Error in CEF format for Threat logs

Reply
Highlighted
L2 Linker

Error in CEF format for Threat logs

The following guide provides the parsing for CEF-style Log Formats for PAN-OS 9.1:

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-91-cef-configuration-gui...

 

We have been using this for a while, but because now we have a 2nd source of logs (PRISMA) aside from Panorama, we just found out the parsing suggested for "Threat" log is not correct in our opinion, and that was causing some issues on our SIEM use-cases.

 

In short, this field is wrong and should be replaced by $subtype:

 

Threat CEF:0|Palo Alto
Networks|PAN-OS|$sender_sw_version|$threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time
deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc
destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app
cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to
deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset
cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport
destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action
request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction
PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1
PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4
PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid
PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id
PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category
PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers
PanOSURLCatList=$url_category_list PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection
PanDynamicUsrgrp=$dynusergroup_name

 

 

  • How can we get this fixed in the document?
  • Additionally, is it possible to get the document updated with PAN-OS 10 in here?
Highlighted
Community Team Member

Hi @MarcelST ,

 

Thanks for the heads up.  I've requested a review of the DOC with your information.

 

Cheers !

-Kiwi.

 
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!