
This is the field order of the Threat log format on Palo Alto firewall appliances.

It should be a useful reference when writing the parsing and detection expressions for an ESM <-> Palo Alto firewall integration.

1. FUTURE_USE
2. Receive Time
3. Serial Number
4. Type
5. Threat/Content Type
6. FUTURE_USE
7. Generated Time
8. Source IP
9. Destination IP
10. NAT Source IP
11. NAT Destination IP
12. Rule Name
13. Source User
14. Destination User
15. Application
16. Virtual System
17. Source Zone
18. Destination Zone
19. Inbound Interface
20. Outbound Interface
21. Log Action
22. FUTURE_USE
23. Session ID
24. Repeat Count
25. Source Port
26. Destination Port
27. NAT Source Port
28. NAT Destination Port
29. Flags
30. Protocol
31. Action
32. URL/Filename
33. Threat ID
34. Category
35. Severity
36. Direction
37. Sequence Number
38. Action Flags
39. Source Location
40. Destination Location
41. FUTURE_USE
42. Content Type
43. PCAP_ID
44. File Digest
45. Cloud
46. URL Index
47. User Agent
48. File Type
49. X-Forwarded-For
50. Referer
51. Sender
52. Subject
53. Recipient
54. Report ID
55. Device Group Hierarchy Level 1
56. Device Group Hierarchy Level 2
57. Device Group Hierarchy Level 3
58. Device Group Hierarchy Level 4
59. Virtual System Name
60. Device Name
61. FUTURE_USE
62. Source VM UUID
63. Destination VM UUID
64. HTTP Method
65. Tunnel ID/IMSI
66. Monitor Tag/IMEI
67. Parent Session ID
68. Parent Start Time
69. Tunnel Type
70. Threat Category
71. Content Version
72. FUTURE_USE
73. SCTP Association ID
74. Payload Protocol ID
75. HTTP Headers


Source: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html#id83052cb2-4798-4f9c-abf8-e0b929ce7a3b
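The following is an added example, not code from the original post or from Palo Alto Networks, showing how the field order above is used when parsing a Threat log line on the ESM side. It assumes the collector has already stripped the syslog header (PRI, timestamp, hostname) and hands over only the comma-separated body. The sample log line is constructed for this example; the serial number, signature name and addresses are placeholders. The practical point it demonstrates is that fields such as URL/Filename and User Agent may be quoted and contain commas, so a plain split on "," misaligns every later field, while a CSV reader keeps the 75 positions intact.

```python
import csv
from typing import Dict, List, Union

# Field order of the PAN-OS 8.1 Threat log, copied from the list above.
# Vendor docs and ESM rules count positions from 1; this list is 0-based,
# so THREAT_FIELDS[7] is field 8 (Source IP).
THREAT_FIELDS: List[str] = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Threat/Content Type",
    "FUTURE_USE", "Generated Time", "Source IP", "Destination IP", "NAT Source IP",
    "NAT Destination IP", "Rule Name", "Source User", "Destination User", "Application",
    "Virtual System", "Source Zone", "Destination Zone", "Inbound Interface",
    "Outbound Interface", "Log Action", "FUTURE_USE", "Session ID", "Repeat Count",
    "Source Port", "Destination Port", "NAT Source Port", "NAT Destination Port",
    "Flags", "Protocol", "Action", "URL/Filename", "Threat ID", "Category", "Severity",
    "Direction", "Sequence Number", "Action Flags", "Source Location",
    "Destination Location", "FUTURE_USE", "Content Type", "PCAP_ID", "File Digest",
    "Cloud", "URL Index", "User Agent", "File Type", "X-Forwarded-For", "Referer",
    "Sender", "Subject", "Recipient", "Report ID", "Device Group Hierarchy Level 1",
    "Device Group Hierarchy Level 2", "Device Group Hierarchy Level 3",
    "Device Group Hierarchy Level 4", "Virtual System Name", "Device Name",
    "FUTURE_USE", "Source VM UUID", "Destination VM UUID", "HTTP Method",
    "Tunnel ID/IMSI", "Monitor Tag/IMEI", "Parent Session ID", "Parent Start Time",
    "Tunnel Type", "Threat Category", "Content Version", "FUTURE_USE",
    "SCTP Association ID", "Payload Protocol ID", "HTTP Headers",
]

# Fields an ESM normally wants as integers for range/threshold rules.
INT_FIELDS = {"Session ID", "Repeat Count", "Source Port", "Destination Port",
              "NAT Source Port", "NAT Destination Port", "Sequence Number"}


def field_name(position: int) -> str:
    """Name of the 1-based field position, the numbering used in the vendor docs."""
    if not 1 <= position <= len(THREAT_FIELDS):
        raise IndexError(f"threat log has {len(THREAT_FIELDS)} fields, not {position}")
    return THREAT_FIELDS[position - 1]


def parse_threat_log(body: str) -> Dict[str, Union[str, int]]:
    """Parse the CSV body of one Threat log line into a name -> value dict.

    `body` is the text after the syslog header, which the collector is assumed
    (in this example) to have removed already.
    """
    values = next(csv.reader([body]))  # honours quoted fields that contain commas
    if len(values) > len(THREAT_FIELDS):
        # More fields than the format defines usually means an unquoted comma
        # or a newer log schema; refuse rather than silently misalign.
        raise ValueError(f"expected at most {len(THREAT_FIELDS)} fields, got {len(values)}")
    # Older releases emit fewer trailing fields; pad so lookups never KeyError.
    values += [""] * (len(THREAT_FIELDS) - len(values))
    record: Dict[str, Union[str, int]] = {}
    for name, value in zip(THREAT_FIELDS, values):
        if name == "FUTURE_USE":  # reserved positions carry nothing useful
            continue
        record[name] = int(value) if name in INT_FIELDS and value else value
    return record


# Constructed sample Threat log body (75 fields); each chunk is commented with
# the 1-based field positions it covers. Values are placeholders, not real data.
SAMPLE_LINE = (
    # 1-7: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time
    "1,2024/01/15 10:23:45,001234567890,THREAT,vulnerability,2561,2024/01/15 10:23:44,"
    # 8-14: Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User
    "10.0.0.5,192.0.2.10,203.0.113.7,192.0.2.10,allow-web,corp\\alice,,"
    # 15-21: Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default-profile,"
    # 22-28: FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port
    "2024/01/15 10:23:45,123456,1,51234,80,51234,80,"
    # 29-35: Flags, Protocol, Action, URL/Filename (quoted, embedded comma), Threat ID, Category, Severity
    "0x400000,tcp,reset-both,\"example.com/index.php?id=1,2\",\"Constructed Test Signature(99999)\",any,high,"
    # 36-42: Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type
    "client-to-server,7890123,0x0,10.0.0.0-10.255.255.255,US,0,,"
    # 43-49: PCAP_ID, File Digest, Cloud, URL Index, User Agent (quoted, embedded comma), File Type, X-Forwarded-For
    "0,,,0,\"Mozilla/5.0 (X11; Linux x86_64, rv:109.0)\",,,"
    # 50-56: Referer, Sender, Subject, Recipient, Report ID, Device Group Level 1, Device Group Level 2
    ",,,,0,0,0,"
    # 57-63: Device Group Level 3, Device Group Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID
    "0,0,,PA-FW-01,,,,"
    # 64-70: HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category
    "GET,0,,0,,N/A,code-execution,"
    # 71-75: Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers
    "AppThreat-0000-0000,,0,0,"
)


def naive_field_count(body: str) -> int:
    """Field count a plain split on ',' would see; used to show why that breaks."""
    return len(body.split(","))


if __name__ == "__main__":
    rec = parse_threat_log(SAMPLE_LINE)
    for key in ("Receive Time", "Source IP", "Destination Port", "Threat ID",
                "Severity", "URL/Filename", "User Agent", "Device Name"):
        print(f"{key:17} = {rec[key]!r}")
    print("naive split sees", naive_field_count(SAMPLE_LINE), "fields, format defines", len(THREAT_FIELDS))
```

When writing positional regex rules in the ESM instead of a CSV-aware parser, `field_name()` gives the name for a 1-based position so the rule and this table stay in step, and the field-count check in `parse_threat_log()` is the cheapest way to catch a schema change or an unquoted comma before it silently shifts Source IP into the wrong column.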
