%" || natdst~"%%ip%%" || xff_ip~"%%ip%%")
+| table Source natsrc "Source User" Destination natdst "Destination User" xff_ip "Threat ID" "Category"
\ No newline at end of file
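Review bot: `subcategory_of_app` is extracted on the `ax` line but never used, and `natsrc`, `natdst` and `xff_ip` appear in the table unaliased while the neighbouring WildFire template renames them to "NAT Source", "NAT Destination" and "XFF Address". Dropping the unused field and adding `natsrc "NAT Source" natdst "NAT Destination" xff_ip "XFF Address"` to the `alias` line (with the same names in `table`) keeps the investigation tables uniform. The `eval` filter here has the same unanchored `~` semantics as the other templates, so a short IP pattern will match any longer address that contains it.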
diff --git a/paloalto/template/182e5db7-4513-4056-a8a8-987fbf570599.meta b/paloalto/template/182e5db7-4513-4056-a8a8-987fbf570599.meta
deleted file mode 100644
index 039fc808..00000000
--- a/paloalto/template/182e5db7-4513-4056-a8a8-987fbf570599.meta
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-	"UUID": "182e5db7-4513-4056-a8a8-987fbf570599",
-	"Name": "Traffic categories for IP",
-	"Description": "Categories of traffic seen by Palo Alto related to given IP address.",
-	"Data": {
-		"variables": [
-			{
-				"name": "%%IP%%",
-				"label": "",
-				"description": "",
-				"required": true,
-				"defaultValue": "",
-				"previewValue": ""
-			}
-		]
-	},
-	"Labels": [
-		"palo"
-	]
-}
\ No newline at end of file
diff --git a/paloalto/template/182e5db7-4513-4056-a8a8-987fbf570599.query b/paloalto/template/182e5db7-4513-4056-a8a8-987fbf570599.query
deleted file mode 100644
index 0af71520..00000000
--- a/paloalto/template/182e5db7-4513-4056-a8a8-987fbf570599.query
+++ /dev/null
@@ -1,5 +0,0 @@
-tag=$PAN_TRAFFIC words "%%IP%%" 
-| ax src dst category_of_app subcategory_of_app 
-| alias src "Source" dst "Destination" category_of_app "Category" 
-| stats count by Category
-| chart count by Category
\ No newline at end of file
diff --git a/paloalto/template/21c85c02-8c7a-42fd-9cba-005d36c2cce1.meta b/paloalto/template/21c85c02-8c7a-42fd-9cba-005d36c2cce1.meta
deleted file mode 100644
index cfc32500..00000000
--- a/paloalto/template/21c85c02-8c7a-42fd-9cba-005d36c2cce1.meta
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-	"UUID": "21c85c02-8c7a-42fd-9cba-005d36c2cce1",
-	"Name": "Threat subtypes for IP",
-	"Description": "Generate a numbercard showing counts of threat subtypes related to a given IP.",
-	"Data": {
-		"variables": [
-			{
-				"name": "%%IP%%",
-				"label": "",
-				"description": "",
-				"required": true,
-				"defaultValue": "",
-				"previewValue": ""
-			}
-		]
-	},
-	"Labels": [
-		"palo"
-	]
-}
\ No newline at end of file
diff --git a/paloalto/template/21c85c02-8c7a-42fd-9cba-005d36c2cce1.query b/paloalto/template/21c85c02-8c7a-42fd-9cba-005d36c2cce1.query
deleted file mode 100644
index ec369dba..00000000
--- a/paloalto/template/21c85c02-8c7a-42fd-9cba-005d36c2cce1.query
+++ /dev/null
@@ -1 +0,0 @@
-tag=$PAN_THREAT words "%%IP%%" | ax subtype | stats count by subtype | numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/template/278a59ad-0113-42d1-8cf5-3c8bd2bc921c.meta b/paloalto/template/278a59ad-0113-42d1-8cf5-3c8bd2bc921c.meta
new file mode 100644
index 00000000..26042705
--- /dev/null
+++ b/paloalto/template/278a59ad-0113-42d1-8cf5-3c8bd2bc921c.meta
@@ -0,0 +1,28 @@
+{
+	"UUID": "278a59ad-0113-42d1-8cf5-3c8bd2bc921c",
+	"Name": "Template - Palo Alto - NGFW - Traffic - Category - Count by Category [chart]",
+	"Description": "Displays a chart of traffic event counts by application category for the specified IP address.\n\nDependencies\n- Dashboard: Palo Alto Investigations",
+	"Data": {
+		"variables": [
+			{
+				"name": "%%user%%",
+				"label": "User",
+				"description": "This variable for the User allows you to query the relevant EVs such as srcuser and dstuser (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			},
+			{
+				"name": "%%ip%%",
+				"label": "IP Address",
+				"description": "This variable for the IP Address allows you to query the relevant EVs such as src, natsrc, dst, natdst, xff_ip, private_ip, and public_ip (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			}
+		]
+	},
+	"Labels": [
+		"palo"
+	]
+}
\ No newline at end of file
diff --git a/paloalto/template/278a59ad-0113-42d1-8cf5-3c8bd2bc921c.query b/paloalto/template/278a59ad-0113-42d1-8cf5-3c8bd2bc921c.query
new file mode 100644
index 00000000..6c359e2a
--- /dev/null
+++ b/paloalto/template/278a59ad-0113-42d1-8cf5-3c8bd2bc921c.query
@@ -0,0 +1,6 @@
+// Template - Palo Alto - NGFW - Traffic - Category - Count by Category [chart]
+tag=$PAN_TRAFFIC ax 
+| eval (srcuser~"%%user%%" || dstuser~"%%user%%") && (src~"%%ip%%" || natsrc~"%%ip%%" || dst~"%%ip%%" || natdst~"%%ip%%" || xff_ip~"%%ip%%")
+| alias src "Source" dst "Destination" category_of_app "Category"
+| stats count by Category
+| chart count by Category
\ No newline at end of file
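Review bot: The `alias src "Source" dst "Destination"` on the fourth line is dead — only `Category` is consumed by `stats` and `chart` — and `ax` with no field list appears to extract every field before the filter runs. I would trim it to `| alias category_of_app "Category"` and name the needed fields on the first line, `ax category_of_app srcuser dstuser src natsrc dst natdst xff_ip`. Unlike the SaaS search fe4898de this query also has no `subtype=="end"` restriction, so if start and end records are both present each session is counted twice per category. The metadata Description says "for the specified IP address" but the eval requires the user pattern to match as well.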
diff --git a/paloalto/template/8ff368b5-1d29-422a-89a7-7eb20c50d224.meta b/paloalto/template/8ff368b5-1d29-422a-89a7-7eb20c50d224.meta
deleted file mode 100644
index b472bbd1..00000000
--- a/paloalto/template/8ff368b5-1d29-422a-89a7-7eb20c50d224.meta
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-	"UUID": "8ff368b5-1d29-422a-89a7-7eb20c50d224",
-	"Name": "Threat Table for IP",
-	"Description": "Table of threats related to a given IP.",
-	"Data": {
-		"variables": [
-			{
-				"name": "%%IP%%",
-				"label": "",
-				"description": "",
-				"required": true,
-				"defaultValue": "",
-				"previewValue": ""
-			}
-		]
-	},
-	"Labels": [
-		"palo"
-	]
-}
\ No newline at end of file
diff --git a/paloalto/template/8ff368b5-1d29-422a-89a7-7eb20c50d224.query b/paloalto/template/8ff368b5-1d29-422a-89a7-7eb20c50d224.query
deleted file mode 100644
index d2227ca4..00000000
--- a/paloalto/template/8ff368b5-1d29-422a-89a7-7eb20c50d224.query
+++ /dev/null
@@ -1,4 +0,0 @@
-tag=$PAN_THREAT words "%%IP%%" 
-| ax src dst threatid category_of_app subcategory_of_app 
-| alias threatid "Threat ID" src "Source" dst "Destination" category_of_app "Category" 
-| table Source Destination "Threat ID" "Category"
\ No newline at end of file
diff --git a/paloalto/template/c9e19be7-3673-4d7e-8303-352a1a3ce0bc.meta b/paloalto/template/c9e19be7-3673-4d7e-8303-352a1a3ce0bc.meta
new file mode 100644
index 00000000..65352954
--- /dev/null
+++ b/paloalto/template/c9e19be7-3673-4d7e-8303-352a1a3ce0bc.meta
@@ -0,0 +1,28 @@
+{
+	"UUID": "c9e19be7-3673-4d7e-8303-352a1a3ce0bc",
+	"Name": "Template - Palo Alto - NGFW - Threat - Subtype - Count by Subtypes for User \u0026 IP [numbercard]",
+	"Description": "Displays a numbercard of threat event counts by subtype for the specified IP address.\n\nDependencies\n- Dashboard: Palo Alto Investigations",
+	"Data": {
+		"variables": [
+			{
+				"name": "%%ip%%",
+				"label": "IP Address",
+				"description": "This variable for the IP Address allows you to query the relevant EVs such as src, natsrc, dst, natdst, xff_ip, private_ip, and public_ip (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			},
+			{
+				"name": "%%user%%",
+				"label": "User",
+				"description": "This variable for the User allows you to query the relevant EVs such as srcuser and dstuser (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			}
+		]
+	},
+	"Labels": [
+		"palo"
+	]
+}
\ No newline at end of file
diff --git a/paloalto/template/c9e19be7-3673-4d7e-8303-352a1a3ce0bc.query b/paloalto/template/c9e19be7-3673-4d7e-8303-352a1a3ce0bc.query
new file mode 100644
index 00000000..b48d0981
--- /dev/null
+++ b/paloalto/template/c9e19be7-3673-4d7e-8303-352a1a3ce0bc.query
@@ -0,0 +1,5 @@
+// Template - Palo Alto - NGFW - Threat - Subtype - Count by Subtypes for User & IP [numbercard]
+tag=$PAN_THREAT ax
+| eval (srcuser~"%%user%%" || dstuser~"%%user%%") && (src~"%%ip%%" || natsrc~"%%ip%%" || dst~"%%ip%%" || natdst~"%%ip%%" || xff_ip~"%%ip%%")
+| stats count by subtype
+| numbercard (count "")
\ No newline at end of file
diff --git a/paloalto/template/e06715fe-29f6-4d29-bdf2-df6ef933fc72.meta b/paloalto/template/e06715fe-29f6-4d29-bdf2-df6ef933fc72.meta
deleted file mode 100644
index 2d896970..00000000
--- a/paloalto/template/e06715fe-29f6-4d29-bdf2-df6ef933fc72.meta
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-	"UUID": "e06715fe-29f6-4d29-bdf2-df6ef933fc72",
-	"Name": "Wildfire Submissions for IP",
-	"Description": "Table of Wildfire submissions related to a given IP.",
-	"Data": {
-		"variables": [
-			{
-				"name": "%%IP%%",
-				"label": "",
-				"description": "",
-				"required": true,
-				"defaultValue": "",
-				"previewValue": ""
-			}
-		]
-	},
-	"Labels": [
-		"palo"
-	]
-}
\ No newline at end of file
diff --git a/paloalto/template/e06715fe-29f6-4d29-bdf2-df6ef933fc72.query b/paloalto/template/e06715fe-29f6-4d29-bdf2-df6ef933fc72.query
deleted file mode 100644
index 2fbe37f3..00000000
--- a/paloalto/template/e06715fe-29f6-4d29-bdf2-df6ef933fc72.query
+++ /dev/null
@@ -1,3 +0,0 @@
-tag=$PAN_THREAT words "%%IP%%" | ax subtype=="wildfire" category misc app rule src dst filetype filedigest 
-| alias misc filename 
-| table category rule app src dst filename filetype filedigest
\ No newline at end of file
diff --git a/paloalto/template/ecd856f4-ee40-4cc9-a327-5f85ed518a13.meta b/paloalto/template/ecd856f4-ee40-4cc9-a327-5f85ed518a13.meta
new file mode 100644
index 00000000..46414071
--- /dev/null
+++ b/paloalto/template/ecd856f4-ee40-4cc9-a327-5f85ed518a13.meta
@@ -0,0 +1,28 @@
+{
+	"UUID": "ecd856f4-ee40-4cc9-a327-5f85ed518a13",
+	"Name": "Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User \u0026 IP [table]",
+	"Description": "Displays a table of GlobalProtect sessions associated with the specified IP address including user and machine information.\n\nDependencies\n- Dashboard: Palo Alto Investigations",
+	"Data": {
+		"variables": [
+			{
+				"name": "%%user%%",
+				"label": "User",
+				"description": "This variable for the User allows you to query the relevant EVs such as srcuser and dstuser (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			},
+			{
+				"name": "%%ip%%",
+				"label": "IP Address",
+				"description": "This variable for the IP Address allows you to query the relevant EVs such as src, natsrc, dst, natdst, xff_ip, private_ip, and public_ip (if applicable).",
+				"required": true,
+				"defaultValue": ".",
+				"previewValue": "."
+			}
+		]
+	},
+	"Labels": [
+		"palo"
+	]
+}
\ No newline at end of file
diff --git a/paloalto/template/ecd856f4-ee40-4cc9-a327-5f85ed518a13.query b/paloalto/template/ecd856f4-ee40-4cc9-a327-5f85ed518a13.query
new file mode 100644
index 00000000..55971255
--- /dev/null
+++ b/paloalto/template/ecd856f4-ee40-4cc9-a327-5f85ed518a13.query
@@ -0,0 +1,6 @@
+// Template - Palo Alto - NGFW - GlobalProtect - Events - All VPN Events for User & IP [table]
+tag=$PAN_GLOBALPROTECT ax 
+| alias srcuser User machinename Machine private_ip "GlobalProtect Private IP" public_ip "GlobalProtect Public IP"
+| unique "GlobalProtect Private IP" User Machine
+| eval (srcuser~"%%user%%") && (public_ip~"%%ip%%" || private_ip~"%%ip%%")
+| table "GlobalProtect Public IP" "GlobalProtect Private IP" User Machine
\ No newline at end of file
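Review bot: The `eval` filter runs after `unique "GlobalProtect Private IP" User Machine`, and `public_ip` is not one of the unique keys, so when a user/machine/private-IP triple has been seen with several public addresses only the first-seen record survives and the others are discarded before the public-IP pattern is ever tested — an investigation pivoting on a public IP can miss matching sessions. Filtering first and including the public address in the key avoids that: move `| eval (srcuser~"%%user%%") && (public_ip~"%%ip%%" || private_ip~"%%ip%%")` above the dedup and change it to `| unique "GlobalProtect Public IP" "GlobalProtect Private IP" User Machine`. The filter also references `srcuser`, `public_ip` and `private_ip` after `alias` renamed them; if the originals don't survive the rename the eval matches nothing, which isn't visible from this hunk.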
diff --git a/paloalto/template/f451f8b7-cf3d-423b-95c6-3738852bd9ea.meta b/paloalto/template/f451f8b7-cf3d-423b-95c6-3738852bd9ea.meta
deleted file mode 100644
index 3327f7e7..00000000
--- a/paloalto/template/f451f8b7-cf3d-423b-95c6-3738852bd9ea.meta
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-	"UUID": "f451f8b7-cf3d-423b-95c6-3738852bd9ea",
-	"Name": "GlobalProtect Info for IP",
-	"Description": "If IP is a GlobalProtect private IP, show information about the user \u0026 machine associated with the IP.",
-	"Data": {
-		"variables": [
-			{
-				"name": "%%IP%%",
-				"label": "",
-				"description": "",
-				"required": true,
-				"defaultValue": "",
-				"previewValue": ""
-			}
-		]
-	},
-	"Labels": [
-		"palo"
-	]
-}
\ No newline at end of file
diff --git a/paloalto/template/f451f8b7-cf3d-423b-95c6-3738852bd9ea.query b/paloalto/template/f451f8b7-cf3d-423b-95c6-3738852bd9ea.query
deleted file mode 100644
index 77c81f17..00000000
--- a/paloalto/template/f451f8b7-cf3d-423b-95c6-3738852bd9ea.query
+++ /dev/null
@@ -1,3 +0,0 @@
-tag=$PAN_GLOBALPROTECT ax private_ip=="%%IP%%" srcuser machinename | alias srcuser User machinename Machine private_ip "GlobalProtect IP" 
-| unique "GlobalProtect IP" User Machine 
-| table "GlobalProtect IP" User Machine
\ No newline at end of file