-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
Copy pathfields.yml
333 lines (287 loc) · 11.2 KB
/
fields.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
- name: panos
type: group
description: >
Fields for the Palo Alto Networks PAN-OS logs.
fields:
- name: ruleset
type: keyword
description: >
Name of the rule that matched this session.
- name: source
type: group
description: >
Fields to extend the top-level source object.
fields:
- name: zone
type: keyword
description: >
Source zone for this session.
- name: interface
type: keyword
description: >
Source interface for this session.
- name: nat
type: group
description: >
Post-NAT source address, if source NAT is performed.
fields:
- name: ip
type: ip
description: >
Post-NAT source IP.
- name: port
type: long
description: >
Post-NAT source port.
- name: destination
type: group
description: >
Fields to extend the top-level destination object.
fields:
- name: zone
type: keyword
description: >
Destination zone for this session.
- name: interface
type: keyword
description: >
Destination interface for this session.
- name: nat
type: group
description: >
Post-NAT destination address, if destination NAT is performed.
fields:
- name: ip
type: ip
description: >
Post-NAT destination IP.
- name: port
type: long
description: >
Post-NAT destination port.
- name: endreason
type: keyword
description: >
The reason a session terminated.
- name: network
type: group
description: >
Fields to extend the top-level network object.
fields:
- name: pcap_id
type: keyword
description: >
Packet capture ID for a threat.
- name: nat
type: group
fields:
- name: community_id
type: keyword
description: >
Community ID flow-hash for the NAT 5-tuple.
- name: file
type: group
description: >
Fields to extend the top-level file object.
fields:
- name: hash
description: >
Binary hash for a threat file sent to be analyzed
by the WildFire service.
type: keyword
- name: url
type: group
description: >
Fields to extend the top-level url object.
fields:
- name: category
type: keyword
description: >
For threat URLs, it's the URL category.
For WildFire, the verdict on the file and is
either 'malicious', 'grayware', or 'benign'.
- name: flow_id
type: keyword
description: >
Internal numeric identifier for each session.
- name: sequence_number
type: long
description: >
Log entry identifier that is incremented sequentially.
Unique for each log type.
- name: threat.resource
type: keyword
description: >
URL or file name for a threat.
- name: threat.id
type: keyword
description: >
Palo Alto Networks identifier for the threat.
- name: threat.name
type: keyword
description: >
Palo Alto Networks name for the threat.
- name: action
type: keyword
description: >-
Action taken for the session.
- name: type
description: >-
Specifies the type of the log
- name: sub_type
description: >-
Specifies the sub type of the log
- name: virtual_sys
type: keyword
description: >
Virtual system instance
- name: client_os_ver
type: keyword
description: >
The client device’s OS version.
- name: client_os
type: keyword
description: >
The client device’s OS version.
- name: client_ver
type: keyword
description: >
The client’s GlobalProtect app version.
- name: stage
type: keyword
example: before-login
description: >
A string showing the stage of the connection
- name: actionflags
type: keyword
description: >
A bit field indicating if the log was forwarded to Panorama.
- name: error
type: keyword
description: >
A string showing that error that has occurred in any event.
- name: error_code
type: integer
description: >
An integer associated with any errors that occurred.
- name: repeatcnt
type: integer
description: >
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.
- name: serial_number
type: keyword
description: >
The serial number of the user’s machine or device.
- name: auth_method
type: keyword
example: LDAP
description: >
A string showing the authentication type
- name: datasource
type: keyword
description: >
Source from which mapping information is collected.
- name: datasourcetype
type: keyword
description: >
Mechanism used to identify the IP/User mappings within a data source.
- name: datasourcename
type: keyword
description: >
User-ID source that sends the IP (Port)-User Mapping.
- name: factorno
type: integer
description: >
Indicates the use of primary authentication (1) or additional factors (2, 3).
- name: factortype
type: keyword
description: >
Vendor used to authenticate a user when Multi Factor authentication is present.
- name: factorcompletiontime
type: date
description: >
Time the authentication was completed.
- name: ugflags
type: keyword
description: |
Displays whether the user group that was found during user group mapping. Supported values are:
User Group Found—Indicates whether the user could be mapped to a group.
Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.
- name: device_group_hierarchy
type: group
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
fields:
- name: level_1
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: level_2
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: level_3
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: level_4
type: keyword
description: >
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
- name: timeout
type: integer
description: >
Timeout after which the IP/User Mappings are cleared.
- name: vsys_id
type: keyword
description: >
A unique identifier for a virtual system on a Palo Alto Networks firewall.
- name: vsys_name
type: keyword
description: >
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
- name: description
type: keyword
description: >
Additional information for any event that has occurred.
- name: tunnel_type
type: keyword
description: >
The type of tunnel (either SSLVPN or IPSec).
- name: connect_method
type: keyword
description: >
A string showing the how the GlobalProtect app connects to Gateway
- name: matchname
type: keyword
description: >
Name of the HIP object or profile.
- name: matchtype
type: keyword
description: >
Whether the hip field represents a HIP object or a HIP profile.
- name: priority
type: keyword
description: >
The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
- name: response_time
type: keyword
description: >
The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
- name: attempted_gateways
type: keyword
description: >
The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
- name: gateway
type: keyword
description: >
The name of the gateway that is specified on the portal configuration.
- name: selection_type
type: keyword
description: >
The connection method that is selected to connect to the gateway.