-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathwildfire1_json.json
111 lines (111 loc) · 7.55 KB
/
wildfire1_json.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
{
"input": {
"message": "{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n"
},
"expected": {
"message": "{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n",
"event": {
"action": "block",
"category": [
"malware"
],
"dataset": "threat",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2023-05-30T06:52:13Z",
"action": {
"name": "block",
"outcome": "success",
"type": "wildfire"
},
"destination": {
"address": "5.6.7.8",
"geo": {
"country_iso_code": "CN"
},
"ip": "5.6.7.8",
"nat": {
"ip": "8.7.6.5",
"port": 80
},
"port": 80
},
"file": {
"name": "mp3.exe"
},
"log": {
"hostname": "MyDevice",
"level": "Informational",
"logger": "threat"
},
"network": {
"application": "web-browsing"
},
"observer": {
"egress": {
"interface": {
"alias": "Untrust"
}
},
"ingress": {
"interface": {
"alias": "Trust"
}
},
"name": "MyDevice",
"product": "PAN-OS",
"serial_number": "111111111111"
},
"paloalto": {
"DGHierarchyLevel1": "997",
"DGHierarchyLevel2": "738",
"DGHierarchyLevel3": "0",
"DGHierarchyLevel4": "0",
"DirectionOfAttack": "server to client",
"Threat_ContentType": "wildfire",
"VirtualLocation": "vsys1",
"endpoint": {
"serial_number": "xxxxxxxxxxx"
},
"threat": {
"id": "Windows Executable (EXE)(52020)"
}
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8",
"8.7.6.5"
],
"user": [
"john.doe",
"john.doe@example.org"
]
},
"rule": {
"name": "Normal Internet Access browser",
"uuid": "50afdf91-0d37-4729-8052-1382912d9895"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 40114
},
"port": 55555,
"user": {
"name": "john.doe@example.org"
}
},
"user": {
"domain": "example.org",
"email": "john.doe@example.org",
"name": "john.doe"
}
}
}