
update palo alto url.original #1422

Open: wants to merge 5 commits into base: main

Conversation

rombernier (Contributor) commented Jan 7, 2025

We should always parse the URL into url.original; the consistency is better for client search and automation. (PS: I don't know the source of the registered domain field and the top-level domain field.)

github-actions bot commented Jan 7, 2025

Smart descriptions generated from the latest tests at 2025-01-09 13:57:11:

| Test File | Smart Description |
|---|---|
| Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json | login:start for user1 from 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json | login:start for user1 from 10.0.0.2 |
| Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json | src_mac_list-2 connected with xxxxx |
| Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json | Encrypted connection from 1.1.1.1 to 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/file_cef.json | alert threat between 1.1.1.1 and 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json | Session ended between 1.2.3.4:51413 and 5.6.7.8:5985 |
| Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json | Session ended between 1.2.3.4:51413 and 5.6.7.8:5985 |
| Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json | Client cert not present |
| Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json | user from 1.2.3.4 connected |
| Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json | test from 88.120.236.74 connected |
| Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json | Host Information Profile from 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json | Session started between 1.2.3.4 and 4.3.2.1 |
| Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json | Connection from 1.1.1.1 to 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json | alert threat between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json | alert threat between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json | Connection from 1.1.1.1 to 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/system_csv.json | authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4. |
| Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json | Session started between 1.2.3.4:61000 and 4.3.2.1:80 |
| Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json | CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294. |
| Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json | Encrypted connection from 1.2.3.4 to 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json | Encrypted connection from 1.2.3.4 to 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json | Connection from 1.2.3.4 to 1.2.3.1 |
| Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json | DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: :: |
| Palo Alto Networks/paloalto-ngfw/tests/test_dns_response.json | 5.6.7.8 send DNS query a. Resolution: 8.9.1.2. Category: benign |
| Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json | User-ID server monitor test05(vsystest) Access denied |
| Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json | Connection from 0.0.1.1 to 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json | Connection from 1.2.3.4 to 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json | Connection from 1.2.2.7 to 1.7.4.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json | alert threat between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json | JDOE from 1.2.3.4 connected through SSLVPN |
| Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json | Host Information Profile from 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json | Host Information Profile from 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json | Installed contents package: panupv2-all-contents-8676-7858.tgz |
| Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json | alert threat between 5.6.7.8 and 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json | alert threat between 4.3.2.1 and 5.2.1.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json | client logout |
| Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json | reset-both threat between 1.2.1.3 and 2.2.1.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json | alert threat between 19.16.1.6 and 17.25.11.9 |
| Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json | NTP sync to server de.pool.ntp.org |
| Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json | Port ethernet1/2: Up 10Gb/s-full duplex |
| Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json | Successfully registered to Public Cloud wildfire.paloaltonetworks.com |
| Palo Alto Networks/paloalto-ngfw/tests/test_system.json | unknown test peer |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json | Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json | PAN-DB was upgraded to version 20230203.20250. |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json | Connection from 1.2.3.4 to 1.2.3.1 |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json | Connection from 1.2.5.5 to 1.7.4.2 |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_14.json | Connection from 5.6.7.8 to 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json | Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json | WildFire update job succeeded for user Auto update agent |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json | Connection to Update server: completed successfully, initiated by 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json | WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json | WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json | WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json | Connection from 1.2.3.4 to updates.paloaltonetworks.com |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json | Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz |
| Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json | WildFire version 739613-742993 downloaded by Auto update agent |
| Palo Alto Networks/paloalto-ngfw/tests/test_threat.json | alert threat between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json | reset-both threat between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json | Request made to server "server_test.com" is successful . |
| Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json | Session ended between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json | Session ended between 1.2.3.4 and 5.6.7.8 |
| Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json | Content update job succeeded for user admin |
| Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json | Content package upgraded from version 8671-7826 to 8676-7858 by admin |
| Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json | authenticated for user 'admin'. From: 1.2.3.4. |
| Palo Alto Networks/paloalto-ngfw/tests/test_userid.json | login:start for JDOE from 1.2.3.4 |
| Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json | User admin logged in via Web from 1.2.3.4 using https |
| Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json | Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com |
| Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json | alert threat between 10.0.0.2 and 192.168.0.1 |
| Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json | drop-all threat between 1.1.1.1 and 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json | alert threat between 10.0.0.2 and 10.2.0.1 |
| Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json | Connection from 1.2.3.4 to host LF-5698-NR 5.6.7.8:443 matched the rule SO Access |
| Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json | Session ended between NULL:63516 and 1.1.1.1:443 |
| Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json | Connection from 1.1.1.1 to host xxxxx 1.1.1.1:27092 matched the rule deny-attackers |
| Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json | Session ended between 1.2.3.4:60975 and 5.6.7.8:443 |
| Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json | Session denied between 10.0.0.2:130000 and 1.2.3.4:53 |
| Palo Alto Networks/paloalto-ngfw/tests/url_cef.json | block-url threat between 1.1.1.1 and 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json | 1.1.1.1 logout from xxxxx on 1.1.1.1 |
| Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json | block threat between 1.2.3.4 and 5.6.7.8 |

@rombernier rombernier requested a review from squioc January 7, 2025 15:02

rombernier (Contributor Author) commented:

Hello @squioc, I've updated the parser, let me know if it's better :)

@@ -799,16 +799,8 @@ stages:
url.original: "{{parsed_event.message.URL}}"

- set:
url.original: "{{parsed_event.message.FileName or parsed_event.message.URLFilename}}"
url.domain: '{{final.url.original.split("/")[0].split(":")[0]}}'
url.original: "https://{{parsed_event.message.FileName or parsed_event.message.URLFilename}}"
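Review bot: the `url.domain` expression `final.url.original.split("/")[0].split(":")[0]` only yields a host when `url.original` carries no scheme; evaluated on the new `https://`-prefixed value it returns `https`, and when neither `FileName` nor `URLFilename` is set `url.original` becomes the literal `https://` with `url.domain` equal to `https`. Guard this `set` stage with a filter on `parsed_event.message.FileName or parsed_event.message.URLFilename` being non-empty, and derive `url.domain` from the bare filename value (or a proper URL parse) rather than from the prefixed string.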
Collaborator commented:

Can you add a filter that checks whether FileName or URLFilename is set?
It will avoid tests with https as destination.domain and https:// as url.original.

rombernier (Contributor Author) commented:

I tried with filter None and filter null; I don't know which is the correct one?
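To make the reviewer's point concrete, this added Python example (not the project's parser or its test data) mimics the `set` stage from the hunk with and without the requested filter; the field names URL, FileName and URLFilename come from the hunk, the sample events are constructed, and the guarded stage is a hypothetical implementation.

```python
from urllib.parse import urlsplit

# Constructed sample events modelled on the parser fields named in the PR
# (URL, FileName, URLFilename); not the project's own code or test data.
SAMPLE_EVENTS = [
    {"URL": "http://example.org/index.html"},
    {"URLFilename": "example.com/downloads/report.pdf"},
    {"FileName": "files.example.net:8443/setup.exe"},
    {},  # neither filename field present: the case the reviewer wants filtered out
]


def unguarded_url_fields(event: dict) -> dict:
    """The FileName/URLFilename 'set' stage as written in the hunk, with no
    filter: prefix https:// unconditionally and derive url.domain by splitting."""
    name = event.get("FileName") or event.get("URLFilename") or ""
    original = f"https://{name}"
    # split("/")[0].split(":")[0] on a value that already carries the scheme
    # returns "https", not the host; on an empty name url.original is "https://".
    domain = original.split("/")[0].split(":")[0]
    return {"url.original": original, "url.domain": domain}


def guarded_url_fields(event: dict) -> dict:
    """Hypothetical hardened stage: skip when no filename field is set (the
    filter the reviewer asked for) and take the host from a real URL parse."""
    if event.get("URL"):
        original = event["URL"]
    else:
        name = event.get("FileName") or event.get("URLFilename")
        if not name:
            return {}  # emit no url.* fields rather than "https://" / "https"
        original = f"https://{name}"
    parsed = urlsplit(original)
    if not parsed.hostname:
        return {}
    return {"url.original": original, "url.domain": parsed.hostname}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", unguarded_url_fields(event), "|", guarded_url_fields(event))
```

The empty event shows the bad record the reviewer described (`url.original` of `https://`, domain `https`), and the unguarded split mis-derives the domain even when a filename is present.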
