topic Parsing Rule - SonicWall NGFW in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-rule-sonicwall-ngfw/m-p/1241462#M8855 <P>Your mileage may vary. Here's what I came up with&nbsp;<BR /><BR /></P> <LI-CODE lang="python">[COLLECT:vendor="SonicWall", product="NGFW", target_brokers=*, no_hit=keep] alter raw_timestamp = arrayindex(regextract(_raw_log, "time=\"([^\"]+)\""), 0), device = arrayindex(regextract(_raw_log, "id=(\w+)\s"), 0), serial_number = arrayindex(regextract(_raw_log, "sn=([A-Z0-9]+)"), 0), firewall_ip = arrayindex(regextract(_raw_log, "fw=([\d\.]+)"), 0), priority = to_integer(arrayindex(regextract(_raw_log, "pri=(\d+)"), 0)), category = arrayindex(regextract(_raw_log, "c=(\d+)"), 0), event_id = arrayindex(regextract(_raw_log, "m=(\d+)"), 0), message = arrayindex(regextract(_raw_log, "msg=\"([^\"]+)\""), 0), n = to_integer(arrayindex(regextract(_raw_log, "n=(\d+)"), 0)), action = arrayindex(regextract(_raw_log, "fw_action=\"([^\"]+)\""), 0), source_ip = arrayindex(regextract(_raw_log, "src=([\d\.]+)"), 0), destination_ip = arrayindex(regextract(_raw_log, "dst=([\d\.]+)"), 0), protocol = arrayindex(regextract(_raw_log, "proto=([^\s]+)"), 0), source_port = to_integer(arrayindex(regextract(_raw_log, "src=[\d\.]+:(\d+)"), 0)), destination_port = to_integer(arrayindex(regextract(_raw_log, "dst=[\d\.]+:(\d+)"), 0)), note = arrayindex(regextract(_raw_log, "note=\"(.*)\"\sfw"), 0), session = arrayindex(regextract(_raw_log, "sess=\"([^\"]+)\""), 0), firewall_rule = arrayindex(regextract(_raw_log, "rule=\"([^\"]+)\""), 0), src_MAC = arrayindex(regextract(_raw_log, "srcMac=([0-9a-fA-F:]+)"), 0), dst_MAC = arrayindex(regextract(_raw_log, "dstMac=([0-9a-fA-F:]+)"), 0), duration = to_integer(arrayindex(regextract(_raw_log, "dur=(\d+)"), 0)), bytes_sent = to_integer(arrayindex(regextract(_raw_log, "sent=(\d+)"), 0)), bytes_received = to_integer(arrayindex(regextract(_raw_log, "rcvd=(\d+)"), 0)), username = arrayindex(regextract(_raw_log, "usr=\"([^\"]+)\""), 0), app_name = arrayindex(regextract(_raw_log, "app=(\d+)"), 0), base_url = arrayindex(regextract(_raw_log, "dstname=([^\s]+)"), 0), url_argument = arrayindex(regextract(_raw_log, "arg=([^\s]+)"), 0), category_code = to_integer(arrayindex(regextract(_raw_log, "code=(\d+)"), 0)), category_name = arrayindex(regextract(_raw_log, "Category=\"([^\"]+)\""), 0), icmp_type = to_integer(arrayindex(regextract(_raw_log, "type=(\d+)"), 0)), icmp_code = to_integer(arrayindex(regextract(_raw_log, "icmpCode=(\d+)"), 0)), signature_id = to_integer(arrayindex(regextract(_raw_log, "sid=(\d+)"), 0)), ips_category = arrayindex(regextract(_raw_log, "ipscat=\"([^\"]+)\""), 0), ips_priority = to_integer(arrayindex(regextract(_raw_log, "ipspri=(\d+)"), 0)); [INGEST:vendor="SonicWall", product="NGFW", target_dataset="sonicwall_ngfw_raw", no_hit=keep] alter parse_rule_date = "2025-11-07";</LI-CODE> <P>&nbsp;</P> Fri, 07 Nov 2025 22:36:18 GMT Jesse_Siegrist 2025-11-07T22:36:18Z Parsing Rule - SonicWall NGFW https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-rule-sonicwall-ngfw/m-p/1241462#M8855 <P>Your mileage may vary. Here's what I came up with&nbsp;<BR /><BR /></P> <LI-CODE lang="python">[COLLECT:vendor="SonicWall", product="NGFW", target_brokers=*, no_hit=keep] alter raw_timestamp = arrayindex(regextract(_raw_log, "time=\"([^\"]+)\""), 0), device = arrayindex(regextract(_raw_log, "id=(\w+)\s"), 0), serial_number = arrayindex(regextract(_raw_log, "sn=([A-Z0-9]+)"), 0), firewall_ip = arrayindex(regextract(_raw_log, "fw=([\d\.]+)"), 0), priority = to_integer(arrayindex(regextract(_raw_log, "pri=(\d+)"), 0)), category = arrayindex(regextract(_raw_log, "c=(\d+)"), 0), event_id = arrayindex(regextract(_raw_log, "m=(\d+)"), 0), message = arrayindex(regextract(_raw_log, "msg=\"([^\"]+)\""), 0), n = to_integer(arrayindex(regextract(_raw_log, "n=(\d+)"), 0)), action = arrayindex(regextract(_raw_log, "fw_action=\"([^\"]+)\""), 0), source_ip = arrayindex(regextract(_raw_log, "src=([\d\.]+)"), 0), destination_ip = arrayindex(regextract(_raw_log, "dst=([\d\.]+)"), 0), protocol = arrayindex(regextract(_raw_log, "proto=([^\s]+)"), 0), source_port = to_integer(arrayindex(regextract(_raw_log, "src=[\d\.]+:(\d+)"), 0)), destination_port = to_integer(arrayindex(regextract(_raw_log, "dst=[\d\.]+:(\d+)"), 0)), note = arrayindex(regextract(_raw_log, "note=\"(.*)\"\sfw"), 0), session = arrayindex(regextract(_raw_log, "sess=\"([^\"]+)\""), 0), firewall_rule = arrayindex(regextract(_raw_log, "rule=\"([^\"]+)\""), 0), src_MAC = arrayindex(regextract(_raw_log, "srcMac=([0-9a-fA-F:]+)"), 0), dst_MAC = arrayindex(regextract(_raw_log, "dstMac=([0-9a-fA-F:]+)"), 0), duration = to_integer(arrayindex(regextract(_raw_log, "dur=(\d+)"), 0)), bytes_sent = to_integer(arrayindex(regextract(_raw_log, "sent=(\d+)"), 0)), bytes_received = to_integer(arrayindex(regextract(_raw_log, "rcvd=(\d+)"), 0)), username = arrayindex(regextract(_raw_log, "usr=\"([^\"]+)\""), 0), app_name = arrayindex(regextract(_raw_log, "app=(\d+)"), 0), base_url = arrayindex(regextract(_raw_log, "dstname=([^\s]+)"), 0), url_argument = arrayindex(regextract(_raw_log, "arg=([^\s]+)"), 0), category_code = to_integer(arrayindex(regextract(_raw_log, "code=(\d+)"), 0)), category_name = arrayindex(regextract(_raw_log, "Category=\"([^\"]+)\""), 0), icmp_type = to_integer(arrayindex(regextract(_raw_log, "type=(\d+)"), 0)), icmp_code = to_integer(arrayindex(regextract(_raw_log, "icmpCode=(\d+)"), 0)), signature_id = to_integer(arrayindex(regextract(_raw_log, "sid=(\d+)"), 0)), ips_category = arrayindex(regextract(_raw_log, "ipscat=\"([^\"]+)\""), 0), ips_priority = to_integer(arrayindex(regextract(_raw_log, "ipspri=(\d+)"), 0)); [INGEST:vendor="SonicWall", product="NGFW", target_dataset="sonicwall_ngfw_raw", no_hit=keep] alter parse_rule_date = "2025-11-07";</LI-CODE> <P>&nbsp;</P> Fri, 07 Nov 2025 22:36:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-rule-sonicwall-ngfw/m-p/1241462#M8855 Jesse_Siegrist 2025-11-07T22:36:18Z