10-08-2025 08:23 AM
I'm troubleshooting an issue with Rapid7 ingestion of our logs from our Palo Alto firewalls into what they call an "IDS log." We need to write a custom parser to properly parse the source data, but that means we need the headers for all of the fields so that we can translate them into Rapid7's lingo. It seems like this "IDS log" is a combination of several logs we have on the Palo Alto side, like threat, data filtering, etc.
Here is an example:
"source_data": "<11>Oct 7 12:36:53 fwl-msn-01.internal.unityhealth.com 1,2025/10/07 12:36:52,026701021417,THREAT,vulnerability,2818,2025/10/07 12:36:52,10.190.112.25,10.190.2.15,0.0.0.0,0.0.0.0,TEMP VPN Access catch-all-inbound,gina.young@quartzbenefits.com,,ms-ds-smbv3,vsys1,msn-gp-vpn,msn-inside,tunnel.1,ae5,default,2025/10/07 12:36:53,710977,1,61797,445,0,0,0x80002000,tcp,reset-both,,SMB: User Password Brute Force Attempt(40004),any,high,client-to-server,7553832199328033667,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,,,1152921504606891123,,,0,,,,,,,,0,0,0,0,0,,fwl-msn-01,,,,,0,,0,,N/A,brute-force,AppThreat-9027-9675,0x0,0,4294967295,,,311967b4-3f80-4811-9817-336dc84dd2df,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2025-10-07T12:36:53.080-05:00,,,,storage-backup,business-systems,client-server,3,"able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",ms-ds-smb,untunneled,no,no,,,NonProxyTraffic,,false,0,0,,,,0",
Has anyone else run into this, or does anyone know where I might find documentation so that I can match each of these fields to what it is?
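As an added example (not from the original post, and not Palo Alto Networks' or Rapid7's code), here is a parser that splits a PAN-OS THREAT syslog line like the one above into named fields. Two things matter for a custom parser: the firewall prepends a standard syslog header (`<PRI>`, timestamp, hostname) that has to be stripped before the CSV payload, and the payload is real CSV, so fields such as Application Characteristic are double-quoted and contain commas; a naive `split(",")` would shift every field after them. The field names below follow the order published in the PAN-OS "Threat Log Fields" reference as recalled by the author of this example; treat that ordering as an assumption and check it against the documentation for the PAN-OS version the firewall is running. Fields the firewall appends beyond the last name in the list are kept positionally as `extra_N`. The sample line is the one from the post.

```python
"""Name the fields of a PAN-OS THREAT syslog line (added example, not vendor code).

Assumptions: field order as in the PAN-OS "Threat Log Fields" reference (verify
for your PAN-OS version); the Rapid7 "IDS log" is fed by Type == THREAT lines.
"""
import csv
import io
import re

# Syslog header the firewall prepends: <PRI>Mon  D HH:MM:SS hostname <payload>
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<payload>.*)$",
    re.DOTALL,
)

# Positional names for the CSV payload. FUTURE_USE positions are named as the
# vendor document names them; in practice position 6 carries the config version
# and position 22 the time the record was logged.
THREAT_FIELDS = [
    "future_use_1", "receive_time", "serial_number", "type", "threat_content_type",
    "future_use_2", "generated_time", "src_ip", "dst_ip", "nat_src_ip", "nat_dst_ip",
    "rule_name", "src_user", "dst_user", "application", "virtual_system", "src_zone",
    "dst_zone", "inbound_interface", "outbound_interface", "log_action", "future_use_3",
    "session_id", "repeat_count", "src_port", "dst_port", "nat_src_port", "nat_dst_port",
    "flags", "protocol", "action", "url_filename", "threat_content_name", "category",
    "severity", "direction", "sequence_number", "action_flags", "src_location",
    "dst_location", "future_use_4", "content_type", "pcap_id", "file_digest", "cloud",
    "url_index", "user_agent", "file_type", "x_forwarded_for", "referer", "sender",
    "subject", "recipient", "report_id", "dg_hierarchy_level_1", "dg_hierarchy_level_2",
    "dg_hierarchy_level_3", "dg_hierarchy_level_4", "virtual_system_name", "device_name",
    "future_use_5", "src_vm_uuid", "dst_vm_uuid", "http_method", "tunnel_id_imsi",
    "monitor_tag_imei", "parent_session_id", "parent_start_time", "tunnel_type",
    "threat_category", "content_version", "future_use_6", "sctp_association_id",
    "payload_protocol_id", "http_headers", "url_category_list", "rule_uuid",
    "http2_connection", "dynamic_user_group_name", "x_forwarded_for_ip",
    "src_device_category", "src_device_profile", "src_device_model", "src_device_vendor",
    "src_device_os_family", "src_device_os_version", "src_hostname", "src_mac_address",
    "dst_device_category", "dst_device_profile", "dst_device_model", "dst_device_vendor",
    "dst_device_os_family", "dst_device_os_version", "dst_hostname", "dst_mac_address",
    "container_id", "pod_namespace", "pod_name", "src_edl", "dst_edl", "host_id",
    "serial_number_2", "domain_edl", "src_dynamic_address_group", "dst_dynamic_address_group",
    "partial_hash", "high_resolution_timestamp", "reason", "justification",
    "a_slice_service_type", "app_subcategory", "app_category", "app_technology",
    "app_risk", "app_characteristic", "app_container", "tunneled_application",
    "app_saas", "app_sanctioned_state", "cloud_report_id", "cluster_name", "flow_type",
]


def parse_pan_threat(line: str) -> dict:
    """Map one PAN-OS THREAT syslog line to a dict keyed by field name.

    Raises ValueError when the syslog header is missing or the Type field is not
    THREAT: TRAFFIC and SYSTEM records use different layouts, so a mixed feed
    must fail loudly rather than silently mislabel fields.
    """
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        raise ValueError("missing syslog header (<PRI>, timestamp, hostname)")
    # Quoted fields carry embedded commas, so use a real CSV reader, not split(",").
    values = next(csv.reader(io.StringIO(m.group("payload"))))
    if len(values) < len(THREAT_FIELDS):
        raise ValueError(f"expected at least {len(THREAT_FIELDS)} fields, got {len(values)}")
    if values[3] != "THREAT":
        raise ValueError(f"not a THREAT record (Type={values[3]!r})")
    record = dict(zip(THREAT_FIELDS, values))
    # Newer PAN-OS releases append fields after Flow Type; keep them positionally.
    for i, extra in enumerate(values[len(THREAT_FIELDS):], start=1):
        record[f"extra_{i}"] = extra
    pri = int(m.group("pri"))
    record["syslog_facility"] = pri // 8   # <11> -> facility 1 (user)
    record["syslog_severity"] = pri % 8    # <11> -> severity 3 (err)
    record["syslog_hostname"] = m.group("hostname")
    return record


# The example line from the post (JSON escaping removed).
SAMPLE = (
    '<11>Oct 7 12:36:53 fwl-msn-01.internal.unityhealth.com 1,2025/10/07 12:36:52,'
    '026701021417,THREAT,vulnerability,2818,2025/10/07 12:36:52,10.190.112.25,10.190.2.15,'
    '0.0.0.0,0.0.0.0,TEMP VPN Access catch-all-inbound,gina.young@quartzbenefits.com,,'
    'ms-ds-smbv3,vsys1,msn-gp-vpn,msn-inside,tunnel.1,ae5,default,2025/10/07 12:36:53,'
    '710977,1,61797,445,0,0,0x80002000,tcp,reset-both,,SMB: User Password Brute Force '
    'Attempt(40004),any,high,client-to-server,7553832199328033667,0x0,'
    '10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,,,1152921504606891123,,,0,,,,,,,,0,'
    '0,0,0,0,,fwl-msn-01,,,,,0,,0,,N/A,brute-force,AppThreat-9027-9675,0x0,0,4294967295,,,'
    '311967b4-3f80-4811-9817-336dc84dd2df,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,'
    '2025-10-07T12:36:53.080-05:00,,,,storage-backup,business-systems,client-server,3,'
    '"able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",'
    'ms-ds-smb,untunneled,no,no,,,NonProxyTraffic,,false,0,0,,,,0'
)

if __name__ == "__main__":
    for name, value in parse_pan_threat(SAMPLE).items():
        if value != "":
            print(f"{name} = {value}")
```

Once the positional names are right for your PAN-OS version, the Rapid7 field mapping is a rename of these keys; dispatch on `type` before choosing a field list, because the subtypes that land in the "IDS log" (vulnerability, spyware, virus, url, data, wildfire, and so on) all share the THREAT layout, while TRAFFIC and SYSTEM records do not.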

