Palo Alto Firewall Template

Using the Standard Datasource Events

The following table shows the Standard Datasource Events on which the template can be used to control the information that is received and actioned in your security schema.

Action

Subaction

Condition (Line Matching)
System Activity

Threat Evidence

File Execution

.*\|(?:file|data)\|THREAT\|.*
Threat Evidence Flood Detection .*\|flood\|THREAT\|.*
Threat Evidence HTTP Request .*\|url\|THREAT\|.*
Threat Evidence Vulnerability Detection .*\|vulnerability\|THREAT\|.*
Virus Detection Malware Detection .*\|spyware\|THREAT\|.*
Virus Detection Virus Detection .*\|(?:virus|wildfire-virus)\|THREAT\|.*
Virus Scan Virus Scan .*\|(?:scan|wildfire)\|THREAT\|.*
Systems Management
Configuration Rule Modification Configuration Rule Modification .*\|CONFIG\|.*
Software Notification Software Notification .*\|SYSTEM\|.*
User Activity
Successful Login Successful Login .*\|HIP-MATCH\|.*
Network Access Network Access Accepted .*\|Start\|TRAFFIC\|.*
Network Access Network Access Ended .*\|End\|TRAFFIC\|.*
Network Access Network Access Rejected .*\|(?:Drop|Deny)\|TRAFFIC\|.*

Action

Subaction

Condition (Line Matching)
System Activity

Threat Evidence

File Execution

.*\|(?:file|data)\|THREAT\|.*
Threat Evidence Flood Detection .*\|flood\|THREAT\|.*
Threat Evidence HTTP Request .*\|url\|THREAT\|.*
Threat Evidence Vulnerability Detection .*\|vulnerability\|THREAT\|.*
Virus Detection Malware Detection .*\|spyware\|THREAT\|.*
Virus Detection Virus Detection .*\|(?:virus|wildfire-virus)\|THREAT\|.*
Virus Scan Virus Scan .*\|(?:scan|wildfire)\|THREAT\|.*
Systems Management
Configuration Rule Modification Configuration Rule Modification .*\|CONFIG\|.*
Software Notification Software Notification .*\|SYSTEM\|.*
User Activity
Successful Login Successful Login .*\|HIP-MATCH\|.*
Network Access Network Access Accepted .*\|Start\|TRAFFIC\|.*
Network Access Network Access Ended .*\|End\|TRAFFIC\|.*
Network Access Network Access Rejected .*\|(?:Drop|Deny)\|TRAFFIC\|.*

Standard Datasource Events Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

 
VARIABLE VALUE
Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]
Event Timezone Offset [Event.Event_timezone_offset]
Event ID [CEF.externalId]
Source Machine Name [CEF.shost]
Source Machine IP Address [CEF.src]
Destination Machine Name [CEF.dhost]
Destination Machine IP Address [CEF.dst]
Operator Name [CEF.suser]

User Name

 [CEF.suser]
Object Name [Event.Object_Name]
Object Type [Event.Object_Type]
Application [CEF.dproc]
Action Result [CEF.outcome]
Severity [CEF.Severity]
Session ID [CEF.suid]
NetService [CEF.proto]
Protocol [CEF.app]
Additional Information 1 [CEF.msg]
Additional Information 2 [CEF.reason]
Previous Value [CEF.oldFileName]
Current Value [CEF.fname]
User Group/Role [CEF.dpriv]
Complete Message [Event.Raw_Message]
Variable 01 [CEF.cfp1Label] [CEF.cfp1]
Variable 02 [CEF.cfp2Label] [CEF.cfp2]
Variable 03 [CEF.cfp3Label] [CEF.cfp3]
Variable 04 [CEF.cfp4Label] [CEF.cfp4]
Variable 05 [CEF.cn1Label] [CEF.cn1]
Variable 06 [CEF.cn2Label] [CEF.cn2]
Variable 07 [CEF.cn3Label] [CEF.cn3]
Variable 08 Event Count: [CEF.cnt]
Variable 09 [CEF.cs1Label] [CEF.cs1]
Variable 10 [CEF.cs2Label] [CEF.cs2]
Variable 11 [CEF.cs3Label] [CEF.cs3]
Variable 12 [CEF.cs4Label] [CEF.cs4]
Variable 13 [CEF.cs5Label] [CEF.cs5]
Variable 14 [CEF.cs6Label] [CEF.cs6]
Variable 15 Nat DST: [CEF.destinationTranslatedAddress]
Variable 16 Nat destination port: [CEF.destinationtranslatedPort]
Variable 17 Device ID: [CEF.deviceExternalId]
Variable 18 Inbound Interface: [CEF.deviceInboundInterface]
Variable 19 Outbound Interface: [CEF.deviceOutboundInterface]
Variable 20 FileType: [CEF.fileType]
Variable 21 [CEF.flexNumber1Label] [CEF.flexNumber1]
Variable 22 [CEF.flexNumber2Label] [CEF.flexNumber2]
Variable 23 [CEF.flexString1Label] [CEF.flexString1]
Variable 24 [CEF.flexString2Label] [CEF.flexString2]
Variable 25 Filename: [CEF.fname]
Variable 26 Filepath: [CEF.filePath]
Variable 27 File ID: [CEF.fileId]
Variable 28 File Hash: [CEF.fileHash]
Variable 29 Bytes IN: [CEF.in]
Variable 30 Bytes OUT: [CEF.out]
Variable 31 Request: [CEF.request]
Variable 32 Request client Application: [CEF.requestClientApplication]
Variable 33 Request context: [CEF.requestContext]
Variable 34 Request method: [CEF.requestMethod]
Variable 35 NAT source: [CEF.sourceTranslatedAddress]
Variable 36 NAT source port: [CEF.sourceTranslatedPort]
Variable 37 PAN OS Action Flags: [CEF.PanOSActionFlags]
Variable 38 PAN OS Content version: [CEF.PanOSContentVer]
Variable 39 PAN OS Desc: [CEF.PanOSDesc]
Variable 40 DG meta data: [CEF.PanOSDGl1] [CEF.PanOSDGl2] [CEF.PanOSDGl3] [CEF.PanOSDGl4]
Variable 41 PAN OS Dst UUID: [CEF.PanOSDstUUID]
Variable 42 PAN OS Monitor Tag: [CEF.PanOSMonitorTag]
Variable 43 Packets Received: [CEF.PanOSPacketsReceived]
Variable 44 Packets Sent: [CEF.PanOSPacketsSent]
Variable 45 Parent session ID: [CEF.PanOSParentSessionI
Variable 46 Parent tunnel session start: [CEF.PanOSParentStartTime]
Variable 47 PAN OS Referer: [CEF.PanOSReferer]
Variable 48 PAN OS Src UUID: [CEF.PanOSSrcUUID]
Variable 49 PAN OS Threat Category: [CEF.PanOSThreatCategory]
Variable 50 PAN OS dropped packets: [CEF.PanOSTunnelFragment]
Variable 51 PAN OS Tunnel type: [CEF.PanOSTunnelType
Variable 52 PAN OS Tunnel ID: [CEF.PanOSTunnelID]
Variable 53 Full virtual system name: [CEF.PanOSVsysName]
Variable 54 PAN OS Threat Category: [CEF.PanOSThreatCategory]
Variable 55 PAN OS X-Forwarder: [CEF.PanOSXforwarderfor]