From 51ee434736031efc2ae9fe64d4feff8725814b9f Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 14 May 2020 19:39:07 +0200 Subject: [PATCH] Fix PANW bad mapping of client/source and server/dest packets and bytes (#18525) PANW pipeline was mapping: Bytes sent to client/destination bytes. Bytes received to server/source bytes. Packets sent to server/destination packets. Packets received to client/source packets. All of these mappings are wrong. The correct is: Bytes sent to client/source bytes. Bytes received to server/destination bytes. Packets sent to client/source packets. Packets received to server/destination packets. Also adding some missing ECS mappings in the process. Fixes #18522 (cherry picked from commit 463a52a3bf65d63457117bbf9a6a27afa489e677) --- CHANGELOG.next.asciidoc | 1 + .../module/panw/panos/config/input.yml | 28 +- .../module/panw/panos/ingest/pipeline.yml | 18 + .../test/pan_inc_other.log-expected.json | 20 +- .../test/pan_inc_threat.log-expected.json | 800 +++---- .../test/pan_inc_traffic.log-expected.json | 1884 ++++++++--------- .../panw/panos/test/threat.log-expected.json | 608 ++++++ .../panw/panos/test/traffic.log-expected.json | 1434 ++++++++++--- 8 files changed, 3117 insertions(+), 1676 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 22525ff9fb5..b635f26ed43 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -160,6 +160,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixed typo in log message. {pull}17897[17897] - Unescape file name from SQS message. {pull}18370[18370] - Improve cisco asa and ftd pipelines' failure handler to avoid mapping temporary fields. {issue}18391[18391] {pull}18392[18392] +- Fix PANW module wrong mappings for bytes and packets counters. {issue}18522[18522] {pull}18525[18525] *Heartbeat* 
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index 01c83a6f789..2ce806d6b4c 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -50,7 +50,9 @@ processors: destination.ip: 8 destination.address: 8 source.nat.ip: 9 + client.nat.ip: 9 destination.nat.ip: 10 + server.nat.ip: 10 panw.panos.ruleset: 11 client.user.name: 12 source.user.name: 12 @@ -58,33 +60,39 @@ processors: destination.user.name: 13 network.application: 14 panw.panos.source.zone: 16 + observer.ingress.zone: 16 panw.panos.destination.zone: 17 + observer.egress.zone: 17 panw.panos.source.interface: 18 + observer.ingress.interface.name: 18 panw.panos.destination.interface: 19 + observer.egress.interface.name: 19 panw.panos.flow_id: 22 client.port: 24 source.port: 24 destination.port: 25 server.port: 25 source.nat.port: 26 + client.nat.port: 26 destination.nat.port: 27 + server.nat.port: 27 _temp_.labels: 28 network.transport: 29 panw.panos.action: 30 network.bytes: 31 client.bytes: 32 - destination.bytes: 32 + source.bytes: 32 server.bytes: 33 - source.bytes: 33 + destination.bytes: 33 network.packets: 34 event.start: 35 event.duration: 36 panw.panos.url.category: 37 panw.panos.sequence_number: 39 - server.packets: 44 - destination.packets: 44 - client.packets: 45 - source.packets: 45 + client.packets: 44 + source.packets: 44 + server.packets: 45 + destination.packets: 45 observer.hostname: 52 - extract_array: @@ -103,7 +111,9 @@ processors: destination.ip: 8 destination.address: 8 source.nat.ip: 9 + client.nat.ip: 9 destination.nat.ip: 10 + server.nat.ip: 10 panw.panos.ruleset: 11 client.user.name: 12 source.user.name: 12 
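Review bot: The corrected counter lines `client.bytes: 32` / `server.bytes: 33` and `client.packets: 44` / `server.packets: 45` still record nothing about which PAN-OS column is "sent" and which is "received", and the same index table is copied verbatim into a second extract_array processor (hunks at -103 and -111), so the inversion this commit undoes can recur silently in either copy. A short comment on each counter line, e.g. `client.bytes: 32  # bytes sent (client/source -> server)` and `server.bytes: 33  # bytes received (server/destination -> client)`, with matching comments on the 44/45 packet lines, makes the column semantics visible where the mapping is made. Whether the second processor maps columns 32/33/44/45 at all is not visible here: its hunk ends at `panw.panos.action: 30` and the processor continues past it, so that copy should be checked for the same inversion. The `network.bytes: 31` / `network.packets: 34` totals give a cheap invariant for the expected-output fixtures (client plus server equals network), which the packet counters in the pan_inc_other fixture of this commit satisfy.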
@@ -111,16 +121,22 @@ processors: destination.user.name: 13 network.application: 14 panw.panos.source.zone: 16 + observer.ingress.zone: 16 panw.panos.destination.zone: 17 + observer.egress.zone: 17 panw.panos.source.interface: 18 + observer.ingress.interface.name: 18 panw.panos.destination.interface: 19 + observer.egress.interface.name: 19 panw.panos.flow_id: 22 client.port: 24 source.port: 24 destination.port: 25 server.port: 25 source.nat.port: 26 + client.nat.port: 26 destination.nat.port: 27 + server.nat.port: 27 _temp_.labels: 28 network.transport: 29 panw.panos.action: 30 diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 1c2c912bd87..d0e04f4ac2a 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -75,6 +75,8 @@ processors: - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } - convert: { type: long, ignore_missing: true, field: source.nat.port } - convert: { type: long, ignore_missing: true, field: destination.nat.port } + - convert: { type: long, ignore_missing: true, field: client.nat.port } + - convert: { type: long, ignore_missing: true, field: server.nat.port } # Remove PCAP ID when zero (no packet capture). - remove: @@ -475,6 +477,22 @@ processors: - _temp_ ignore_missing: true +# Remove NAT fields when translation was not done. + - remove: + field: + - source.nat.ip + - source.nat.port + - client.nat.ip + - client.nat.port + if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' + - remove: + field: + - destination.nat.ip + - destination.nat.port + - server.nat.ip + - server.nat.port + if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' + on_failure: - set: field: "error.message" 
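Review bot: The two `remove` processors added after the `_temp_` cleanup list four fields each but carry no `ignore_missing: true`, unlike the remove just above them that does; if an event satisfies the `source.nat.ip == "0.0.0.0" && source.nat.port == 0` condition but lacks one of the listed fields (for instance an extract_array mapping that populates `source.nat.*` without the new `client.nat.*` entries), the processor fails and the event is diverted to the `on_failure` handler with an `error.message` instead of being indexed normally. Adding `ignore_missing: true` after each `field:` list keeps the cleanup best-effort and consistent with the surrounding processors. The `== 0` comparison relies on the `convert` to long in the -75 hunk having run first, which holds given the processor order shown. Whether PAN-OS reports untranslated IPv6 flows with a placeholder other than `0.0.0.0` cannot be confirmed from this diff; if it does, those events would keep their zero-valued NAT fields.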
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
index 5b43295399c..7e4de9af8ca 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
@@ -3,13 +3,13 @@
 "@timestamp": "2012-04-10T04:39:56.000-02:00",
 "client.bytes": 78,
 "client.ip": "192.168.0.2",
- "client.packets": 0,
+ "client.packets": 1,
 "client.port": 59309,
 "client.user.name": "crusher",
 "destination.address": "204.232.231.46",
 "destination.as.number": 27357,
 "destination.as.organization.name": "Rackspace Hosting",
- "destination.bytes": 78,
+ "destination.bytes": 0,
 "destination.geo.city_name": "Fort Lauderdale",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -18,9 +18,7 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
- "destination.packets": 1,
+ "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
@@ -52,6 +50,10 @@
 "network.packets": 1,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -79,15 +81,13 @@
 "rule.name": "rule1",
 "server.bytes": 0,
 "server.ip": "204.232.231.46",
- "server.packets": 1,
+ "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
- "source.bytes": 0,
+ "source.bytes": 78,
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
- "source.packets": 0,
+ "source.packets": 1,
 "source.port": 59309,
 "source.user.name": "crusher",
 "tags": [
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
index f6ca00ac200..83f4b832745 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
@@ -16,8 +16,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -45,6 +43,10 @@
 "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -78,8 +80,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59309,
 "source.user.name": "crusher",
 "tags": [
@@ -104,8 +104,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -133,6 +131,10 @@
 "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -166,8 +168,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59313,
 "source.user.name": "crusher",
 "tags": [
@@ -192,8 +192,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -221,6 +219,10 @@
 "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -254,8 +256,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59314,
 "source.user.name": "crusher",
 "tags": [
@@ -280,8 +280,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -309,6 +307,10 @@
 "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -342,8 +344,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59315,
 "source.user.name": "crusher",
 "tags": [
@@ -368,8 +368,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -397,6 +395,10 @@
 "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -430,8 +432,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59316,
 "source.user.name": "crusher",
 "tags": [
@@ -456,8 +456,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -485,6 +483,10 @@
 "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -518,8 +520,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59317,
 "source.user.name": "crusher",
 "tags": [
@@ -544,8 +544,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -573,6 +571,10 @@
 "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -606,8 +608,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59302,
 "source.user.name": "crusher",
 "tags": [
@@ -632,8 +632,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -661,6 +659,10 @@
 "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -694,8 +696,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59301,
 "source.user.name": "crusher",
 "tags": [
@@ -720,8 +720,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -749,6 +747,10 @@
 "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -782,8 +784,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59303,
 "source.user.name": "crusher",
 "tags": [
@@ -808,8 +808,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -837,6 +835,10 @@
 "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -870,8 +872,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59304,
 "source.user.name": "crusher",
 "tags": [
@@ -896,8 +896,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -925,6 +923,10 @@
 "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -958,8 +960,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59297,
 "source.user.name": "crusher",
 "tags": [
@@ -984,8 +984,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1013,6 +1011,10 @@
 "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1046,8 +1048,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59299,
 "source.user.name": "crusher",
 "tags": [
@@ -1072,8 +1072,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1101,6 +1099,10 @@
 "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1134,8 +1136,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59298,
 "source.user.name": "crusher",
 "tags": [
@@ -1160,8 +1160,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1188,6 +1186,10 @@
 "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1221,8 +1223,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59300,
 "source.user.name": "crusher",
 "tags": [
@@ -1247,8 +1247,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1276,6 +1274,10 @@
 "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1309,8 +1311,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59295,
 "source.user.name": "crusher",
 "tags": [
@@ -1335,8 +1335,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1364,6 +1362,10 @@
 "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1397,8 +1399,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59291,
 "source.user.name": "crusher",
 "tags": [
@@ -1420,8 +1420,6 @@
 "destination.geo.location.lon": 9.491,
 "destination.geo.name": "Germany",
 "destination.ip": "78.159.99.224",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1448,6 +1446,10 @@
 "network.community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1481,8 +1483,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59296,
 "source.user.name": "crusher",
 "tags": [
@@ -1507,8 +1507,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1536,6 +1534,10 @@
 "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1569,8 +1571,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59280,
 "source.user.name": "crusher",
 "tags": [
@@ -1595,8 +1595,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1624,6 +1622,10 @@
 "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1657,8 +1659,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59281,
 "source.user.name": "crusher",
 "tags": [
@@ -1683,8 +1683,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1712,6 +1710,10 @@
 "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1745,8 +1747,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59282,
 "source.user.name": "crusher",
 "tags": [
@@ -1771,8 +1771,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1800,6 +1798,10 @@
 "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1833,8 +1835,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59290,
 "source.user.name": "crusher",
 "tags": [
@@ -1859,8 +1859,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1888,6 +1886,10 @@
 "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1921,8 +1923,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59286,
 "source.user.name": "crusher",
 "tags": [
@@ -1947,8 +1947,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1976,6 +1974,10 @@
 "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2009,8 +2011,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59275,
 "source.user.name": "crusher",
 "tags": [
@@ -2035,8 +2035,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2064,6 +2062,10 @@
 "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2097,8 +2099,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59277,
 "source.user.name": "crusher",
 "tags": [
@@ -2123,8 +2123,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2152,6 +2150,10 @@
 "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2185,8 +2187,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59276,
 "source.user.name": "crusher",
 "tags": [
@@ -2211,8 +2211,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2240,6 +2238,10 @@
 "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2273,8 +2275,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59278,
 "source.user.name": "crusher",
 "tags": [
@@ -2299,8 +2299,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2328,6 +2326,10 @@
 "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2361,8 +2363,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59279,
 "source.user.name": "crusher",
 "tags": [
@@ -2387,8 +2387,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2416,6 +2414,10 @@
 "network.community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2449,8 +2451,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59271,
 "source.user.name": "crusher",
 "tags": [
@@ -2475,8 +2475,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2504,6 +2502,10 @@
 "network.community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2537,8 +2539,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59269,
 "source.user.name": "crusher",
 "tags": [
@@ -2563,8 +2563,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2592,6 +2590,10 @@
 "network.community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2625,8 +2627,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59270,
 "source.user.name": "crusher",
 "tags": [
@@ -2651,8 +2651,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2680,6 +2678,10 @@
 "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2713,8 +2715,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59274,
 "source.user.name": "crusher",
 "tags": [
@@ -2739,8 +2739,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2768,6 +2766,10 @@
 "network.community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2801,8 +2803,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59273,
 "source.user.name": "crusher",
 "tags": [
@@ -2827,8 +2827,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2856,6 +2854,10 @@
 "network.community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2889,8 +2891,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59272,
 "source.user.name": "crusher",
 "tags": [
@@ -2912,8 +2912,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "69.43.161.167",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2940,6 +2938,10 @@
 "network.community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -2973,8 +2975,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59261,
 "source.user.name": "crusher",
 "tags": [
@@ -2996,8 +2996,6 @@
 "destination.geo.location.lon": 126.9741,
 "destination.geo.name": "Korea Republic Of",
 "destination.ip": "202.31.187.154",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3024,6 +3022,10 @@
 "network.community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3057,8 +3059,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59248,
 "source.user.name": "crusher",
 "tags": [
@@ -3080,8 +3080,6 @@
 "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "89.111.176.67",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3108,6 +3106,10 @@
 "network.community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3141,8 +3143,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59251,
 "source.user.name": "crusher",
 "tags": [
@@ -3167,8 +3167,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3195,6 +3193,10 @@
 "network.community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3228,8 +3230,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59244,
 "source.user.name": "crusher",
 "tags": [
@@ -3251,8 +3251,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3279,6 +3277,10 @@
 "network.community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3312,8 +3314,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59237,
 "source.user.name": "crusher",
 "tags": [
@@ -3335,8 +3335,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3363,6 +3361,10 @@
 "network.community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3396,8 +3398,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59238,
 "source.user.name": "crusher",
 "tags": [
@@ -3422,8 +3422,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3450,6 +3448,10 @@
 "network.community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3483,8 +3485,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59010,
 "source.user.name": "crusher",
 "tags": [
@@ -3506,8 +3506,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3534,6 +3532,10 @@
 "network.community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3567,8 +3569,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58969,
 "source.user.name": "crusher",
 "tags": [
@@ -3590,8 +3590,6 @@
 "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "89.108.64.156",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3618,6 +3616,10 @@
 "network.community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3651,8 +3653,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58941,
 "source.user.name": "crusher",
 "tags": [
@@ -3674,8 +3674,6 @@
 "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "89.108.64.156",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3702,6 +3700,10 @@
 "network.community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3735,8 +3737,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58942,
 "source.user.name": "crusher",
 "tags": [
@@ -3751,8 +3751,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 58849,
 "destination.user.name": "crusher",
 "event.action": "spyware_detected",
@@ -3777,6 +3775,10 @@
 "network.community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "drop-all-packets",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3820,8 +3822,6 @@
 "source.geo.region_iso_code": "US-FL",
 "source.geo.region_name": "Florida",
 "source.ip": "204.232.231.46",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -3845,8 +3845,6 @@
 "destination.geo.region_iso_code": "CA-ON",
 "destination.geo.region_name": "Ontario",
 "destination.ip": "216.8.179.25",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3873,6 +3871,10 @@
 "network.community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3906,8 +3908,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58856,
 "source.user.name": "crusher",
 "tags": [
@@ -3929,8 +3929,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "69.43.161.154",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3957,6 +3955,10 @@
 "network.community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -3990,8 +3992,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58847,
 "source.user.name": "crusher",
 "tags": [
@@ -4013,8 +4013,6 @@
 "destination.geo.location.lon": -64.5,
 "destination.geo.name": "Virgin Islands British",
 "destination.ip": "208.91.196.252",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4041,6 +4039,10 @@
 "network.community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4074,8 +4076,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58841,
 "source.user.name": "crusher",
 "tags": [
@@ -4097,8 +4097,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4125,6 +4123,10 @@
 "network.community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4158,8 +4160,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58795,
 "source.user.name": "crusher",
 "tags": [
@@ -4184,8 +4184,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4212,6 +4210,10 @@
 "network.community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4245,8 +4247,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58753,
 "source.user.name": "crusher",
 "tags": [
@@ -4271,8 +4271,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4299,6 +4297,10 @@
 "network.community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4332,8 +4334,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58708,
 "source.user.name": "crusher",
 "tags": [
@@ -4358,8 +4358,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4386,6 +4384,10 @@
 "network.community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4419,8 +4421,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58707,
 "source.user.name": "crusher",
 "tags": [
@@ -4445,8 +4445,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4473,6 +4471,10 @@
 "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "1606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4506,8 +4508,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58603,
 "source.user.name": "crusher",
 "tags": [
@@ -4532,8 +4532,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4560,6 +4558,10 @@
 "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "1606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4593,8 +4595,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58603,
 "source.user.name": "crusher",
 "tags": [
@@ -4609,8 +4609,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 54431,
 "destination.user.name": "crusher",
 "event.action": "file_match",
@@ -4638,6 +4636,10 @@
 "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "1606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4681,8 +4683,6 @@
 "source.geo.region_iso_code": "US-CA",
 "source.geo.region_name": "California",
 "source.ip": "173.236.179.57",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -4706,8 +4706,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4734,6 +4732,10 @@
 "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "1606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4767,8 +4769,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 58603,
 "source.user.name": "crusher",
 "tags": [
@@ -4783,8 +4783,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 61220,
 "destination.user.name": "crusher",
 "event.action": "file_match",
@@ -4812,6 +4810,10 @@
 "network.community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4855,8 +4857,6 @@
 "source.geo.region_iso_code": "CA-QC",
 "source.geo.region_name": "Quebec",
 "source.ip": "91.209.163.202",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -4870,8 +4870,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 61726,
 "destination.user.name": "crusher",
 "event.action": "file_match",
@@ -4899,6 +4897,10 @@
 "network.community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -4941,8 +4943,6 @@
 "source.geo.region_iso_code": "CN-ZJ",
 "source.geo.region_name": "Zhejiang",
 "source.ip": "122.226.169.183",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -4966,8 +4966,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4994,6 +4992,10 @@
 "network.community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5027,8 +5029,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 63007,
 "source.user.name": "crusher",
 "tags": [
@@ -5043,8 +5043,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 60212,
 "destination.user.name": "crusher",
 "event.action": "file_match",
@@ -5072,6 +5070,10 @@
 "network.community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5112,8 +5114,6 @@
 "source.geo.location.lon": 4.8995,
 "source.geo.name": "Netherlands",
 "source.ip": "109.201.131.15",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -5127,8 +5127,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 60392,
 "destination.user.name": "crusher",
 "event.action": "file_match",
@@ -5156,6 +5154,10 @@
 "network.community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5199,8 +5201,6 @@
 "source.geo.region_iso_code": "CA-QC",
 "source.geo.region_name": "Quebec",
 "source.ip": "91.209.163.202",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -5221,8 +5221,6 @@
 "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "213.180.199.61",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -5249,6 +5247,10 @@
 "network.community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5282,8 +5284,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59709,
 "source.user.name": "crusher",
 "tags": [
@@ -5305,8 +5305,6 @@
 "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "213.180.199.61",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -5333,6 +5331,10 @@
 "network.community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5366,8 +5368,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59721,
 "source.user.name": "crusher",
 "tags": [
@@ -5389,8 +5389,6 @@
 "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "213.180.199.61",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -5417,6 +5415,10 @@
 "network.community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5450,8 +5452,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 59752,
 "source.user.name": "crusher",
 "tags": [
@@ -5466,8 +5466,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 54431,
 "destination.user.name": "crusher",
 "event.action": "file_match",
@@ -5495,6 +5493,10 @@
 "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5538,8 +5540,6 @@
 "source.geo.region_iso_code": "US-CA",
 "source.geo.region_name": "California",
 "source.ip": "173.236.179.57",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -5563,8 +5563,6 @@
 "destination.geo.region_iso_code": "US-FL",
 "destination.geo.region_name": "Florida",
 "destination.ip": "204.232.231.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -5591,6 +5589,10 @@
 "network.community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5624,8 +5626,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 63183,
 "source.user.name": "crusher",
 "tags": [
@@ -5650,8 +5650,6 @@
 "destination.geo.region_iso_code": "HK-HCW",
 "destination.geo.region_name": "Central and Western District",
 "destination.ip": "207.46.140.46",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "data_match",
 "event.category": [
@@ -5678,6 +5676,10 @@
 "network.community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5711,8 +5713,6 @@
 "source.address": "192.168.0.6",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.6",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 1047,
 "source.user.name": "jordy",
 "tags": [
@@ -5727,8 +5727,6 @@
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.6",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 1039,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -5756,6 +5754,10 @@
 "network.community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5799,8 +5801,6 @@
 "source.geo.region_iso_code": "US-WA",
 "source.geo.region_name": "Washington",
 "source.ip": "65.54.161.34",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -5814,8 +5814,6 @@
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.6",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 1064,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -5843,6 +5841,10 @@
 "network.community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5886,8 +5888,6 @@
 "source.geo.region_iso_code": "US-WA",
 "source.geo.region_name": "Washington",
 "source.ip": "65.55.5.231",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -5911,8 +5911,6 @@
 "destination.geo.region_iso_code": "US-CA",
 "destination.geo.region_name": "California",
 "destination.ip": "65.54.71.11",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "data_match",
 "event.category": [
@@ -5939,6 +5937,10 @@
 "network.community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5972,8 +5974,6 @@
 "source.address": "192.168.0.6",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.6",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 1048,
 "source.user.name": "jordy",
 "tags": [
@@ -5988,8 +5988,6 @@
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.6",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 1071,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -6017,6 +6015,10 @@
 "network.community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6057,8 +6059,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.239.17",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6079,8 +6079,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.85.40.48",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "data_match",
 "event.category": [
@@ -6107,6 +6105,10 @@
 "network.community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6140,8 +6142,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 57502,
 "source.user.name": "picard",
 "tags": [
@@ -6156,8 +6156,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 57876,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6185,6 +6183,10 @@
 "network.community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6225,8 +6227,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.198",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6240,8 +6240,6 @@
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.6",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 1082,
 "destination.user.name": "jordy",
 "event.action": "file_match",
@@ -6269,6 +6267,10 @@
 "network.community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "deny",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6312,8 +6314,6 @@
 "source.geo.region_iso_code": "ES-V",
 "source.geo.region_name": "Valencia",
 "source.ip": "188.190.124.75",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6327,8 +6327,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 50986,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6356,6 +6354,10 @@
 "network.community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6396,8 +6398,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.200",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6411,8 +6411,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 51716,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6440,6 +6438,10 @@
 "network.community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6480,8 +6482,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.239.3",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6495,8 +6495,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 52119,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6524,6 +6522,10 @@
 "network.community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6564,8 +6566,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.239.3",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6579,8 +6579,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 52411,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6608,6 +6606,10 @@
 "network.community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6648,8 +6650,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.200",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6670,8 +6670,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "74.125.239.6",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "data_match",
 "event.category": [
@@ -6698,6 +6696,10 @@
 "network.community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6731,8 +6733,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 52366,
 "source.user.name": "picard",
 "tags": [
@@ -6747,8 +6747,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 53026,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6776,6 +6774,10 @@
 "network.community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6816,8 +6818,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.193",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6831,8 +6831,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 53809,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6860,6 +6858,10 @@
 "network.community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6900,8 +6902,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.239.20",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6915,8 +6915,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 55912,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -6944,6 +6942,10 @@
 "network.community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6984,8 +6986,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "208.80.154.225",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -6999,8 +6999,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 55916,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7028,6 +7026,10 @@
 "network.community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7068,8 +7070,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "208.80.154.234",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7083,8 +7083,6 @@
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.6",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 1046,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -7112,6 +7110,10 @@
 "network.community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7155,8 +7157,6 @@
 "source.geo.region_iso_code": "US-CA",
 "source.geo.region_name": "California",
 "source.ip": "65.54.75.25",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7170,8 +7170,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 61734,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -7199,6 +7197,10 @@
 "network.community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7239,8 +7241,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.206",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7254,8 +7254,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 62292,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -7283,6 +7281,10 @@
 "network.community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7323,8 +7325,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.195",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7338,8 +7338,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 64669,
 "destination.user.name": "jordy",
 "event.action": "data_match",
@@ -7367,6 +7365,10 @@
 "network.community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7410,8 +7412,6 @@
 "source.geo.region_iso_code": "US-KS",
 "source.geo.region_name": "Kansas",
 "source.ip": "207.178.96.34",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7425,8 +7425,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 65265,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7454,6 +7452,10 @@
 "network.community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7494,8 +7496,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.195",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7509,8 +7509,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 64979,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7538,6 +7536,10 @@
 "network.community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7578,8 +7580,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.239.20",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7593,8 +7593,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 49432,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7622,6 +7620,10 @@
 "network.community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7665,8 +7667,6 @@
 "source.geo.region_iso_code": "US-NY",
 "source.geo.region_name": "New York",
 "source.ip": "66.152.109.24",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7680,8 +7680,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 49722,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7709,6 +7707,10 @@
 "network.community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7749,8 +7751,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.200",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7771,8 +7771,6 @@
 "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "74.125.224.201",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 80,
 "event.action": "data_match",
 "event.category": [
@@ -7799,6 +7797,10 @@
 "network.community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=",
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "alert",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7832,8 +7834,6 @@
 "source.address": "192.168.0.2",
 "source.geo.name": "192.168.0.0-192.168.255.255",
 "source.ip": "192.168.0.2",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 49681,
 "source.user.name": "picard",
 "tags": [
@@ -7848,8 +7848,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 50108,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7877,6 +7875,10 @@
 "network.community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -7917,8 +7919,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.200",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -7932,8 +7932,6 @@
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
 "destination.ip": "192.168.0.2",
- "destination.nat.ip": "0.0.0.0",
- "destination.nat.port": 0,
 "destination.port": 50387,
 "destination.user.name": "picard",
 "event.action": "data_match",
@@ -7961,6 +7959,10 @@
 "network.community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=",
 "network.direction": "outbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "trust",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "untrust",
 "observer.serial_number": "01606001116",
 "panw.panos.action": "reset-both",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -8001,8 +8003,6 @@
 "source.geo.location.lon": -97.822,
 "source.geo.name": "United States",
 "source.ip": "74.125.224.200",
- "source.nat.ip": "0.0.0.0",
- "source.nat.port": 0,
 "source.port": 80,
 "tags": [
 "pan-os"
@@ -8023,8 +8023,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.85.40.48", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": [ @@ -8051,6 +8049,10 @@ "network.community_id": "1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", @@ -8084,8 +8086,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59781, "source.user.name": "jordy", "tags": [ @@ -8100,8 +8100,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60005, "destination.user.name": "jordy", "event.action": "data_match", @@ -8129,6 +8127,10 @@ "network.community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", @@ -8169,8 +8171,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.201", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -8184,8 +8184,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60443, "destination.user.name": "jordy", "event.action": "data_match", @@ -8213,6 +8211,10 @@ "network.community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", @@ -8253,8 +8255,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.201", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -8268,8 +8268,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60822, "destination.user.name": "jordy", "event.action": "data_match", @@ -8297,6 +8295,10 @@ "network.community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", @@ -8337,8 +8339,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -8352,8 +8352,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61105, "destination.user.name": "jordy", "event.action": "data_match", @@ -8381,6 +8379,10 @@ "network.community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", @@ -8421,8 +8423,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -8436,8 +8436,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60782, "destination.user.name": "jordy", "event.action": "data_match", @@ -8465,6 +8463,10 @@ "network.community_id": "1:uH37XIov0Sgv5kARW8dP9vrOs7w=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", @@ -8505,8 +8507,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.198", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -8520,8 +8520,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61470, "destination.user.name": "jordy", "event.action": "data_match", @@ -8549,6 +8547,10 @@ "network.community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", @@ -8589,8 +8591,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index c285f88d43d..12149128bf6 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -3,13 +3,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59324, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -18,9 +18,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -52,6 +50,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -79,15 +81,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59324, "source.user.name": "crusher", "tags": [ @@ -98,21 +98,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 54448, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -144,6 +142,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -171,15 +173,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 54448, "source.user.name": "crusher", "tags": [ @@ -190,21 +190,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 53121, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -236,6 +234,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -263,15 +265,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 53121, "source.user.name": "crusher", "tags": [ @@ -282,13 +282,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59323, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -297,9 +297,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -331,6 +329,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -358,15 +360,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59323, "source.user.name": "crusher", "tags": [ @@ -377,13 +377,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59322, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -392,9 +392,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -426,6 +424,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -453,15 +455,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59322, "source.user.name": "crusher", "tags": [ @@ -472,21 +472,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 74, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55766, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 74, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -518,6 +516,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -545,15 +547,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 74, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55766, "source.user.name": "crusher", "tags": [ @@ -564,21 +564,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 74, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55072, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 74, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -610,6 +608,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -637,15 +639,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 74, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55072, "source.user.name": "crusher", "tags": [ @@ -656,13 +656,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59207, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -671,9 +671,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -705,6 +703,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -732,15 +734,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59207, "source.user.name": "crusher", "tags": [ @@ -751,13 +751,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59209, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -766,9 +766,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -800,6 +798,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -827,15 +829,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59209, "source.user.name": "crusher", "tags": [ @@ -846,13 +846,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59208, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -861,9 +861,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -895,6 +893,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -922,15 +924,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59208, "source.user.name": "crusher", "tags": [ @@ -941,13 +941,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59318, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -956,9 +956,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -990,6 +988,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1017,15 +1019,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59318, "source.user.name": "crusher", "tags": [ @@ -1036,13 +1036,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59317, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1051,9 +1051,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -1085,6 +1083,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1112,15 +1114,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59317, "source.user.name": "crusher", "tags": [ @@ -1131,13 +1131,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59316, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1146,9 +1146,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -1180,6 +1178,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1207,15 +1209,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59316, "source.user.name": "crusher", "tags": [ @@ -1226,13 +1226,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59315, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1241,9 +1241,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -1275,6 +1273,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1302,15 +1304,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59315, "source.user.name": "crusher", "tags": [ @@ -1321,13 +1321,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59206, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1336,9 +1336,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -1370,6 +1368,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1397,15 +1399,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59206, "source.user.name": "crusher", "tags": [ @@ -1416,13 +1416,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59205, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1431,9 +1431,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -1465,6 +1463,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1492,15 +1494,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59205, "source.user.name": "crusher", "tags": [ @@ -1511,13 +1511,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 1359, "client.ip": "192.168.0.2", - "client.packets": 3, + "client.packets": 18, "client.port": 56858, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 1359, + "destination.bytes": 551, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1526,9 +1526,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 18, + "destination.packets": 3, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -1560,6 +1558,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1587,15 +1589,13 @@ "rule.name": "rule1", "server.bytes": 551, "server.ip": "204.232.231.46", - "server.packets": 18, + "server.packets": 3, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 551, + "source.bytes": 1359, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 3, + "source.packets": 18, "source.port": 56858, "source.user.name": "crusher", "tags": [ @@ -1606,13 +1606,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59314, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1621,9 +1621,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -1655,6 +1653,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1682,15 +1684,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59314, "source.user.name": "crusher", "tags": [ @@ -1701,13 +1701,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59313, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1716,9 +1716,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -1750,6 +1748,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1777,15 +1779,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59313, "source.user.name": "crusher", "tags": [ @@ -1796,21 +1796,19 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52139, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -1842,6 +1840,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1869,15 +1871,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52139, "source.user.name": "crusher", "tags": [ @@ -1888,21 +1888,19 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60592, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -1934,6 +1932,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1961,15 +1963,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60592, "source.user.name": "crusher", "tags": [ @@ -1980,13 +1980,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59309, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1995,9 +1995,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -2029,6 +2027,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2056,15 +2058,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59309, "source.user.name": "crusher", "tags": [ @@ -2081,14 +2081,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 66, + "destination.bytes": 98, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -2121,6 +2119,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2152,10 +2154,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 98, + "source.bytes": 66, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 57322, "source.user.name": "crusher", @@ -2167,13 +2167,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59204, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2182,9 +2182,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -2216,6 +2214,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2243,15 +2245,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59204, "source.user.name": "crusher", "tags": [ @@ -2262,13 +2262,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59203, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2277,9 +2277,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -2311,6 +2309,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2338,15 +2340,13 @@ "rule.name": "rule1", "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59203, "source.user.name": "crusher", "tags": [ @@ -2357,13 +2357,13 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59305, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2372,9 +2372,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -2406,6 +2404,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2433,15 +2435,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59305, "source.user.name": "crusher", "tags": [ @@ -2452,21 +2452,19 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 64005, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -2498,6 +2496,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2525,15 +2527,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 64005, "source.user.name": "crusher", "tags": [ @@ -2544,21 +2544,19 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 58768, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -2590,6 +2588,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2617,15 +2619,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 58768, "source.user.name": "crusher", "tags": [ @@ -2651,8 +2651,6 @@ "destination.geo.region_iso_code": "US-CA", "destination.geo.region_name": "California", "destination.ip": "98.149.55.63", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 8, "destination.port": 13069, "event.action": "flow_started", @@ -2685,6 +2683,10 @@ "network.packets": 16, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2718,8 +2720,6 @@ "source.address": "192.168.0.2", "source.bytes": 504, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 8, "source.port": 47752, "source.user.name": "crusher", @@ -2731,13 +2731,13 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59304, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -2746,9 +2746,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -2780,6 +2778,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2807,15 +2809,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59304, "source.user.name": "crusher", "tags": [ 
@@ -2826,21 +2826,19 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 71, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 54533, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 71, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -2872,6 +2870,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2899,15 +2901,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 71, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 54533, "source.user.name": "crusher", "tags": [ @@ -2924,7 +2924,7 @@ "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 837, + "destination.bytes": 9130, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", 
@@ -2933,8 +2933,6 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 10, "destination.port": 80, "event.action": "flow_terminated", @@ -2967,6 +2965,10 @@ "network.packets": 20, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2998,10 +3000,8 @@ "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9130, + "source.bytes": 837, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 10, "source.port": 59201, "source.user.name": "crusher", @@ -3013,13 +3013,13 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59303, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3028,9 +3028,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -3062,6 +3060,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3089,15 +3091,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59303, "source.user.name": "crusher", "tags": [ @@ -3108,21 +3108,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 50876, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -3154,6 +3152,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3181,15 +3183,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 50876, "source.user.name": "crusher", "tags": [ @@ -3200,21 +3200,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 57657, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -3246,6 +3244,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3273,15 +3275,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 57657, "source.user.name": "crusher", "tags": [ @@ -3292,13 +3292,13 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59302, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3307,9 +3307,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -3341,6 +3339,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3368,15 +3370,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59302, "source.user.name": "crusher", "tags": [ @@ -3387,13 +3387,13 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59301, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3402,9 +3402,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -3436,6 +3434,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3463,15 +3465,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59301, "source.user.name": "crusher", "tags": [ @@ -3482,21 +3482,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 64844, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -3528,6 +3526,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3555,15 +3557,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 64844, "source.user.name": "crusher", "tags": [ @@ -3574,21 +3574,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52257, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -3620,6 +3618,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3647,15 +3649,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52257, "source.user.name": "crusher", "tags": [ @@ -3671,14 +3671,12 @@ "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 95, + "destination.bytes": 111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -3710,6 +3708,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -3737,10 +3739,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.100", - "source.bytes": 111, + "source.bytes": 95, "source.ip": "192.168.0.100", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 38796, "tags": [ @@ -3751,21 +3751,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 597, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59200, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 597, + "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -3797,6 +3795,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3824,15 +3826,13 @@ "rule.name": "rule1", "server.bytes": 906, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 906, + "source.bytes": 597, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59200, "source.user.name": "crusher", "tags": [ 
@@ -3843,12 +3843,12 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 804, "client.ip": "192.168.0.100", - "client.packets": 7, + "client.packets": 10, "client.port": 48412, "destination.address": "50.19.102.116", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 804, + "destination.bytes": 5013, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3857,9 +3857,7 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "50.19.102.116", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 10, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ @@ -3890,6 +3888,10 @@ "network.packets": 17, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3913,15 +3915,13 @@ "rule.name": "rule1", "server.bytes": 5013, "server.ip": "50.19.102.116", - "server.packets": 10, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.0.100", - "source.bytes": 5013, + "source.bytes": 804, "source.ip": "192.168.0.100", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 10, "source.port": 48412, "tags": [ "pan-os" 
@@ -3937,7 +3937,7 @@ "destination.address": "65.55.223.19", "destination.as.number": 8075, "destination.as.organization.name": "Microsoft Corporation", - "destination.bytes": 187, + "destination.bytes": 99, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3946,8 +3946,6 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.19", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 40026, "event.action": "flow_terminated", @@ -3980,6 +3978,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4011,10 +4013,8 @@ "server.port": 40026, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 99, + "source.bytes": 187, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 47752, "source.user.name": "crusher", @@ -4032,7 +4032,7 @@ "destination.address": "65.55.223.24", "destination.as.number": 8075, "destination.as.organization.name": "Microsoft Corporation", - "destination.bytes": 76, + "destination.bytes": 902, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4041,8 +4041,6 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.24", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 40029, "event.action": "flow_terminated", 
@@ -4075,6 +4073,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4106,10 +4108,8 @@ "server.port": 40029, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 902, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 47752, "source.user.name": "crusher", @@ -4126,14 +4126,12 @@ "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 86, + "destination.bytes": 141, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -4165,6 +4163,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4192,10 +4194,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.100", - "source.bytes": 141, + "source.bytes": 86, "source.ip": "192.168.0.100", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 52189, "tags": [ 
@@ -4206,13 +4206,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59300, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4221,9 +4221,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -4255,6 +4253,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4282,15 +4284,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59300, "source.user.name": "crusher", "tags": [ 
@@ -4301,21 +4301,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 73, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 54414, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 73, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -4347,6 +4345,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4374,15 +4376,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 73, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 54414, "source.user.name": "crusher", "tags": [ 
@@ -4393,13 +4393,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59299, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4408,9 +4408,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -4442,6 +4440,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4469,15 +4471,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59299, "source.user.name": "crusher", "tags": [ 
@@ -4488,21 +4488,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60399, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -4534,6 +4532,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4561,15 +4563,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60399, "source.user.name": "crusher", "tags": [ 
@@ -4586,14 +4586,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 166, + "destination.bytes": 316, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 2, "destination.port": 53, "event.action": "flow_terminated", @@ -4626,6 +4624,10 @@ "network.packets": 4, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4657,10 +4659,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 316, + "source.bytes": 166, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 2, "source.port": 59626, "source.user.name": "crusher", @@ -4678,14 +4678,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 75, + "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", 
@@ -4718,6 +4716,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4749,10 +4751,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 121, + "source.bytes": 75, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 51542, "source.user.name": "crusher", @@ -4770,14 +4770,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 75, + "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -4810,6 +4808,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4841,10 +4843,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 169, + "source.bytes": 75, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 54182, "source.user.name": "crusher", 
@@ -4856,21 +4856,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 594, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59199, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 594, + "destination.bytes": 954, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -4902,6 +4900,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4929,15 +4931,13 @@ "rule.name": "rule1", "server.bytes": 954, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 954, + "source.bytes": 594, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59199, "source.user.name": "crusher", "tags": [ 
@@ -4948,13 +4948,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 1005, "client.ip": "192.168.0.2", - "client.packets": 10, + "client.packets": 12, "client.port": 59198, "client.user.name": "crusher", "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 1005, + "destination.bytes": 9130, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -4963,9 +4963,7 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -4997,6 +4995,10 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5024,15 +5026,13 @@ "rule.name": "rule1", "server.bytes": 9130, "server.ip": "212.48.10.58", - "server.packets": 12, + "server.packets": 10, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9130, + "source.bytes": 1005, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 10, + "source.packets": 12, "source.port": 59198, "source.user.name": "crusher", "tags": [ 
@@ -5043,13 +5043,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 1363, "client.ip": "192.168.0.2", - "client.packets": 3, + "client.packets": 18, "client.port": 56856, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 1363, + "destination.bytes": 555, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5058,9 +5058,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 18, + "destination.packets": 3, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -5092,6 +5090,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5119,15 +5121,13 @@ "rule.name": "rule1", "server.bytes": 555, "server.ip": "204.232.231.46", - "server.packets": 18, + "server.packets": 3, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 555, + "source.bytes": 1363, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 3, + "source.packets": 18, "source.port": 56856, "source.user.name": "crusher", "tags": [ 
@@ -5138,21 +5138,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52489, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -5184,6 +5182,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5211,15 +5213,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52489, "source.user.name": "crusher", "tags": [ 
@@ -5230,13 +5230,13 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59298, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5245,9 +5245,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -5279,6 +5277,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5306,15 +5308,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59298, "source.user.name": "crusher", "tags": [ 
@@ -5325,21 +5325,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60185, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -5371,6 +5369,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5398,15 +5400,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60185, "source.user.name": "crusher", "tags": [ 
@@ -5417,21 +5417,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 51817, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -5463,6 +5461,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5490,15 +5492,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 51817, "source.user.name": "crusher", "tags": [ 
@@ -5509,13 +5509,13 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 186, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 47752, "client.user.name": "crusher", "destination.address": "65.55.223.31", "destination.as.number": 8075, "destination.as.organization.name": "Microsoft Corporation", - "destination.bytes": 186, + "destination.bytes": 0, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5524,9 +5524,7 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.31", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 40043, "event.action": "flow_started", "event.category": [ @@ -5558,6 +5556,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5585,15 +5587,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "65.55.223.31", - "server.packets": 1, + "server.packets": 0, "server.port": 40043, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 186, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 47752, "source.user.name": "crusher", "tags": [ 
@@ -5604,13 +5604,13 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59297, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5619,9 +5619,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -5653,6 +5651,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5680,15 +5682,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59297, "source.user.name": "crusher", "tags": [ 
@@ -5699,21 +5699,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 82, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52537, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 82, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -5745,6 +5743,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5772,15 +5774,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 82, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52537, "source.user.name": "crusher", "tags": [ 
@@ -5791,21 +5791,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 82, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 53155, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 82, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -5837,6 +5835,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5864,15 +5866,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 82, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 53155, "source.user.name": "crusher", "tags": [ 
@@ -5883,21 +5883,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 581, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59197, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 581, + "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -5929,6 +5927,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5956,15 +5958,13 @@ "rule.name": "rule1", "server.bytes": 906, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 906, + "source.bytes": 581, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59197, "source.user.name": "crusher", "tags": [ 
@@ -5981,14 +5981,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 88, + "destination.bytes": 163, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -6021,6 +6019,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6052,10 +6054,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 163, + "source.bytes": 88, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 56995, "source.user.name": "crusher", 
@@ -6067,21 +6067,19 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59069, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -6113,6 +6111,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6140,15 +6142,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59069, "source.user.name": "crusher", "tags": [ 
@@ -6159,21 +6159,19 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55697, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -6205,6 +6203,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6232,15 +6234,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55697, "source.user.name": "crusher", "tags": [ 
@@ -6251,13 +6251,13 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59295, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6266,9 +6266,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -6300,6 +6298,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6327,15 +6329,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59295, "source.user.name": "crusher", "tags": [ 
@@ -6346,21 +6346,19 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 578, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59196, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 578, + "destination.bytes": 922, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -6392,6 +6390,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6419,15 +6421,13 @@ "rule.name": "rule1", "server.bytes": 922, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 922, + "source.bytes": 578, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59196, "source.user.name": "crusher", "tags": [ 
@@ -6438,13 +6438,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59291, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6453,9 +6453,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -6487,6 +6485,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6514,15 +6516,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59291, "source.user.name": "crusher", "tags": [ 
@@ -6533,21 +6533,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 77, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52858, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 77, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -6579,6 +6577,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6606,15 +6608,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52858, "source.user.name": "crusher", "tags": [ 
@@ -6625,21 +6625,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 77, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 61383, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 77, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -6671,6 +6669,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6698,15 +6700,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 61383, "source.user.name": "crusher", "tags": [ 
@@ -6717,13 +6717,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59290, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6732,9 +6732,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -6766,6 +6764,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6793,15 +6795,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59290, "source.user.name": "crusher", "tags": [ 
@@ -6812,21 +6812,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 1310, "client.ip": "192.168.0.2", - "client.packets": 22, + "client.packets": 17, "client.port": 59195, "client.user.name": "crusher", "destination.address": "8.5.1.1", "destination.as.number": 3356, "destination.as.organization.name": "Level 3 Parent, LLC", - "destination.bytes": 1310, + "destination.bytes": 26786, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.5.1.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 17, + "destination.packets": 22, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -6858,6 +6856,10 @@ "network.packets": 39, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6885,15 +6887,13 @@ "rule.name": "rule1", "server.bytes": 26786, "server.ip": "8.5.1.1", - "server.packets": 17, + "server.packets": 22, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 26786, + "source.bytes": 1310, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 22, + "source.packets": 17, "source.port": 59195, "source.user.name": "crusher", "tags": [ 
@@ -6904,21 +6904,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 83, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 49812, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 83, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -6950,6 +6948,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6977,15 +6979,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 83, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 49812, "source.user.name": "crusher", "tags": [ 
@@ -6996,21 +6996,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 83, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 50185, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 83, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -7042,6 +7040,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7069,15 +7071,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 83, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 50185, "source.user.name": "crusher", "tags": [ 
@@ -7088,13 +7088,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59286, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7103,9 +7103,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -7137,6 +7135,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7164,15 +7166,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59286, "source.user.name": "crusher", "tags": [ 
@@ -7187,10 +7187,8 @@ "client.port": 52531, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 75, + "destination.bytes": 169, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -7223,6 +7221,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7254,10 +7256,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 169, + "source.bytes": 75, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 52531, "source.user.name": "crusher", @@ -7269,13 +7269,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 1033, "client.ip": "192.168.0.2", - "client.packets": 9, + "client.packets": 12, "client.port": 59194, "client.user.name": "crusher", "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 1033, + "destination.bytes": 9064, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -7284,9 +7284,7 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 12, + "destination.packets": 9, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -7318,6 +7316,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7345,15 +7347,13 @@ "rule.name": "rule1", "server.bytes": 9064, "server.ip": "212.48.10.58", - "server.packets": 12, + "server.packets": 9, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9064, + "source.bytes": 1033, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 9, + "source.packets": 12, "source.port": 59194, "source.user.name": "crusher", "tags": [ @@ -7364,13 +7364,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 981, "client.ip": "192.168.0.2", - "client.packets": 10, + "client.packets": 12, "client.port": 59192, "client.user.name": "crusher", "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 981, + "destination.bytes": 9124, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -7379,9 +7379,7 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ 
@@ -7413,6 +7411,10 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7440,15 +7442,13 @@ "rule.name": "rule1", "server.bytes": 9124, "server.ip": "212.48.10.58", - "server.packets": 12, + "server.packets": 10, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9124, + "source.bytes": 981, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 10, + "source.packets": 12, "source.port": 59192, "source.user.name": "crusher", "tags": [ @@ -7463,10 +7463,8 @@ "client.port": 56463, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 77, + "destination.bytes": 137, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -7499,6 +7497,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7530,10 +7532,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 137, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 56463, "source.user.name": "crusher", 
@@ -7549,10 +7549,8 @@ "client.port": 55849, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 77, + "destination.bytes": 93, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -7585,6 +7583,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7616,10 +7618,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 93, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 55849, "source.user.name": "crusher", @@ -7631,13 +7631,13 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59282, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7646,9 +7646,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -7680,6 +7678,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7707,15 +7709,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59282, "source.user.name": "crusher", "tags": [ @@ -7726,21 +7726,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 71, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 57846, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 71, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -7772,6 +7770,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7799,15 +7801,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 71, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 57846, "source.user.name": "crusher", "tags": [ @@ -7818,21 +7818,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 71, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 51008, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 71, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -7864,6 +7862,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7891,15 +7893,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 71, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 51008, "source.user.name": "crusher", "tags": [ @@ -7910,13 +7910,13 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59281, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7925,9 +7925,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ 
@@ -7959,6 +7957,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7986,15 +7988,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59281, "source.user.name": "crusher", "tags": [ @@ -8005,21 +8005,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55252, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ 
@@ -8051,6 +8049,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8078,15 +8080,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55252, "source.user.name": "crusher", "tags": [ @@ -8097,15 +8097,13 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 176, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 2, "client.port": 56995, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 176, + "destination.bytes": 0, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 2, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_terminated", "event.category": [ @@ -8137,6 +8135,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8164,15 +8166,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "192.168.0.1", - "server.packets": 2, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 176, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 2, "source.port": 56995, "source.user.name": "crusher", "tags": [ @@ -8183,21 +8183,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60989, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -8229,6 +8227,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8256,15 +8258,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60989, "source.user.name": "crusher", "tags": [ @@ -8275,13 +8275,13 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59280, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8290,9 +8290,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -8324,6 +8322,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8351,15 +8353,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59280, "source.user.name": "crusher", "tags": [ @@ -8370,21 +8370,19 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 81, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 53766, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 81, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -8416,6 +8414,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8443,15 +8445,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 81, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 53766, "source.user.name": "crusher", "tags": [ @@ -8462,21 +8462,19 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 81, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 56032, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 81, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": [ @@ -8508,6 +8506,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8535,15 +8537,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 81, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 56032, "source.user.name": "crusher", "tags": [ @@ -8554,21 +8554,19 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 581, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59193, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 581, + "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -8600,6 +8598,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8627,15 +8629,13 @@ "rule.name": "rule1", "server.bytes": 906, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 906, + "source.bytes": 581, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59193, "source.user.name": "crusher", "tags": [ @@ -8646,13 +8646,13 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59279, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8661,9 +8661,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -8695,6 +8693,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8722,15 +8724,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59279, "source.user.name": "crusher", "tags": [ @@ -8741,13 +8741,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59278, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8756,9 +8756,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -8790,6 +8788,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8817,15 +8819,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59278, "source.user.name": "crusher", "tags": [ @@ -8836,13 +8836,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59277, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8851,9 +8851,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -8885,6 +8883,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8912,15 +8914,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59277, "source.user.name": "crusher", "tags": [ @@ -8931,15 +8931,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 166, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 2, "client.port": 60026, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 166, + "destination.bytes": 0, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 2, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_terminated", "event.category": [ @@ -8971,6 +8969,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8998,15 +9000,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "192.168.0.1", - "server.packets": 2, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 166, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 2, "source.port": 60026, "source.user.name": "crusher", "tags": [ 
@@ -9017,13 +9017,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 351, "client.ip": "192.168.0.2", - "client.packets": 1, + "client.packets": 3, "client.port": 59276, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 351, + "destination.bytes": 78, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -9032,9 +9032,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 3, + "destination.packets": 1, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -9066,6 +9064,10 @@ "network.packets": 4, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -9093,15 +9095,13 @@ "rule.name": "rule1", "server.bytes": 78, "server.ip": "204.232.231.46", - "server.packets": 3, + "server.packets": 1, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 78, + "source.bytes": 351, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 1, + "source.packets": 3, "source.port": 59276, "source.user.name": "crusher", "tags": [ 
@@ -9112,13 +9112,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 351, "client.ip": "192.168.0.2", - "client.packets": 1, + "client.packets": 3, "client.port": 59275, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 351, + "destination.bytes": 78, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -9127,9 +9127,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 3, + "destination.packets": 1, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -9161,6 +9159,10 @@ "network.packets": 4, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -9188,15 +9190,13 @@ "rule.name": "rule1", "server.bytes": 78, "server.ip": "204.232.231.46", - "server.packets": 3, + "server.packets": 1, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 78, + "source.bytes": 351, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 1, + "source.packets": 3, "source.port": 59275, "source.user.name": "crusher", "tags": [ 
@@ -9207,13 +9207,13 @@ "@timestamp": "2012-04-10T04:39:46.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59274, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -9222,9 +9222,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": [ @@ -9256,6 +9254,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -9283,15 +9285,13 @@ "rule.name": "rule1", "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59274, "source.user.name": "crusher", "tags": [ diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index c17fcbee131..dea8a330cad 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json 
+++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -2,6 +2,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 37679, "client.port": 52984, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -44,7 +46,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -70,6 +76,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -86,6 +94,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 28249, "client.port": 52983, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -128,7 +138,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -154,6 +168,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -170,6 +186,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 63898, "client.port": 52986, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -212,7 +230,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -238,6 +260,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -254,6 +278,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 7515, "client.port": 52985, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -296,7 +322,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -322,6 +352,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -338,6 +370,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 3225, "client.port": 52987, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -380,7 +414,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -406,6 +444,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -422,6 +462,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 60449, "client.port": 52988, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -464,7 +506,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -490,6 +536,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -506,6 +554,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 60559, "client.port": 52990, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -548,7 +598,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -574,6 +628,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -590,6 +646,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 47414, "client.port": 52989, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -632,7 +690,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -658,6 +720,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -674,6 +738,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 37673, "client.port": 52992, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -716,7 +782,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -742,6 +812,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -758,6 +830,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 8232, "client.port": 52991, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -800,7 +874,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -826,6 +904,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -842,6 +922,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 32982, "client.port": 52994, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -884,7 +966,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -910,6 +996,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -926,6 +1014,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 10473, "client.port": 52993, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -968,7 +1058,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -994,6 +1088,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1010,6 +1106,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 20446, "client.port": 52995, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1052,7 +1150,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1078,6 +1180,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1094,6 +1198,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 34699, "client.port": 52996, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1136,7 +1242,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1162,6 +1272,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1178,6 +1290,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22820, "client.port": 52997, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1220,7 +1334,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1246,6 +1364,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1262,6 +1382,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 41060, "client.port": 52998, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1304,7 +1426,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1330,6 +1456,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1346,6 +1474,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 9058, "client.port": 52999, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1388,7 +1518,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1414,6 +1548,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1430,6 +1566,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 54846, "client.port": 53001, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1472,7 +1610,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1498,6 +1640,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1514,6 +1658,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 52731, "client.port": 53002, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1556,7 +1702,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1582,6 +1732,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1598,6 +1750,8 @@ { "@timestamp": "2018-11-30T16:44:38.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 15165, "client.port": 53003, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1640,7 +1794,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1666,6 +1824,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1682,6 +1842,8 @@ { "@timestamp": "2018-11-30T16:44:38.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 53918, "client.port": 53004, "destination.address": "23.72.137.131", "destination.as.number": 20940, @@ -1724,7 +1886,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1750,6 +1916,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.137.131", + "server.nat.ip": "23.72.137.131", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1766,6 +1934,8 @@ { "@timestamp": "2018-11-30T16:44:38.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 40792, "client.port": 53000, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1808,7 +1978,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1834,6 +2008,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1850,6 +2026,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 54044, "client.port": 53006, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1892,7 +2070,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -1918,6 +2100,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1934,6 +2118,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 19544, "client.port": 53007, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1976,7 +2162,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2002,6 +2192,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2018,6 +2210,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13462, "client.port": 53008, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2060,7 +2254,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2086,6 +2284,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2102,6 +2302,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 44892, "client.port": 53010, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2144,7 +2346,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2170,6 +2376,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2186,6 +2394,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16487, "client.port": 53011, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2228,7 +2438,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2254,6 +2468,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2270,6 +2486,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 23952, "client.port": 53012, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2312,7 +2530,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2338,6 +2560,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2354,6 +2578,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2810, "client.port": 53013, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2396,7 +2622,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2422,6 +2652,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2438,6 +2670,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13272, "client.port": 53014, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2480,7 +2714,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2506,6 +2744,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2522,6 +2762,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 8663, "client.port": 53022, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2564,7 +2806,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2590,6 +2836,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2606,6 +2854,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 55738, "client.port": 53023, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2648,7 +2898,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2674,6 +2928,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2690,6 +2946,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 10650, "client.port": 53024, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2732,7 +2990,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2758,6 +3020,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2774,6 +3038,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 44087, "client.port": 53025, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2816,7 +3082,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2842,6 +3112,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2858,6 +3130,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 15915, "client.port": 53026, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2900,7 +3174,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -2926,6 +3204,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2942,6 +3222,8 @@ { "@timestamp": "2018-11-30T16:44:53.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 41165, "client.port": 53041, "destination.address": "151.101.2.2", "destination.as.number": 54113, @@ -2984,7 +3266,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3010,6 +3296,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "151.101.2.2", + "server.nat.ip": "151.101.2.2", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -3026,6 +3314,8 @@ { "@timestamp": "2018-11-30T16:44:54.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 54133, "client.port": 53040, "destination.address": "54.192.7.152", "destination.as.number": 16509, @@ -3071,7 +3361,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3097,6 +3391,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.192.7.152", + "server.nat.ip": "54.192.7.152", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -3113,6 +3409,8 @@ { "@timestamp": "2018-11-30T16:44:58.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 8485, "client.port": 53093, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3158,7 +3456,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3184,6 +3486,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -3200,6 +3504,8 @@ { "@timestamp": "2018-11-30T16:44:58.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 12496, "client.port": 53094, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3245,7 +3551,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3271,6 +3581,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -3287,6 +3599,8 @@ { "@timestamp": "2018-11-30T16:44:58.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 17029, "client.port": 53095, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3332,7 +3646,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3358,6 +3676,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -3374,6 +3694,8 @@ { "@timestamp": "2018-11-30T16:44:58.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 23696, "client.port": 53096, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3419,7 +3741,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3445,6 +3771,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -3461,6 +3789,8 @@ { "@timestamp": "2018-11-30T16:44:59.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 34769, "client.port": 53097, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3506,7 +3836,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3532,6 +3866,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -3548,6 +3884,8 @@ { "@timestamp": "2018-11-30T16:44:59.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22486, "client.port": 53099, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3593,7 +3931,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3619,6 +3961,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -3635,6 +3979,8 @@ { "@timestamp": "2018-11-30T16:44:59.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 12894, "client.port": 53100, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3680,7 +4026,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3706,6 +4056,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -3722,6 +4074,8 @@ { "@timestamp": "2018-11-30T16:45:00.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 62348, "client.port": 53101, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3767,7 +4121,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3793,6 +4151,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -3809,6 +4169,8 @@ { "@timestamp": "2018-11-30T16:45:00.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 6224, "client.port": 53104, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3854,7 +4216,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3880,6 +4246,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -3896,6 +4264,8 @@ { "@timestamp": "2018-11-30T16:45:00.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 44120, "client.port": 53107, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -3941,7 +4311,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -3967,6 +4341,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -3983,6 +4359,8 @@ { "@timestamp": "2018-11-30T16:45:00.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 44228, "client.port": 53108, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -4028,7 +4406,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4054,6 +4436,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -4070,6 +4454,8 @@ { "@timestamp": "2018-11-30T16:45:00.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 31322, "client.port": 53109, "destination.address": "52.4.120.175", "destination.as.number": 14618, @@ -4115,7 +4501,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4141,6 +4531,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", + "server.nat.ip": "52.4.120.175", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -4157,6 +4549,8 @@ { "@timestamp": "2018-11-30T16:45:13.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 1672, "client.port": 53118, "destination.address": "216.58.194.98", "destination.as.number": 15169, @@ -4202,7 +4596,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4228,6 +4626,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "216.58.194.98", + "server.nat.ip": "216.58.194.98", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -4244,6 +4644,8 @@ { "@timestamp": "2018-11-30T16:45:15.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 20801, "client.port": 53126, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4286,7 +4688,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4312,6 +4718,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -4328,6 +4736,8 @@ { "@timestamp": "2018-11-30T16:45:15.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 24533, "client.port": 53127, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4370,7 +4780,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4396,6 +4810,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -4412,6 +4828,8 @@ { "@timestamp": "2018-11-30T16:45:15.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 30150, "client.port": 53128, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4454,7 +4872,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4480,6 +4902,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -4496,6 +4920,8 @@ { "@timestamp": "2018-11-30T16:45:15.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 36305, "client.port": 53129, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4538,7 +4964,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4564,6 +4994,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -4580,6 +5012,8 @@ { "@timestamp": "2018-11-30T16:45:16.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42682, "client.port": 53130, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4622,7 +5056,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4648,6 +5086,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -4664,6 +5104,8 @@ { "@timestamp": "2018-11-30T16:45:16.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22530, "client.port": 53131, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4706,7 +5148,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4732,6 +5178,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -4748,6 +5196,8 @@ { "@timestamp": "2018-11-30T16:45:16.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 43713, "client.port": 53132, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4790,7 +5240,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4816,6 +5270,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -4832,6 +5288,8 @@ { "@timestamp": "2018-11-30T16:45:16.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 60608, "client.port": 53133, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4874,7 +5332,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4900,6 +5362,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -4916,6 +5380,8 @@ { "@timestamp": "2018-11-30T16:45:16.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 9302, "client.port": 53134, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -4958,7 +5424,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -4984,6 +5454,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5000,6 +5472,8 @@ { "@timestamp": "2018-11-30T16:45:16.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 11634, "client.port": 53135, "destination.address": "23.72.145.245", "destination.as.number": 16625, @@ -5042,7 +5516,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5068,6 +5546,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", + "server.nat.ip": "23.72.145.245", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5084,6 +5564,8 @@ { "@timestamp": "2018-11-30T16:45:26.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 30818, "client.port": 53152, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5129,7 +5611,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5155,6 +5641,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5171,6 +5659,8 @@ { "@timestamp": "2018-11-30T16:45:26.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 64260, "client.port": 53155, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5216,7 +5706,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5242,6 +5736,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5258,6 +5754,8 @@ { "@timestamp": "2018-11-30T16:45:26.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 7071, "client.port": 53158, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5303,7 +5801,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5329,6 +5831,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5345,6 +5849,8 @@ { "@timestamp": "2018-11-30T16:45:26.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 4512, "client.port": 53160, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5390,7 +5896,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5416,6 +5926,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5432,6 +5944,8 @@ { "@timestamp": "2018-11-30T16:45:26.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 3422, "client.port": 53161, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5477,7 +5991,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5503,6 +6021,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5519,6 +6039,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 4651, "client.port": 53162, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5564,7 +6086,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5590,6 +6116,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5606,6 +6134,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 19068, "client.port": 53163, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5651,7 +6181,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5677,6 +6211,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5693,6 +6229,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5831, "client.port": 53164, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5738,7 +6276,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", @@ -5764,6 +6306,8 @@ ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5780,6 +6324,8 @@
 {
 "@timestamp": "2018-11-30T16:45:27.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 7084,
 "client.port": 53165,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -5825,7 +6371,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5851,6 +6401,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -5867,6 +6419,8 @@
 {
 "@timestamp": "2018-11-30T16:45:27.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 18633,
 "client.port": 53166,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -5912,7 +6466,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -5938,6 +6496,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -5954,6 +6514,8 @@
 {
 "@timestamp": "2018-11-30T16:45:27.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 25557,
 "client.port": 53167,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -5999,7 +6561,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6025,6 +6591,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -6041,6 +6609,8 @@
 {
 "@timestamp": "2018-11-30T16:45:27.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 20661,
 "client.port": 53150,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -6086,7 +6656,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6112,6 +6686,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -6128,6 +6704,8 @@
 {
 "@timestamp": "2018-11-30T16:45:28.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 65438,
 "client.port": 53185,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -6173,7 +6751,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6199,6 +6781,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -6215,6 +6799,8 @@
 {
 "@timestamp": "2018-11-30T16:45:28.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 53101,
 "client.port": 53187,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -6260,7 +6846,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6286,6 +6876,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -6302,6 +6894,8 @@
 {
 "@timestamp": "2018-11-30T16:45:28.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 35463,
 "client.port": 53188,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -6347,7 +6941,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6373,6 +6971,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -6389,6 +6989,8 @@
 {
 "@timestamp": "2018-11-30T16:45:29.000-02:00",
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 45769,
 "client.port": 53178,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -6434,7 +7036,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "block-url",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -6460,6 +7066,8 @@
 ],
 "rule.name": "new_outbound_from_trust",
 "server.ip": "54.209.101.70",
+ "server.nat.ip": "54.209.101.70",
+ "server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
index 9e1333f9fb8..bb3e9809c3e 100644
--- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
@@ -3,12 +3,14 @@
 "@timestamp": "2018-11-30T16:09:07.000-02:00",
 "client.bytes": 1758,
 "client.ip": "192.168.15.207",
- "client.packets": 20,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 16418,
+ "client.packets": 16,
 "client.port": 55113,
 "destination.address": "184.51.253.152",
 "destination.as.number": 16625,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.bytes": 1758,
+ "destination.bytes": 5976,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -16,7 +18,7 @@
 "destination.ip": "184.51.253.152",
 "destination.nat.ip": "184.51.253.152",
 "destination.nat.port": 443,
- "destination.packets": 16,
+ "destination.packets": 20,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
@@ -51,7 +53,11 @@
 "network.packets": 36,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -76,15 +82,17 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 5976,
 "server.ip": "184.51.253.152",
- "server.packets": 16,
+ "server.nat.ip": "184.51.253.152",
+ "server.nat.port": 443,
+ "server.packets": 20,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 5976,
+ "source.bytes": 1758,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 16418,
- "source.packets": 20,
+ "source.packets": 16,
 "source.port": 55113,
 "tags": [
 "pan-os"
@@ -94,6 +102,8 @@
 "@timestamp": "2018-11-30T16:09:09.000-02:00",
 "client.bytes": 588,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
 "destination.address": "8.8.8.8",
@@ -142,7 +152,11 @@
 "network.packets": 12,
 "network.transport": "icmp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -167,6 +181,8 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
 "service.type": "panw",
@@ -185,12 +201,14 @@
 "@timestamp": "2018-11-30T16:09:09.000-02:00",
 "client.bytes": 539,
 "client.ip": "192.168.15.207",
- "client.packets": 5,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 51990,
+ "client.packets": 6,
 "client.port": 55114,
 "destination.address": "17.253.3.202",
 "destination.as.number": 6185,
 "destination.as.organization.name": "Apple Inc.",
- "destination.bytes": 539,
+ "destination.bytes": 1035,
 "destination.geo.city_name": "Dallas",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -201,7 +219,7 @@
 "destination.ip": "17.253.3.202",
 "destination.nat.ip": "17.253.3.202",
 "destination.nat.port": 80,
- "destination.packets": 6,
+ "destination.packets": 5,
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
@@ -236,7 +254,11 @@
 "network.packets": 11,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -261,15 +283,17 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 1035,
 "server.ip": "17.253.3.202",
- "server.packets": 6,
+ "server.nat.ip": "17.253.3.202",
+ "server.nat.port": 80,
+ "server.packets": 5,
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 1035,
+ "source.bytes": 539,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 51990,
- "source.packets": 5,
+ "source.packets": 6,
 "source.port": 55114,
 "tags": [
 "pan-os"
@@ -279,6 +303,8 @@
 "@timestamp": "2018-11-30T16:09:15.000-02:00",
 "client.bytes": 588,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
 "destination.address": "8.8.8.8",
@@ -327,7 +353,11 @@
 "network.packets": 12,
 "network.transport": "icmp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -352,6 +382,8 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
 "service.type": "panw",
@@ -370,12 +402,14 @@
 "@timestamp": "2018-11-30T16:09:15.000-02:00",
 "client.bytes": 2014,
 "client.ip": "192.168.15.196",
- "client.packets": 3,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 15252,
+ "client.packets": 5,
 "client.port": 46774,
 "destination.address": "216.58.194.99",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 2014,
+ "destination.bytes": 1613,
 "destination.geo.city_name": "Mountain View",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -386,7 +420,7 @@
 "destination.ip": "216.58.194.99",
 "destination.nat.ip": "216.58.194.99",
 "destination.nat.port": 443,
- "destination.packets": 5,
+ "destination.packets": 3,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
@@ -421,7 +455,11 @@
 "network.packets": 8,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -446,15 +484,17 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 1613,
 "server.ip": "216.58.194.99",
- "server.packets": 5,
+ "server.nat.ip": "216.58.194.99",
+ "server.nat.port": 443,
+ "server.packets": 3,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.196",
- "source.bytes": 1613,
+ "source.bytes": 2014,
 "source.ip": "192.168.15.196",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 15252,
- "source.packets": 3,
+ "source.packets": 5,
 "source.port": 46774,
 "tags": [
 "pan-os"
@@ -464,12 +504,14 @@
 "@timestamp": "2018-11-30T16:09:15.000-02:00",
 "client.bytes": 20642,
 "client.ip": "192.168.15.224",
- "client.packets": 51,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 40763,
+ "client.packets": 62,
 "client.port": 52408,
 "destination.address": "209.234.224.22",
 "destination.as.number": 395162,
 "destination.as.organization.name": "Markit On Demand, Inc.",
- "destination.bytes": 20642,
+ "destination.bytes": 21111,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -477,7 +519,7 @@
 "destination.ip": "209.234.224.22",
 "destination.nat.ip": "209.234.224.22",
 "destination.nat.port": 443,
- "destination.packets": 62,
+ "destination.packets": 51,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
@@ -512,7 +554,11 @@
 "network.packets": 113,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -537,15 +583,17 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 21111,
 "server.ip": "209.234.224.22",
- "server.packets": 62,
+ "server.nat.ip": "209.234.224.22",
+ "server.nat.port": 443,
+ "server.packets": 51,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 21111,
+ "source.bytes": 20642,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 40763,
- "source.packets": 51,
+ "source.packets": 62,
 "source.port": 52408,
 "tags": [
 "pan-os"
@@ -555,6 +603,8 @@
 "@timestamp": "2018-11-30T16:09:21.000-02:00",
 "client.bytes": 588,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
 "destination.address": "8.8.8.8",
@@ -603,7 +653,11 @@
 "network.packets": 12,
 "network.transport": "icmp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -628,6 +682,8 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
 "service.type": "panw",
@@ -646,12 +702,14 @@
 "@timestamp": "2018-11-30T16:09:21.000-02:00",
 "client.bytes": 3365,
 "client.ip": "192.168.15.224",
- "client.packets": 9,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 52881,
+ "client.packets": 7,
 "client.port": 59190,
 "destination.address": "172.217.2.238",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 3365,
+ "destination.bytes": 3732,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -659,7 +717,7 @@
 "destination.ip": "172.217.2.238",
 "destination.nat.ip": "172.217.2.238",
 "destination.nat.port": 443,
- "destination.packets": 7,
+ "destination.packets": 9,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
@@ -694,7 +752,11 @@
 "network.packets": 16,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -719,15 +781,17 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 3732,
 "server.ip": "172.217.2.238",
- "server.packets": 7,
+ "server.nat.ip": "172.217.2.238",
+ "server.nat.port": 443,
+ "server.packets": 9,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 3732,
+ "source.bytes": 3365,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 52881,
- "source.packets": 9,
+ "source.packets": 7,
 "source.port": 59190,
 "tags": [
 "pan-os"
@@ -737,12 +801,14 @@
 "@timestamp": "2018-11-30T16:09:22.000-02:00",
 "client.bytes": 80,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 26654,
 "client.packets": 1,
 "client.port": 49728,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 80,
+ "destination.bytes": 221,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -785,7 +851,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -810,11 +880,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 221,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 221,
+ "source.bytes": 80,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 26654,
@@ -828,12 +900,14 @@
 "@timestamp": "2018-11-30T16:09:23.000-02:00",
 "client.bytes": 77,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 2486,
 "client.packets": 1,
 "client.port": 50500,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 77,
+ "destination.bytes": 221,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -876,7 +950,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -901,11 +979,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 221,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 221,
+ "source.bytes": 77,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 2486,
@@ -919,12 +999,14 @@
 "@timestamp": "2018-11-30T16:09:24.000-02:00",
 "client.bytes": 4509,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 42021,
 "client.packets": 16,
 "client.port": 55112,
 "destination.address": "17.249.60.78",
 "destination.as.number": 714,
 "destination.as.organization.name": "Apple Inc.",
- "destination.bytes": 4509,
+ "destination.bytes": 5469,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -967,7 +1049,11 @@
 "network.packets": 32,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -992,11 +1078,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 5469,
 "server.ip": "17.249.60.78",
+ "server.nat.ip": "17.249.60.78",
+ "server.nat.port": 443,
 "server.packets": 16,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 5469,
+ "source.bytes": 4509,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 42021,
@@ -1010,12 +1098,14 @@
 "@timestamp": "2018-11-30T16:09:24.000-02:00",
 "client.bytes": 73,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 24377,
 "client.packets": 1,
 "client.port": 57632,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 73,
+ "destination.bytes": 224,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1058,7 +1148,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1083,11 +1177,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 224,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 224,
+ "source.bytes": 73,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 24377,
@@ -1101,12 +1197,14 @@
 "@timestamp": "2018-11-30T16:09:24.000-02:00",
 "client.bytes": 69,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 48792,
 "client.packets": 1,
 "client.port": 50271,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 69,
+ "destination.bytes": 117,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1149,7 +1247,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1174,11 +1276,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 117,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 117,
+ "source.bytes": 69,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 48792,
@@ -1192,12 +1296,14 @@
 "@timestamp": "2018-11-30T16:09:24.000-02:00",
 "client.bytes": 85,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 2987,
 "client.packets": 1,
 "client.port": 54061,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 85,
+ "destination.bytes": 307,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1240,7 +1346,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1265,11 +1375,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 307,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 307,
+ "source.bytes": 85,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 2987,
@@ -1283,12 +1395,14 @@
 "@timestamp": "2018-11-30T16:09:24.000-02:00",
 "client.bytes": 75,
 "client.ip": "192.168.15.207",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 6945,
 "client.packets": 1,
 "client.port": 52701,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 75,
+ "destination.bytes": 365,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1331,7 +1445,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1356,11 +1474,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 365,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.207",
- "source.bytes": 365,
+ "source.bytes": 75,
 "source.ip": "192.168.15.207",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 6945,
@@ -1374,6 +1494,8 @@
 "@timestamp": "2018-11-30T16:09:27.000-02:00",
 "client.bytes": 588,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
 "destination.address": "8.8.8.8",
@@ -1422,7 +1544,11 @@
 "network.packets": 12,
 "network.transport": "icmp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1447,6 +1573,8 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
 "service.type": "panw",
@@ -1465,12 +1593,14 @@
 "@timestamp": "2018-11-30T16:09:27.000-02:00",
 "client.bytes": 97,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 42208,
 "client.packets": 1,
 "client.port": 62503,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 97,
+ "destination.bytes": 161,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1513,7 +1643,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1538,11 +1672,13 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 161,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 161,
+ "source.bytes": 97,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 42208,
@@ -1556,12 +1692,14 @@
 "@timestamp": "2018-11-30T16:09:28.000-02:00",
 "client.bytes": 2086,
 "client.ip": "192.168.15.224",
- "client.packets": 13,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 14660,
+ "client.packets": 14,
 "client.port": 52442,
 "destination.address": "98.138.49.44",
 "destination.as.number": 36646,
 "destination.as.organization.name": "Oath Holdings Inc.",
- "destination.bytes": 2086,
+ "destination.bytes": 7805,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1569,7 +1707,7 @@
 "destination.ip": "98.138.49.44",
 "destination.nat.ip": "98.138.49.44",
 "destination.nat.port": 443,
- "destination.packets": 14,
+ "destination.packets": 13,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
@@ -1604,7 +1742,11 @@
 "network.packets": 27,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
@@ -1629,15 +1771,17 @@
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 7805,
 "server.ip": "98.138.49.44",
- "server.packets": 14,
+ "server.nat.ip": "98.138.49.44",
+ "server.nat.port": 443,
+ "server.packets": 13,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 7805,
+ "source.bytes": 2086,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 14660,
- "source.packets": 13,
+ "source.packets": 14,
 "source.port": 52442,
 "tags": [
 "pan-os"
@@ -1647,12 +1791,14 @@
 "@timestamp": "2018-11-30T16:09:28.000-02:00",
 "client.bytes": 2354,
 "client.ip": "192.168.15.224",
- "client.packets": 11,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 16483,
+ "client.packets": 13,
 "client.port": 52441,
 "destination.address": "72.30.3.43",
 "destination.as.number": 26101,
 "destination.as.organization.name": "Oath Holdings Inc.",
- "destination.bytes": 2354,
+ "destination.bytes": 6106,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -1660,7 +1806,7 @@
 "destination.ip": "72.30.3.43",
 "destination.nat.ip": "72.30.3.43",
 "destination.nat.port": 443,
- "destination.packets": 13,
+ "destination.packets": 11,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
@@ -1695,7 +1841,11 @@ "network.packets": 24, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1720,15 +1870,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 6106, "server.ip": "72.30.3.43", - "server.packets": 13, + "server.nat.ip": "72.30.3.43", + "server.nat.port": 443, + "server.packets": 11, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 6106, + "source.bytes": 2354, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 16483, - "source.packets": 11, + "source.packets": 13, "source.port": 52441, "tags": [ "pan-os" @@ -1738,6 +1890,8 @@ "@timestamp": "2018-11-30T16:09:29.000-02:00", "client.bytes": 196, "client.ip": "192.168.15.196", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 2, "client.port": 0, "destination.address": "8.8.8.8", @@ -1786,7 +1940,11 @@ "network.packets": 4, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1811,6 +1969,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 196, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 2, "server.port": 0, "service.type": "panw", 
@@ -1829,12 +1989,14 @@ "@timestamp": "2018-11-30T16:09:29.000-02:00", "client.bytes": 2545, "client.ip": "192.168.15.224", - "client.packets": 17, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5570, + "client.packets": 19, "client.port": 52355, "destination.address": "172.217.9.142", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 2545, + "destination.bytes": 3245, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1842,7 +2004,7 @@ "destination.ip": "172.217.9.142", "destination.nat.ip": "172.217.9.142", "destination.nat.port": 80, - "destination.packets": 19, + "destination.packets": 17, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -1877,7 +2039,11 @@ "network.packets": 36, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1902,15 +2068,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 3245, "server.ip": "172.217.9.142", - "server.packets": 19, + "server.nat.ip": "172.217.9.142", + "server.nat.port": 80, + "server.packets": 17, "server.port": 80, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 3245, + "source.bytes": 2545, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 5570, - "source.packets": 17, + "source.packets": 19, "source.port": 52355, "tags": [ "pan-os" 
@@ -1920,12 +2088,14 @@ "@timestamp": "2018-11-30T16:09:29.000-02:00", "client.bytes": 82, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 24430, "client.packets": 1, "client.port": 50196, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 82, + "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1968,7 +2138,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -1993,11 +2167,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 179, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 179, + "source.bytes": 82, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 24430, @@ -2011,12 +2187,14 @@ "@timestamp": "2018-11-30T16:09:30.000-02:00", "client.bytes": 1758, "client.ip": "192.168.15.224", - "client.packets": 12, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 12122, + "client.packets": 13, "client.port": 52454, "destination.address": "54.84.80.198", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 1758, + "destination.bytes": 4537, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -2027,7 +2205,7 @@ "destination.ip": "54.84.80.198", "destination.nat.ip": "54.84.80.198", "destination.nat.port": 443, - "destination.packets": 13, + "destination.packets": 12, "destination.port": 443, "event.action": "flow_started", "event.category": [ @@ -2062,7 +2240,11 @@ "network.packets": 25, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2087,15 +2269,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 4537, "server.ip": "54.84.80.198", - "server.packets": 13, + "server.nat.ip": "54.84.80.198", + "server.nat.port": 443, + "server.packets": 12, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 4537, + "source.bytes": 1758, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 12122, - "source.packets": 12, + "source.packets": 13, "source.port": 52454, "tags": [ "pan-os" @@ -2105,10 +2289,12 @@ "@timestamp": "2018-11-30T16:09:32.000-02:00", "client.bytes": 624, "client.ip": "192.168.15.224", - "client.packets": 0, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 49145, + "client.packets": 8, "client.port": 52445, "destination.address": "199.167.55.52", - "destination.bytes": 624, + "destination.bytes": 0, "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2119,7 +2305,7 @@ "destination.ip": "199.167.55.52", "destination.nat.ip": "199.167.55.52", "destination.nat.port": 4282, - "destination.packets": 8, + "destination.packets": 0, "destination.port": 4282, "event.action": "flow_dropped", "event.category": [ 
@@ -2154,7 +2340,11 @@ "network.packets": 8, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2179,15 +2369,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 0, "server.ip": "199.167.55.52", - "server.packets": 8, + "server.nat.ip": "199.167.55.52", + "server.nat.port": 4282, + "server.packets": 0, "server.port": 4282, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 0, + "source.bytes": 624, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 49145, - "source.packets": 0, + "source.packets": 8, "source.port": 52445, "tags": [ "pan-os" @@ -2197,6 +2389,8 @@ "@timestamp": "2018-11-30T16:09:33.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -2245,7 +2439,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2270,6 +2468,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", 
@@ -2288,12 +2488,14 @@ "@timestamp": "2018-11-30T16:09:34.000-02:00", "client.bytes": 85, "client.ip": "192.168.15.210", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 33110, "client.packets": 1, "client.port": 35485, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 85, + "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2333,7 +2535,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2358,11 +2564,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 130, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.210", - "source.bytes": 130, + "source.bytes": 85, "source.ip": "192.168.15.210", "source.nat.ip": "192.168.1.63", "source.nat.port": 33110, @@ -2376,12 +2584,14 @@ "@timestamp": "2018-11-30T16:09:37.000-02:00", "client.bytes": 2876, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 9299, "client.packets": 6, "client.port": 62730, "destination.address": "172.217.9.142", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 2876, + "destination.bytes": 1991, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -2421,7 +2631,11 @@ "network.packets": 12, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2446,11 +2660,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 1991, "server.ip": "172.217.9.142", + "server.nat.ip": "172.217.9.142", + "server.nat.port": 443, "server.packets": 6, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 1991, + "source.bytes": 2876, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 9299, @@ -2464,12 +2680,14 @@ "@timestamp": "2018-11-30T16:09:38.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 5, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 47194, + "client.packets": 8, "client.port": 52506, "destination.address": "151.101.2.2", "destination.as.number": 54113, "destination.as.organization.name": "Fastly", - "destination.bytes": 1100, + "destination.bytes": 523, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2477,7 +2695,7 @@ "destination.ip": "151.101.2.2", "destination.nat.ip": "151.101.2.2", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 5, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -2512,7 +2730,11 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2537,15 +2759,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 523, "server.ip": "151.101.2.2", - "server.packets": 8, + "server.nat.ip": "151.101.2.2", + "server.nat.port": 443, + "server.packets": 5, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 523, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 47194, - "source.packets": 5, + "source.packets": 8, "source.port": 52506, "tags": [ "pan-os" @@ -2555,12 +2779,14 @@ "@timestamp": "2018-11-30T16:09:38.000-02:00", "client.bytes": 1977, "client.ip": "192.168.15.224", - "client.packets": 4, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 62921, + "client.packets": 5, "client.port": 60596, "destination.address": "216.58.194.66", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 1977, + "destination.bytes": 2428, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2571,7 +2797,7 @@ "destination.ip": "216.58.194.66", "destination.nat.ip": "216.58.194.66", "destination.nat.port": 443, - "destination.packets": 5, + "destination.packets": 4, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -2606,7 +2832,11 @@ "network.packets": 9, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2631,15 +2861,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 2428, "server.ip": "216.58.194.66", - "server.packets": 5, + "server.nat.ip": "216.58.194.66", + "server.nat.port": 443, + "server.packets": 4, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 2428, + "source.bytes": 1977, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 62921, - "source.packets": 4, + "source.packets": 5, "source.port": 60596, "tags": [ "pan-os" @@ -2649,6 +2881,8 @@ "@timestamp": "2018-11-30T16:09:39.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -2697,7 +2931,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2722,6 +2960,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", 
@@ -2740,6 +2980,8 @@ "@timestamp": "2018-11-30T16:09:39.000-02:00", "client.bytes": 196, "client.ip": "192.168.15.210", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 2, "client.port": 0, "destination.address": "8.8.8.8", @@ -2788,7 +3030,11 @@ "network.packets": 4, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2813,6 +3059,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 196, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 2, "server.port": 0, "service.type": "panw", @@ -2831,12 +3079,14 @@ "@timestamp": "2018-11-30T16:09:39.000-02:00", "client.bytes": 2228, "client.ip": "192.168.15.224", - "client.packets": 10, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 41958, + "client.packets": 12, "client.port": 52514, "destination.address": "184.51.253.193", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 2228, + "destination.bytes": 5003, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2844,7 +3094,7 @@ "destination.ip": "184.51.253.193", "destination.nat.ip": "184.51.253.193", "destination.nat.port": 443, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -2879,7 +3129,11 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -2904,15 +3158,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 5003, "server.ip": "184.51.253.193", - "server.packets": 12, + "server.nat.ip": "184.51.253.193", + "server.nat.port": 443, + "server.packets": 10, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 5003, + "source.bytes": 2228, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 41958, - "source.packets": 10, + "source.packets": 12, "source.port": 52514, "tags": [ "pan-os" @@ -2922,12 +3178,14 @@ "@timestamp": "2018-11-30T16:09:40.000-02:00", "client.bytes": 96, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 51374, "client.packets": 1, "client.port": 55155, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 96, + "destination.bytes": 171, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2970,7 +3228,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -2995,11 +3257,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 171, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 171, + "source.bytes": 96, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 51374, @@ -3013,10 +3277,12 @@ "@timestamp": "2018-11-30T16:09:40.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", - "client.packets": 0, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 25566, + "client.packets": 1, "client.port": 52445, "destination.address": "199.167.55.52", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3027,7 +3293,7 @@ "destination.ip": "199.167.55.52", "destination.nat.ip": "199.167.55.52", "destination.nat.port": 4282, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 4282, "event.action": "flow_terminated", "event.category": [ @@ -3062,7 +3328,11 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -3087,15 +3357,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 0, "server.ip": "199.167.55.52", - "server.packets": 1, + "server.nat.ip": "199.167.55.52", + "server.nat.port": 4282, + "server.packets": 0, "server.port": 4282, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 25566, - "source.packets": 0, + "source.packets": 1, "source.port": 52445, "tags": [ "pan-os" @@ -3105,12 +3377,14 @@ "@timestamp": "2018-11-30T16:09:42.000-02:00", "client.bytes": 1086, "client.ip": "192.168.15.224", - "client.packets": 9, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 63757, + "client.packets": 11, "client.port": 52516, "destination.address": "199.167.52.219", "destination.as.number": 54538, "destination.as.organization.name": "PALO ALTO NETWORKS", - "destination.bytes": 1086, + "destination.bytes": 2316, "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3121,7 +3395,7 @@ "destination.ip": "199.167.52.219", "destination.nat.ip": "199.167.52.219", "destination.nat.port": 17472, - "destination.packets": 11, + "destination.packets": 9, "destination.port": 17472, "event.action": "flow_terminated", "event.category": [ @@ -3156,7 +3430,11 @@ "network.packets": 20, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -3181,15 +3459,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 2316, "server.ip": "199.167.52.219", - "server.packets": 11, + "server.nat.ip": "199.167.52.219", + "server.nat.port": 17472, + "server.packets": 9, "server.port": 17472, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 2316, + "source.bytes": 1086, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 63757, - "source.packets": 9, + "source.packets": 11, "source.port": 52516, "tags": [ "pan-os" @@ -3199,12 +3479,14 @@ "@timestamp": "2018-11-30T16:09:42.000-02:00", "client.bytes": 2628, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 3803, "client.packets": 19, "client.port": 52511, "destination.address": "52.71.117.196", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 2628, + "destination.bytes": 13966, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3250,7 +3532,11 @@ "network.packets": 38, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3275,11 +3561,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 13966, "server.ip": "52.71.117.196", + "server.nat.ip": "52.71.117.196", + "server.nat.port": 443, "server.packets": 19, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 13966, + "source.bytes": 2628, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 3803, 
@@ -3293,12 +3581,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 79, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 34994, "client.packets": 1, "client.port": 3018, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 79, + "destination.bytes": 244, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3341,7 +3631,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3366,11 +3660,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 244, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 244, + "source.bytes": 79, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 34994, @@ -3384,12 +3680,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 95, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 38064, "client.packets": 1, "client.port": 16569, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 95, + "destination.bytes": 205, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -3432,7 +3730,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3457,11 +3759,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 205, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 205, + "source.bytes": 95, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 38064, @@ -3475,12 +3779,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 4296, "client.ip": "192.168.15.224", - "client.packets": 20, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42924, + "client.packets": 24, "client.port": 52479, "destination.address": "35.186.194.41", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 4296, + "destination.bytes": 2302, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3491,7 +3797,7 @@ "destination.ip": "35.186.194.41", "destination.nat.ip": "35.186.194.41", "destination.nat.port": 443, - "destination.packets": 24, + "destination.packets": 20, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -3526,7 +3832,11 @@ "network.packets": 44, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3551,15 +3861,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 2302, "server.ip": "35.186.194.41", - "server.packets": 24, + "server.nat.ip": "35.186.194.41", + "server.nat.port": 443, + "server.packets": 20, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 2302, + "source.bytes": 4296, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 42924, - "source.packets": 20, + "source.packets": 24, "source.port": 52479, "tags": [ "pan-os" @@ -3569,19 +3881,21 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 58831, "client.ip": "192.168.15.224", - "client.packets": 41, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 58977, + "client.packets": 63, "client.port": 52478, "destination.address": "35.201.124.9", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 58831, + "destination.bytes": 6757, "destination.geo.continent_name": "Asia", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 105.0, "destination.ip": "35.201.124.9", "destination.nat.ip": "35.201.124.9", "destination.nat.port": 443, - "destination.packets": 63, + "destination.packets": 41, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -3616,7 +3930,11 @@ "network.packets": 104, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3641,15 +3959,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 6757, "server.ip": "35.201.124.9", - "server.packets": 63, + "server.nat.ip": "35.201.124.9", + "server.nat.port": 443, + "server.packets": 41, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 6757, + "source.bytes": 58831, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 58977, - "source.packets": 41, + "source.packets": 63, "source.port": 52478, "tags": [ "pan-os" @@ -3659,12 +3979,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 4069, "client.ip": "192.168.15.224", - "client.packets": 15, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 64732, + "client.packets": 17, "client.port": 52502, "destination.address": "100.24.131.237", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 4069, + "destination.bytes": 9007, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3675,7 +3997,7 @@ "destination.ip": "100.24.131.237", "destination.nat.ip": "100.24.131.237", "destination.nat.port": 443, - "destination.packets": 17, + "destination.packets": 15, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -3710,7 +4032,11 @@ "network.packets": 32, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3735,15 +4061,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 9007, "server.ip": "100.24.131.237", - "server.packets": 17, + "server.nat.ip": "100.24.131.237", + "server.nat.port": 443, + "server.packets": 15, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 9007, + "source.bytes": 4069, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 64732, - "source.packets": 15, + "source.packets": 17, "source.port": 52502, "tags": [ "pan-os" @@ -3753,12 +4081,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 58292, + "client.packets": 8, "client.port": 52458, "destination.address": "184.51.252.247", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 1100, + "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3766,7 +4096,7 @@ "destination.ip": "184.51.252.247", "destination.nat.ip": "184.51.252.247", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -3801,7 +4131,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3826,15 +4160,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 661, "server.ip": "184.51.252.247", - "server.packets": 8, + "server.nat.ip": "184.51.252.247", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 661, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 58292, - "source.packets": 7, + "source.packets": 8, "source.port": 52458, "tags": [ "pan-os" @@ -3844,12 +4180,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 3596, "client.ip": "192.168.15.224", - "client.packets": 16, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 32209, + "client.packets": 15, "client.port": 52484, "destination.address": "35.190.88.148", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3596, + "destination.bytes": 11136, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3860,7 +4198,7 @@ "destination.ip": "35.190.88.148", "destination.nat.ip": "35.190.88.148", "destination.nat.port": 443, - "destination.packets": 15, + "destination.packets": 16, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -3895,7 +4233,11 @@ "network.packets": 31, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -3920,15 +4262,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 11136, "server.ip": "35.190.88.148", - "server.packets": 15, + "server.nat.ip": "35.190.88.148", + "server.nat.port": 443, + "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 11136, + "source.bytes": 3596, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 32209, - "source.packets": 16, + "source.packets": 15, "source.port": 52484, "tags": [ "pan-os" @@ -3938,12 +4282,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 3596, "client.ip": "192.168.15.224", - "client.packets": 16, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 38822, + "client.packets": 15, "client.port": 52482, "destination.address": "35.186.243.83", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3596, + "destination.bytes": 11136, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3954,7 +4300,7 @@ "destination.ip": "35.186.243.83", "destination.nat.ip": "35.186.243.83", "destination.nat.port": 443, - "destination.packets": 15, + "destination.packets": 16, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -3989,7 +4335,11 @@ "network.packets": 31, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4014,15 +4364,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 11136, "server.ip": "35.186.243.83", - "server.packets": 15, + "server.nat.ip": "35.186.243.83", + "server.nat.port": 443, + "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 11136, + "source.bytes": 3596, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 38822, - "source.packets": 16, + "source.packets": 15, "source.port": 52482, "tags": [ "pan-os" @@ -4032,12 +4384,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 84, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16044, "client.packets": 1, "client.port": 33769, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 84, + "destination.bytes": 182, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4080,7 +4434,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -4105,11 +4463,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 182, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 182, + "source.bytes": 84, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 16044, @@ -4123,12 +4483,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 74, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 56614, "client.packets": 1, "client.port": 14106, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 74, + "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4171,7 +4533,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4196,11 +4562,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 90, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 90, + "source.bytes": 74, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 56614, 
@@ -4214,12 +4582,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 2731, "client.ip": "192.168.15.224", - "client.packets": 13, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 53168, + "client.packets": 17, "client.port": 52503, "destination.address": "100.24.165.74", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 2731, + "destination.bytes": 6669, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4230,7 +4600,7 @@ "destination.ip": "100.24.165.74", "destination.nat.ip": "100.24.165.74", "destination.nat.port": 443, - "destination.packets": 17, + "destination.packets": 13, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ @@ -4265,7 +4635,11 @@ "network.packets": 30, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4290,15 +4664,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 6669, "server.ip": "100.24.165.74", - "server.packets": 17, + "server.nat.ip": "100.24.165.74", + "server.nat.port": 443, + "server.packets": 13, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 6669, + "source.bytes": 2731, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 53168, - "source.packets": 13, + "source.packets": 17, "source.port": 52503, "tags": [ "pan-os" 
@@ -4308,12 +4684,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 28012, + "client.packets": 8, "client.port": 52459, "destination.address": "184.51.252.247", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 1100, + "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4321,7 +4699,7 @@ "destination.ip": "184.51.252.247", "destination.nat.ip": "184.51.252.247", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ @@ -4356,7 +4734,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "xtrust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4381,15 +4763,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 661, "server.ip": "184.51.252.247", - "server.packets": 8, + "server.nat.ip": "184.51.252.247", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 661, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 28012, - "source.packets": 7, + "source.packets": 8, "source.port": 52459, "tags": [ "pan-os" 
@@ -4399,19 +4783,21 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 3596, "client.ip": "192.168.15.224", - "client.packets": 16, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16050, + "client.packets": 15, "client.port": 52483, "destination.address": "35.201.94.140", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3596, + "destination.bytes": 11136, "destination.geo.continent_name": "Asia", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 105.0, "destination.ip": "35.201.94.140", "destination.nat.ip": "35.201.94.140", "destination.nat.port": 443, - "destination.packets": 15, + "destination.packets": 16, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ @@ -4446,7 +4832,11 @@ "network.packets": 31, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "xuntrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4471,15 +4861,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 11136, "server.ip": "35.201.94.140", - "server.packets": 15, + "server.nat.ip": "35.201.94.140", + "server.nat.port": 443, + "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 11136, + "source.bytes": 3596, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 16050, - "source.packets": 16, + "source.packets": 15, "source.port": 52483, "tags": [ "pan-os" 
@@ -4489,6 +4881,8 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -4537,7 +4931,9 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4560,6 +4956,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -4578,12 +4976,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 84, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 61722, "client.packets": 1, "client.port": 38663, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 84, + "destination.bytes": 144, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4626,7 +5026,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -4651,11 +5055,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 144, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 144, + "source.bytes": 84, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 61722, @@ -4669,12 +5075,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 131, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 14247, "client.packets": 1, "client.port": 50443, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 131, + "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4717,7 +5125,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4742,11 +5154,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 206, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 206, + "source.bytes": 131, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 14247, 
@@ -4760,12 +5174,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 131, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 33580, "client.packets": 1, "client.port": 54215, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 131, + "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4808,7 +5224,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4833,11 +5253,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 206, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 206, + "source.bytes": 131, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 33580, @@ -4851,12 +5273,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 83, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13498, "client.packets": 1, "client.port": 35827, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 83, + "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -4899,7 +5323,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -4924,11 +5352,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 169, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 169, + "source.bytes": 83, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 13498, @@ -4942,12 +5372,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 100, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 20365, "client.packets": 1, "client.port": 60609, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 100, + "destination.bytes": 132, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4990,7 +5422,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -5015,11 +5451,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 132, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 132, + "source.bytes": 100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 20365, @@ -5033,12 +5471,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 79, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 61464, "client.packets": 1, "client.port": 3248, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 79, + "destination.bytes": 127, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5081,7 +5521,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5106,11 +5550,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 127, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 127, + "source.bytes": 79, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 61464, 
@@ -5124,12 +5570,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 89, "client.ip": "192.168.15.196", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42877, "client.packets": 1, "client.port": 49284, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 89, + "destination.bytes": 105, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5172,7 +5620,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5197,11 +5649,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 105, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.196", - "source.bytes": 105, + "source.bytes": 89, "source.ip": "192.168.15.196", "source.nat.ip": "192.168.1.63", "source.nat.port": 42877, @@ -5215,12 +5669,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 97, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5918, "client.packets": 1, "client.port": 57732, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 97, + "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -5263,7 +5719,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5288,11 +5748,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 172, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 172, + "source.bytes": 97, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 5918, @@ -5306,12 +5768,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 28944, "client.packets": 1, "client.port": 49195, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 78, + "destination.bytes": 134, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5354,7 +5818,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -5379,11 +5847,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 134, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 134, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 28944, @@ -5397,12 +5867,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 73, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13415, "client.packets": 1, "client.port": 17266, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 73, + "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5445,7 +5917,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5470,11 +5946,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 179, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 179, + "source.bytes": 73, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 13415, 
@@ -5488,12 +5966,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 90, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2489, "client.packets": 1, "client.port": 48631, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 90, + "destination.bytes": 218, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5536,7 +6016,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5561,11 +6045,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 218, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 218, + "source.bytes": 90, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 2489, @@ -5579,12 +6065,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 77, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 49328, "client.packets": 1, "client.port": 58540, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 77, + "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -5627,7 +6115,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5652,11 +6144,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 172, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 172, + "source.bytes": 77, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 49328, @@ -5670,12 +6164,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 74, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 36036, "client.packets": 1, "client.port": 42678, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 74, + "destination.bytes": 305, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5718,7 +6214,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -5743,11 +6243,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 305, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 305, + "source.bytes": 74, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 36036, @@ -5761,12 +6263,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 76, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 33744, "client.packets": 1, "client.port": 16576, "destination.address": "66.28.0.45", "destination.as.number": 174, "destination.as.organization.name": "Cogent Communications", - "destination.bytes": 76, + "destination.bytes": 527, "destination.geo.city_name": "Lanham", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5812,7 +6316,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5837,11 +6345,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 527, "server.ip": "66.28.0.45", + "server.nat.ip": "66.28.0.45", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 527, + "source.bytes": 76, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 33744, 
@@ -5855,12 +6365,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 89, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 45809, "client.packets": 1, "client.port": 39830, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 89, + "destination.bytes": 153, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5903,7 +6415,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -5928,11 +6444,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 153, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 153, + "source.bytes": 89, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 45809, @@ -5946,12 +6464,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 71, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 3675, "client.packets": 1, "client.port": 6185, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 71, + "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -5994,7 +6514,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6019,11 +6543,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 169, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 169, + "source.bytes": 71, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 3675, @@ -6037,12 +6563,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 80, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5787, "client.packets": 1, "client.port": 8781, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 80, + "destination.bytes": 128, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -6085,7 +6613,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -6110,11 +6642,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 128, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 128, + "source.bytes": 80, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 5787, @@ -6128,12 +6662,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 72, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 12342, "client.packets": 1, "client.port": 16788, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 72, + "destination.bytes": 181, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -6176,7 +6712,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6201,11 +6741,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 181, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 181, + "source.bytes": 72, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 12342, 
@@ -6219,12 +6761,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 76, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 18729, "client.packets": 1, "client.port": 45307, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 76, + "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -6267,7 +6811,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6292,11 +6840,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 121, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 121, + "source.bytes": 76, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 18729, @@ -6310,12 +6860,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 681, "client.ip": "192.168.15.224", - "client.packets": 5, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 57858, + "client.packets": 6, "client.port": 52520, "destination.address": "23.52.174.25", "destination.as.number": 20940, "destination.as.organization.name": "Akamai International B.V.", - "destination.bytes": 681, + "destination.bytes": 1246, "destination.geo.city_name": "San Antonio", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -6326,7 +6878,7 @@ "destination.ip": "23.52.174.25", "destination.nat.ip": "23.52.174.25", "destination.nat.port": 80, - "destination.packets": 6, + "destination.packets": 5, "destination.port": 80, "event.action": "flow_terminated", "event.category": [ @@ -6361,7 +6913,11 @@ "network.packets": 11, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6386,15 +6942,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 1246, "server.ip": "23.52.174.25", - "server.packets": 6, + "server.nat.ip": "23.52.174.25", + "server.nat.port": 80, + "server.packets": 5, "server.port": 80, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 1246, + "source.bytes": 681, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 57858, - "source.packets": 5, + "source.packets": 6, "source.port": 52520, "tags": [ "pan-os" @@ -6404,12 +6962,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 79, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2722, "client.packets": 1, "client.port": 8503, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 79, + "destination.bytes": 315, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -6452,7 +7012,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6477,11 +7041,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 315, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 315, + "source.bytes": 79, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 2722, @@ -6495,12 +7061,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 82, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 6674, "client.packets": 1, "client.port": 6910, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 82, + "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -6543,7 +7111,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -6568,11 +7140,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 130, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 130, + "source.bytes": 82, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 6674, @@ -6586,12 +7160,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 354, "client.ip": "192.168.15.224", - "client.packets": 4, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 37427, + "client.packets": 5, "client.port": 52475, "destination.address": "54.230.5.228", "destination.as.number": 16509, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 354, + "destination.bytes": 288, "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6602,7 +7178,7 @@ "destination.ip": "54.230.5.228", "destination.nat.ip": "54.230.5.228", "destination.nat.port": 443, - "destination.packets": 5, + "destination.packets": 4, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ @@ -6637,7 +7213,11 @@ "network.packets": 9, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -6662,15 +7242,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 288, "server.ip": "54.230.5.228", - "server.packets": 5, + "server.nat.ip": "54.230.5.228", + "server.nat.port": 443, + "server.packets": 4, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 288, + "source.bytes": 354, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 37427, - "source.packets": 4, + "source.packets": 5, "source.port": 52475, "tags": [ "pan-os" @@ -6680,12 +7262,14 @@ "@timestamp": "2018-11-30T16:09:47.000-02:00", "client.bytes": 76, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22408, "client.packets": 1, "client.port": 14342, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 76, + "destination.bytes": 149, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -6728,7 +7312,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6753,11 +7341,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 149, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 149, + "source.bytes": 76, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 22408, 
@@ -6771,12 +7361,14 @@ "@timestamp": "2018-11-30T16:09:48.000-02:00", "client.bytes": 71, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 27899, "client.packets": 1, "client.port": 48197, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 71, + "destination.bytes": 202, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -6819,7 +7411,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6844,11 +7440,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 202, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 202, + "source.bytes": 71, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 27899, @@ -6862,12 +7460,14 @@ "@timestamp": "2018-11-30T16:09:48.000-02:00", "client.bytes": 75, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 52939, "client.packets": 1, "client.port": 32296, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 75, + "destination.bytes": 195, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -6910,7 +7510,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -6935,11 +7539,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 195, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 195, + "source.bytes": 75, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 52939, @@ -6953,6 +7559,8 @@ "@timestamp": "2018-11-30T16:09:48.000-02:00", "client.bytes": 90, "client.ip": "192.168.15.195", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42907, "client.packets": 1, "client.port": 33870, "destination.address": "208.83.246.20", @@ -7001,7 +7609,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7026,6 +7638,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 90, "server.ip": "208.83.246.20", + "server.nat.ip": "208.83.246.20", + "server.nat.port": 123, "server.packets": 1, "server.port": 123, "service.type": "panw", 
@@ -7044,12 +7658,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 148, "client.ip": "192.168.15.196", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 19658, "client.packets": 2, "client.port": 54659, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 148, + "destination.bytes": 192, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -7091,7 +7707,11 @@ "network.packets": 4, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "drop-icmp", "panw.panos.destination.interface": "ethernet1/1", @@ -7116,11 +7736,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 192, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 2, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.196", - "source.bytes": 192, + "source.bytes": 148, "source.ip": "192.168.15.196", "source.nat.ip": "192.168.1.63", "source.nat.port": 19658, @@ -7134,12 +7756,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 83, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 64352, "client.packets": 1, "client.port": 57446, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 83, + "destination.bytes": 208, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -7181,7 +7805,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "reset-client", "panw.panos.destination.interface": "ethernet1/1", @@ -7206,11 +7834,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 208, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 208, + "source.bytes": 83, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 64352, @@ -7224,12 +7854,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 84, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 60126, "client.packets": 1, "client.port": 22655, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 84, + "destination.bytes": 100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -7271,7 +7903,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "reset-server", "panw.panos.destination.interface": "ethernet1/1", 
@@ -7296,11 +7932,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 100, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 100, + "source.bytes": 84, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 60126, @@ -7314,12 +7952,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 2053, "client.ip": "192.168.15.224", - "client.packets": 11, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 59771, + "client.packets": 13, "client.port": 52509, "destination.address": "35.185.88.112", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 2053, + "destination.bytes": 7237, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 38.6583, @@ -7329,7 +7969,7 @@ "destination.ip": "35.185.88.112", "destination.nat.ip": "35.185.88.112", "destination.nat.port": 443, - "destination.packets": 13, + "destination.packets": 11, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ @@ -7363,7 +8003,11 @@ "network.packets": 24, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", 
@@ -7388,15 +8032,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 7237, "server.ip": "35.185.88.112", - "server.packets": 13, + "server.nat.ip": "35.185.88.112", + "server.nat.port": 443, + "server.packets": 11, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 7237, + "source.bytes": 2053, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 59771, - "source.packets": 11, + "source.packets": 13, "source.port": 52509, "tags": [ "pan-os" @@ -7406,12 +8052,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 93, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 35748, "client.packets": 1, "client.port": 27192, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 93, + "destination.bytes": 109, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -7454,7 +8102,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7479,11 +8131,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 109, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 109, + "source.bytes": 93, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 35748, 
@@ -7497,12 +8151,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 84, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 63701, "client.packets": 1, "client.port": 30221, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 84, + "destination.bytes": 116, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -7545,7 +8201,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7570,11 +8230,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 116, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 116, + "source.bytes": 84, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 63701, @@ -7588,12 +8250,14 @@ "@timestamp": "2018-11-30T16:09:49.000-02:00", "client.bytes": 64, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 57872, "client.packets": 1, "client.port": 30570, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 64, + "destination.bytes": 96, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -7636,7 +8300,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7661,11 +8329,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 96, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 96, + "source.bytes": 64, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 57872, @@ -7679,12 +8349,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 37581, + "client.packets": 8, "client.port": 52497, "destination.address": "50.19.85.24", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 1100, + "destination.bytes": 654, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7695,7 +8367,7 @@ "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -7730,7 +8402,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7755,15 +8431,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 654, "server.ip": "50.19.85.24", - "server.packets": 8, + "server.nat.ip": "50.19.85.24", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 654, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 37581, - "source.packets": 7, + "source.packets": 8, "source.port": 52497, "tags": [ "pan-os" @@ -7773,12 +8451,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 19226, + "client.packets": 8, "client.port": 52498, "destination.address": "50.19.85.24", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 1100, + "destination.bytes": 654, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7789,7 +8469,7 @@ "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -7824,7 +8504,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7849,15 +8533,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 654, "server.ip": "50.19.85.24", - "server.packets": 8, + "server.nat.ip": "50.19.85.24", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 654, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 19226, - "source.packets": 7, + "source.packets": 8, "source.port": 52498, "tags": [ "pan-os" @@ -7867,12 +8553,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 61721, + "client.packets": 8, "client.port": 52496, "destination.address": "50.19.85.24", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 1100, + "destination.bytes": 654, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7883,7 +8571,7 @@ "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -7918,7 +8606,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -7943,15 +8635,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 654, "server.ip": "50.19.85.24", - "server.packets": 8, + "server.nat.ip": "50.19.85.24", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 654, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 61721, - "source.packets": 7, + "source.packets": 8, "source.port": 52496, "tags": [ "pan-os" @@ -7961,12 +8655,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 2691, "client.ip": "192.168.15.224", - "client.packets": 10, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 10098, + "client.packets": 12, "client.port": 52510, "destination.address": "104.254.150.9", "destination.as.number": 29990, "destination.as.organization.name": "AppNexus, Inc", - "destination.bytes": 2691, + "destination.bytes": 7820, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -7974,7 +8670,7 @@ "destination.ip": "104.254.150.9", "destination.nat.ip": "104.254.150.9", "destination.nat.port": 443, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -8009,7 +8705,11 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8034,15 +8734,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 7820, "server.ip": "104.254.150.9", - "server.packets": 12, + "server.nat.ip": "104.254.150.9", + "server.nat.port": 443, + "server.packets": 10, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 7820, + "source.bytes": 2691, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 10098, - "source.packets": 10, + "source.packets": 12, "source.port": 52510, "tags": [ "pan-os" @@ -8052,12 +8754,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 4564, + "client.packets": 8, "client.port": 52495, "destination.address": "50.19.85.24", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 1100, + "destination.bytes": 654, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8068,7 +8772,7 @@ "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -8103,7 +8807,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8128,15 +8836,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 654, "server.ip": "50.19.85.24", - "server.packets": 8, + "server.nat.ip": "50.19.85.24", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 654, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 4564, - "source.packets": 7, + "source.packets": 8, "source.port": 52495, "tags": [ "pan-os" @@ -8146,12 +8856,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 276, "client.ip": "192.168.15.224", - "client.packets": 3, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 32104, + "client.packets": 4, "client.port": 52486, "destination.address": "52.0.218.108", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 276, + "destination.bytes": 214, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8162,7 +8874,7 @@ "destination.ip": "52.0.218.108", "destination.nat.ip": "52.0.218.108", "destination.nat.port": 443, - "destination.packets": 4, + "destination.packets": 3, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -8197,7 +8909,11 @@ "network.packets": 7, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8222,15 +8938,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 214, "server.ip": "52.0.218.108", - "server.packets": 4, + "server.nat.ip": "52.0.218.108", + "server.nat.port": 443, + "server.packets": 3, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 214, + "source.bytes": 276, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 32104, - "source.packets": 3, + "source.packets": 4, "source.port": 52486, "tags": [ "pan-os" @@ -8240,12 +8958,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 276, "client.ip": "192.168.15.224", - "client.packets": 3, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 14172, + "client.packets": 4, "client.port": 52489, "destination.address": "52.6.117.19", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 276, + "destination.bytes": 214, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8256,7 +8976,7 @@ "destination.ip": "52.6.117.19", "destination.nat.ip": "52.6.117.19", "destination.nat.port": 443, - "destination.packets": 4, + "destination.packets": 3, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -8291,7 +9011,11 @@ "network.packets": 7, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8316,15 +9040,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 214, "server.ip": "52.6.117.19", - "server.packets": 4, + "server.nat.ip": "52.6.117.19", + "server.nat.port": 443, + "server.packets": 3, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 214, + "source.bytes": 276, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 14172, - "source.packets": 3, + "source.packets": 4, "source.port": 52489, "tags": [ "pan-os" @@ -8334,12 +9060,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 276, "client.ip": "192.168.15.224", - "client.packets": 3, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 10286, + "client.packets": 4, "client.port": 52490, "destination.address": "34.238.96.22", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 276, + "destination.bytes": 214, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8350,7 +9078,7 @@ "destination.ip": "34.238.96.22", "destination.nat.ip": "34.238.96.22", "destination.nat.port": 443, - "destination.packets": 4, + "destination.packets": 3, "destination.port": 443, "event.action": "flow_terminated", "event.category": [ 
@@ -8385,7 +9113,11 @@ "network.packets": 7, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8410,15 +9142,17 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 214, "server.ip": "34.238.96.22", - "server.packets": 4, + "server.nat.ip": "34.238.96.22", + "server.nat.port": 443, + "server.packets": 3, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 214, + "source.bytes": 276, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 10286, - "source.packets": 3, + "source.packets": 4, "source.port": 52490, "tags": [ "pan-os" @@ -8428,12 +9162,14 @@ "@timestamp": "2018-11-30T16:09:50.000-02:00", "client.bytes": 276, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 30799, "client.packets": 4, "client.port": 52493, "destination.address": "130.211.47.17", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 276, + "destination.bytes": 280, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -8479,7 +9215,11 @@ "network.packets": 8, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8504,11 +9244,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 280, "server.ip": "130.211.47.17", + "server.nat.ip": "130.211.47.17", + "server.nat.port": 443, "server.packets": 4, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 280, + "source.bytes": 276, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 30799, @@ -8522,12 +9264,14 @@ "@timestamp": "2018-11-30T16:09:51.000-02:00", "client.bytes": 97, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13490, "client.packets": 1, "client.port": 59320, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 97, + "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -8570,7 +9314,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8595,11 +9343,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 172, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 172, + "source.bytes": 97, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 13490, 
@@ -8613,6 +9363,8 @@ "@timestamp": "2018-11-30T16:09:52.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -8661,7 +9413,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8686,6 +9442,8 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -8704,12 +9462,14 @@ "@timestamp": "2018-11-30T16:09:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 53751, "client.packets": 1, "client.port": 13076, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 78, + "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -8752,7 +9512,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -8777,11 +9541,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 94, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 94, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 53751, @@ -8795,12 +9561,14 @@ "@timestamp": "2018-11-30T16:09:52.000-02:00", "client.bytes": 72, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 21643, "client.packets": 1, "client.port": 5511, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 72, + "destination.bytes": 170, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -8843,7 +9611,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8868,11 +9640,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 170, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 170, + "source.bytes": 72, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 21643, 
@@ -8886,12 +9660,14 @@ "@timestamp": "2018-11-30T16:09:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22446, "client.packets": 1, "client.port": 9799, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 78, + "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -8934,7 +9710,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -8959,11 +9739,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 94, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 94, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 22446, @@ -8977,12 +9759,14 @@ "@timestamp": "2018-11-30T16:09:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22301, "client.packets": 1, "client.port": 39169, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 78, + "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -9025,7 +9809,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", @@ -9050,11 +9838,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 94, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 94, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 22301, @@ -9068,12 +9858,14 @@ "@timestamp": "2018-11-30T16:09:52.000-02:00", "client.bytes": 72, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 58124, "client.packets": 1, "client.port": 42476, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 72, + "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -9116,7 +9908,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", 
@@ -9141,11 +9937,13 @@ "rule.name": "new_outbound_from_trust", "server.bytes": 166, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 166, + "source.bytes": 72, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 58124,