From 79dd2750076f5829db37d936cc94d6640ac1430d Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Tue, 2 Apr 2019 19:35:04 +0200 Subject: [PATCH 01/10] PAN-OS module --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 235 + filebeat/docs/modules_list.asciidoc | 2 + x-pack/filebeat/filebeat.reference.yml | 12 + x-pack/filebeat/include/list.go | 1 + x-pack/filebeat/module/palo_alto/README.md | 6 + .../module/palo_alto/_meta/config.yml | 10 + .../module/palo_alto/_meta/docs.asciidoc | 175 + .../module/palo_alto/_meta/fields.yml | 10 + x-pack/filebeat/module/palo_alto/fields.go | 23 + .../module/palo_alto/log/_meta/fields.yml | 119 + .../module/palo_alto/log/config/input.yml | 156 + .../module/palo_alto/log/ingest/pipeline.yml | 316 + .../module/palo_alto/log/manifest.yml | 30 + .../palo_alto/log/test/pan_inc_other.log | 34 + .../log/test/pan_inc_other.log-expected.json | 73 + .../palo_alto/log/test/pan_inc_threat.log | 100 + .../log/test/pan_inc_threat.log-expected.json | 6185 +++++++++++++++ .../palo_alto/log/test/pan_inc_traffic.log | 100 + .../test/pan_inc_traffic.log-expected.json | 6935 +++++++++++++++++ .../module/palo_alto/log/test/threat.log | 76 + .../log/test/threat.log-expected.json | 4728 +++++++++++ .../module/palo_alto/log/test/traffic.log | 100 + .../log/test/traffic.log-expected.json | 6864 ++++++++++++++++ x-pack/filebeat/module/palo_alto/module.yml | 3 + 25 files changed, 26294 insertions(+) create mode 100644 x-pack/filebeat/module/palo_alto/README.md create mode 100644 x-pack/filebeat/module/palo_alto/_meta/config.yml create mode 100644 x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/palo_alto/_meta/fields.yml create mode 100644 x-pack/filebeat/module/palo_alto/fields.go create mode 100644 x-pack/filebeat/module/palo_alto/log/_meta/fields.yml create mode 100644 x-pack/filebeat/module/palo_alto/log/config/input.yml create mode 100644 x-pack/filebeat/module/palo_alto/log/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/palo_alto/log/manifest.yml 
create mode 100644 x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log create mode 100644 x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json create mode 100644 x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log create mode 100644 x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json create mode 100644 x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log create mode 100644 x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json create mode 100644 x-pack/filebeat/module/palo_alto/log/test/threat.log create mode 100644 x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json create mode 100644 x-pack/filebeat/module/palo_alto/log/test/traffic.log create mode 100644 x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json create mode 100644 x-pack/filebeat/module/palo_alto/module.yml diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4dec4b62bbe0..fb2be810c8d6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -174,6 +174,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Filebeat envoyproxy module. {pull}11700[11700] - Add apache2(httpd) log path (`/var/log/httpd`) to make apache2 module work out of the box on Redhat-family OSes. {issue}11887[11887] {pull}11888[11888] - Add support to new MongoDB additional diagnostic information {pull}11952[11952] +- New module `palo_alto` for Palo Alto Networks PAN-OS logs. {pull}11999[11999] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 7638265ce1a4..e79845cfd8d2 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -40,6 +40,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
@@ -11822,6 +11823,240 @@ Unix timestamp of the event, in seconds since the epoch. Used for computing the String representation of the collection time, as formatted by osquery. +-- + +[[exported-fields-palo_alto]] +== palo_alto fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +== palo_alto fields + +Fields from the palo_alto logs. + + + +*`palo_alto.ruleset`*:: ++ +-- +type: keyword + +Name of the rule that matched this session. + + +-- + +[float] +== source fields + +Fields to extend the top-level source object. + + + +*`palo_alto.source.zone`*:: ++ +-- +type: keyword + +Source zone for this session. + + +-- + +*`palo_alto.source.interface`*:: ++ +-- +type: keyword + +Source interface for this session. + + +-- + +[float] +== nat fields + +Post-NAT source address, if source NAT is performed. + + + +*`palo_alto.source.nat.ip`*:: ++ +-- +type: ip + +Post-NAT source IP. + + +-- + +*`palo_alto.source.nat.port`*:: ++ +-- +type: long + +Post-NAT source port. + + +-- + +[float] +== destination fields + +Fields to extend the top-level destination object. + + + +*`palo_alto.destination.zone`*:: ++ +-- +type: keyword + +Destination zone for this session. + + +-- + +*`palo_alto.destination.interface`*:: ++ +-- +type: keyword + +Destination interface for this session. + + +-- + +[float] +== nat fields + +Post-NAT destination address, if destination NAT is performed. + + + +*`palo_alto.destination.nat.ip`*:: ++ +-- +type: ip + +Post-NAT destination IP. + + +-- + +*`palo_alto.destination.nat.port`*:: ++ +-- +type: long + +Post-NAT destination port. + + +-- + +[float] +== network fields + +Fields to extend the top-level network object. + + + +*`palo_alto.network.pcap_id`*:: ++ +-- +type: keyword + +Packet capture ID for a threat. + + +-- + + +*`palo_alto.network.nat.community_id`*:: ++ +-- +type: keyword + +Community ID flow-hash for the NAT 5-tuple. + + +-- + +[float] +== file fields + +Fields to extend the top-level file object. 
+ + + +*`palo_alto.file.hash`*:: ++ +-- +type: keyword + +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +-- + +[float] +== url fields + +Fields to extend the top-level url object. + + + +*`palo_alto.url.category`*:: ++ +-- +type: keyword + +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +-- + +*`palo_alto.flow_id`*:: ++ +-- +type: keyword + +Internal numeric identifier for each session. + + +-- + +*`palo_alto.sequence_number`*:: ++ +-- +type: long + +Log entry identifier that is incremented sequentially. Unique for each log type. + + +-- + +*`palo_alto.threat_file_or_url`*:: ++ +-- +type: keyword + +URL or file name for a threat. + + +-- + +*`palo_alto.threat_id`*:: ++ +-- +type: keyword + +Palo Alto Networks identifier for the threat. + + -- [[exported-fields-postgresql]] diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 7fce59f66418..470f06d5a2bf 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -22,6 +22,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -53,6 +54,7 @@ include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] include::modules/nginx.asciidoc[] include::modules/osquery.asciidoc[] +include::modules/palo_alto.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e5eb54cac2f6..36b8e91a44d5 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -403,6 +403,18 @@ filebeat.modules: # of the document. The default is true. #var.use_namespace: true +#------------------------------ Palo_alto Module ------------------------------ +- module: palo_alto + log: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------ PostgreSQL Module ------------------------------ #- module: postgresql # Logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index be8a433b9e33..3eac6f892142 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -14,6 +14,7 @@ import ( _ "github.com/elastic/beats/x-pack/filebeat/module/envoyproxy" _ "github.com/elastic/beats/x-pack/filebeat/module/iptables" _ "github.com/elastic/beats/x-pack/filebeat/module/netflow" + _ "github.com/elastic/beats/x-pack/filebeat/module/palo_alto" _ "github.com/elastic/beats/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/x-pack/filebeat/module/zeek" ) diff --git a/x-pack/filebeat/module/palo_alto/README.md b/x-pack/filebeat/module/palo_alto/README.md new file mode 100644 index 000000000000..2c3910538265 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/README.md @@ -0,0 +1,6 @@ +# Palo Alto module + +## Caveats + +* Module is to be considered _beta_. + diff --git a/x-pack/filebeat/module/palo_alto/_meta/config.yml b/x-pack/filebeat/module/palo_alto/_meta/config.yml new file mode 100644 index 000000000000..92bd528253de --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/_meta/config.yml @@ -0,0 +1,10 @@ +- module: palo_alto + log: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: 
diff --git a/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc new file mode 100644 index 000000000000..b8f8c89adf7d --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc 
@@ -0,0 +1,175 @@ +[role="xpack"] + +:modulename: palo_alto +:has-dashboards: true + +== Palo Alto Networks module + +This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received +over Syslog or read from a file. It currently supports messages of Traffic and +Threat types. + +[float] +=== Compatibility + +This module has been tested with logs generated by devices running PAN-OS +versions 7.1 to 9.0 but limited compatibility is expected for earlier versions. + +The {plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugin is required to run this module. + +include::../include/running-modules.asciidoc[] + +[float] +=== ECS field mappings + +These are the PAN-OS to ECS field mappings as well as those fields still not +in ECS that are added under the `palo_alto` prefix: + +.Traffic log mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Bytes | 
network.bytes | +| Bytes Sent | client.bytes destination.bytes | +| Bytes Received | server.bytes source.bytes | +| Packets | network.packets | +| Start Time | event.start | +| Elapsed Time | event.duration | +| Category | | palo_alto.url.category +| Sequence Number | | palo_alto.sequence_number +| Packets Sent | server.packets destination.packets | +| Packets Received | client.packets source.packets | +| Device Name | observer.hostname | +|============== + +.Threat logs mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Miscellaneous | url.original | palo_alto.threat_file_or_url +| Threat ID | | palo_alto.threat_id +| Category | | palo_alto.url.category +| Severity | log.level | +| Direction | network.direction | +| Source Location | source.geo.country_iso_code | +| Destination Location | destination.geo.country_iso_code | +| PCAP_id | | palo_alto.network.pcap_id +| 
Filedigest | | palo_alto.file.hash +| User Agent | user_agent.original | +| File Type | file.type | +| X-Forwarded-For | network.forwarded_ip | +| Referer | http.request.referer | +| Sender | source.user.email | +| Subject | | palo_alto.subject +| Recipient | destination.user.email | +| Device Name | observer.hostname | +|============== + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +(TODO) +[role="screenshot"] +image::./images/kibana-cisco-asa.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read logs from a file. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: palo_alto + log: + enabled: true + var.paths: ["/var/log/pan-os.log"] + var.input: "file" +----- + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +Example config: + +[source,yaml] +---- + log: + var.syslog_host: 0.0.0.0 + var.syslog_port: 514 +---- + +include::../include/var-paths.asciidoc[] + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to `9001` + +NOTE: Ports below 1024 require {beatname_uc} to run as root. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: diff --git a/x-pack/filebeat/module/palo_alto/_meta/fields.yml b/x-pack/filebeat/module/palo_alto/_meta/fields.yml new file mode 100644 index 000000000000..c02e9c69aa11 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: palo_alto + title: palo_alto + description: > + Module for Palo Alto Networks (PAN-OS) + fields: + - name: palo_alto + type: group + description: > + Fields from the palo_alto logs. + fields: 
diff --git a/x-pack/filebeat/module/palo_alto/fields.go b/x-pack/filebeat/module/palo_alto/fields.go new file mode 100644 index 000000000000..2f9e0af13e24 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package palo_alto + +import ( + "github.com/elastic/beats/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "palo_alto", asset.ModuleFieldsPri, AssetPaloAlto); err != nil { + panic(err) + } +} + +// AssetPaloAlto returns asset data. +// This is the base64 encoded gzipped contents of module/palo_alto. +func AssetPaloAlto() string { + return "eJzMl8Fu4zYQhu95irm5BeLcesmhQNpFgABpauw26NGgqZHFhuJoh6O42qdfkJIcxaItx4mB8BYy5Hzzz/yiOYcnbK6hUpaWygpdAIgRi6+nMvSaTSWG3DX8fgEA8BdltUXIiWGhLMGNFYIHlA3xk4dfFjcP87+//XoBkBu0mb+Om+bgVLlzdhjSVHgNa6a66mYSEcO4jYdBzlSCFPhyEFha+6vu/4Yh29EH5tqiRxms9MGfsNkQZ69W9kC040GVCJRHjHAsSKEESiW6wAykMB48em/IXSVAPNWsMcExFOEIik4QIcD/BV0WcYSqucVntF0YoNV/qOXq1d6xSEO+H+RwZ+mQUpOcYXxrYcLRsW/2aTTkME6Qc6XPBbM9/2gip2QPy7h0R5EsyMv84eafvlgqyxi9vwST91Nh1XiokHPiErNdtn3VHOg4Buuxk0uT1GPuu8UYa2t44rFqPYAlt/4YhBDmBSJhuwy9GKfCmWf33iDWJzHglwHR53DhkOgzWXFYu6Efh/Onm3LClgeNeZQv9mSScuikRydc+h6eSbu69vfE2a3axTnBppVW1dKMO/+dvlgo/YQCWlVSM8Ldl+gJBVIwqrRm8A5jTDeqprKsnZEmlex0wkclHcaffZyYs6XNvFC+6L4I7UX421zqyuLBxsmNPf+PqxDkhJYJCb29I/4wTnEDWzX6XmgpPDoJnCsE5ZRtfmCqBqsmZvCvsdmt4bCLn43G8UchXcyEzjXbs8tcsz1BZa0E18TNRzvzNnZiVP7x6324FWTmI/Hj1/tt1NR3Nuzspb+MO56RM6MFyMU/YyWVy8D4xHY0UiDDrFTWaEO1n13CbM2q2SjG2SUQw2yFzqzd7LA1LG12TXziE+gu3NhOWXB1iWw0mAydmNwgxx5FpYvxHZ56DeH3Gp3GpavLFXKCbXT7HAS7pzWgE26GRPF9ZjwYpxlLdIJZF1iMsnZUs0dnvtf4koildYQ5mEnbGstQyiXxMu2PNwsdWou4bZAQZ/o22OH5mHonHvo7FY/O7ah+BgAA//8eOSmJ" +} 
diff --git a/x-pack/filebeat/module/palo_alto/log/_meta/fields.yml b/x-pack/filebeat/module/palo_alto/log/_meta/fields.yml new file mode 100644 index 000000000000..25ef9773007a --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/_meta/fields.yml 
@@ -0,0 +1,119 @@ + - name: ruleset + type: keyword + description: > + Name of the rule that matched this session. + - name: source + type: group + description: > + Fields to extend the top-level source object. + fields: + - name: zone + type: keyword + description: > + Source zone for this session. + - name: interface + type: keyword + description: > + Source interface for this session. + - name: nat + type: group + description: > + Post-NAT source address, if source NAT is performed. + fields: + - name: ip + type: ip + description: > + Post-NAT source IP. + - name: port + type: long + description: > + Post-NAT source port. + + - name: destination + type: group + description: > + Fields to extend the top-level destination object. + fields: + - name: zone + type: keyword + description: > + Destination zone for this session. + - name: interface + type: keyword + description: > + Destination interface for this session. + - name: nat + type: group + description: > + Post-NAT destination address, if destination NAT is performed. + fields: + - name: ip + type: ip + description: > + Post-NAT destination IP. + - name: port + type: long + description: > + Post-NAT destination port. + + - name: network + type: group + description: > + Fields to extend the top-level network object. + fields: + - name: pcap_id + type: keyword + description: > + Packet capture ID for a threat. + + - name: nat + type: group + fields: + - name: community_id + type: keyword + description: > + Community ID flow-hash for the NAT 5-tuple. + + - name: file + type: group + description: > + Fields to extend the top-level file object. + fields: + - name: hash + description: > + Binary hash for a threat file sent to be analyzed + by the WildFire service. + type: keyword + + - name: url + type: group + description: > + Fields to extend the top-level url object. + fields: + - name: category + type: keyword + description: > + For threat URLs, it's the URL category. 
+ For WildFire, the verdict on the file and is + either 'malicious', 'grayware', or 'benign'. + + - name: flow_id + type: keyword + description: > + Internal numeric identifier for each session. + + - name: sequence_number + type: long + description: > + Log entry identifier that is incremented sequentially. + Unique for each log type. + + - name: threat_file_or_url + type: keyword + description: > + URL or file name for a threat. + + - name: threat_id + type: keyword + description: > + Palo Alto Networks identifier for the threat. diff --git a/x-pack/filebeat/module/palo_alto/log/config/input.yml b/x-pack/filebeat/module/palo_alto/log/config/input.yml new file mode 100644 index 000000000000..cc96002f1d68 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/config/input.yml 
@@ -0,0 +1,156 @@ +{{ if eq .input "syslog" }} + +type: syslog +protocol.udp: + host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags}} + +processors: +{{ if .convert_timezone }} + - add_locale: ~ +{{ end }} + + - decode_csv_fields: + fields: + message: csv + + - extract_array: + field: csv + overwrite_keys: true + mappings: + event.created: 1 + observer.serial_number: 2 + _temp_.message_type: 3 + _temp_.message_subtype: 4 + _temp_.generated_time: 6 + + - extract_array: + when: + equals: + _temp_.message_type: TRAFFIC + field: csv + overwrite_keys: true + omit_empty: true + fail_on_error: false + mappings: + client.ip: 7 + source.ip: 7 + server.ip: 8 + destination.ip: 8 + palo_alto.source.nat.ip: 9 + palo_alto.destination.nat.ip: 10 + palo_alto.ruleset: 11 + client.user.name: 12 + source.user.name: 12 + server.user.name: 13 + destination.user.name: 13 + network.application: 14 + palo_alto.source.zone: 16 + palo_alto.destination.zone: 17 + palo_alto.source.interface: 18 + palo_alto.destination.interface: 19 + palo_alto.flow_id: 22 + client.port: 24 + source.port: 24 + destination.port: 25 + server.port: 25 + palo_alto.source.nat.port: 26 + palo_alto.destination.nat.port: 27 + _temp_.labels: 28 + network.transport: 29 + event.outcome: 30 + network.bytes: 31 + client.bytes: 32 + destination.bytes: 32 + server.bytes: 33 + source.bytes: 33 + network.packets: 34 + event.start: 35 + event.duration: 36 + palo_alto.url.category: 37 + palo_alto.sequence_number: 39 + server.packets: 44 + destination.packets: 44 + client.packets: 45 + source.packets: 45 + observer.hostname: 52 + + - extract_array: + when: + equals: + _temp_.message_type: THREAT + field: csv + omit_empty: true + overwrite_keys: true + fail_on_error: false + mappings: + client.ip: 7 + source.ip: 7 + server.ip: 8 + destination.ip: 8 + palo_alto.source.nat.ip: 
9 + palo_alto.destination.nat.ip: 10 + palo_alto.ruleset: 11 + client.user.name: 12 + source.user.name: 12 + server.user.name: 13 + destination.user.name: 13 + network.application: 14 + palo_alto.source.zone: 16 + palo_alto.destination.zone: 17 + palo_alto.source.interface: 18 + palo_alto.destination.interface: 19 + palo_alto.flow_id: 22 + client.port: 24 + source.port: 24 + destination.port: 25 + server.port: 25 + palo_alto.source.nat.port: 26 + palo_alto.destination.nat.port: 27 + _temp_.labels: 28 + network.transport: 29 + event.outcome: 30 + palo_alto.threat_file_or_url: 31 + url.original: 31 + palo_alto.threat_id: 32 + palo_alto.url.category: 33 + log.level: 34 + _temp_.direction: 35 + source.geo.country_iso_code: 38 + destination.geo.country_iso_code: 39 + palo_alto.network.pcap_id: 42 + palo_alto.file.hash: 43 + user_agent.original: 46 + file.type: 47 + network.forwarded_ip: 48 + http.request.referer: 49 + source.user.email: 50 + palo_alto.subject: 51 + destination.user.email: 52 + observer.hostname: 59 + + - drop_fields: + fields: + - csv + + - community_id: ~ + + - community_id: + target: palo_alto.network.nat.community_id + fields: + source_ip: palo_alto.source.nat.ip + source_port: palo_alto.source.nat.port + destination_ip: palo_alto.destination.nat.ip + destination_port: palo_alto.destination.nat.port diff --git a/x-pack/filebeat/module/palo_alto/log/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/log/ingest/pipeline.yml new file mode 100644 index 000000000000..7ffa96225800 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/ingest/pipeline.yml 
@@ -0,0 +1,316 @@ +description: "Pipeline for Palo Alto PAN-OS Logs" +processors: + +# keep message as log.original. + - rename: + field: message + target_field: log.original + +# Set @timestamp to the time when the entry was generated at the data plane. + - date: + field: "_temp_.generated_time" + ignore_failure: true + {< if .convert_timezone >} + timezone: "{{ event.timezone }}" + {< end >} + formats: + - "yyyy/MM/dd HH:mm:ss" + +# event.created is the time the event was received at the management plane. + - date: + field: "event.created" + target_field: "event.created" + ignore_failure: true + {< if .convert_timezone >} + timezone: "{{ event.timezone }}" + {< end >} + formats: + - "yyyy/MM/dd HH:mm:ss" + +# event.start (traffic only) is the time the session started. + - date: + field: "event.start" + target_field: "event.start" + ignore_failure: true + {< if .convert_timezone >} + timezone: "{{ event.timezone }}" + {< end >} + formats: + - "yyyy/MM/dd HH:mm:ss" + +# convert integer fields as the output of the CSV processor is always a string. 
+ - convert: { type: long, ignore_missing: true, field: client.bytes } + - convert: { type: long, ignore_missing: true, field: client.packets } + - convert: { type: long, ignore_missing: true, field: client.port } + - convert: { type: long, ignore_missing: true, field: server.bytes } + - convert: { type: long, ignore_missing: true, field: server.packets } + - convert: { type: long, ignore_missing: true, field: server.port } + - convert: { type: long, ignore_missing: true, field: source.bytes } + - convert: { type: long, ignore_missing: true, field: source.packets } + - convert: { type: long, ignore_missing: true, field: source.port } + - convert: { type: long, ignore_missing: true, field: destination.bytes } + - convert: { type: long, ignore_missing: true, field: destination.packets } + - convert: { type: long, ignore_missing: true, field: destination.port } + - convert: { type: long, ignore_missing: true, field: network.bytes } + - convert: { type: long, ignore_missing: true, field: network.packets } + - convert: { type: long, ignore_missing: true, field: event.duration } + - convert: { type: long, ignore_missing: true, field: _temp_.labels } + - convert: { type: long, ignore_missing: true, field: palo_alto.sequence_number } + - convert: { type: long, ignore_missing: true, field: palo_alto.source.nat.port } + - convert: { type: long, ignore_missing: true, field: palo_alto.destination.nat.port } + +# Remove PCAP ID when zero (no packet capture). + - remove: + if: 'ctx?.palo_alto?.network?.pcap_id == "0"' + field: + - palo_alto.network.pcap_id + +# Extract 'flags' bitfield into labels. 
+ - script: + lang: painless + if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' + params: + pcap_included: 0x80000000 + ipv6_session: 0x02000000 + ssl_decrypted: 0x01000000 + url_filter_denied: 0x00800000 + nat_translated: 0x00400000 + captive_portal: 0x00200000 + x_forwarded_for: 0x00080000 + http_proxy: 0x00040000 + container_page: 0x00008000 + temporary_match: 0x00002000 + symmetric_return: 0x00000800 + source: > + def labels = ctx?.labels; + if (labels == null) { + labels = new HashMap(); + ctx['labels'] = labels; + } + long value = ctx._temp_.labels; + for (entry in params.entrySet()) { + if ((value & entry.getValue()) != 0) { + labels[entry.getKey()] = true; + } + } + +# normalize event.duration and determine event.end. + - script: + lang: painless + if: 'ctx?.event?.duration != null' + params: + NANOS_IN_A_SECOND: 1000000000 + source: > + long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; + ctx['event']['duration'] = nanos; + def start = ctx.event?.start; + if (start != null) { + ctx.event['end'] = ZonedDateTime.ofInstant( + Instant.parse(start).plusNanos(nanos), ZoneOffset.UTC); + } + +# Set network.direction using src/dst zone (traffic logs). 
+ - set: + field: network.direction + value: inbound + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "untrust" && ctx?.palo_alto?.destination?.zone == "trust"' + - set: + field: network.direction + value: outbound + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "trust" && ctx?.palo_alto?.destination?.zone == "untrust"' + - set: + field: network.direction + value: internal + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "trust" && ctx?.palo_alto?.destination?.zone == "trust"' + - set: + field: network.direction + value: external + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "untrust" && ctx?.palo_alto?.destination?.zone == "untrust"' + - set: + field: network.direction + value: unknown + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.palo_alto?.source?.zone != "trust" && ctx?.palo_alto?.source?.zone != "untrust") || (ctx?.palo_alto?.destination?.zone != "trust" && ctx?.palo_alto?.destination?.zone != "untrust"))' + +# Set network.direction from threat direction (Threat logs). + - set: + field: network.direction + value: inbound + if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' + + - set: + field: network.direction + value: outbound + if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' + + - set: + field: network.direction + value: unknown + if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null' + +# Set event.category depending on log type. + - set: + field: event.category + value: network_traffic + if: 'ctx?._temp_?.message_type == "TRAFFIC"' + - set: + field: event.category + value: security_threat + if: 'ctx?._temp_?.message_type == "THREAT"' + + - drop: + if: 'ctx?.event?.category == null' + +# event.action for traffic logs. 
+ - set: + field: event.action + value: flow_started + if: 'ctx?._temp_?.message_subtype == "start"' + - set: + field: event.action + value: flow_terminated + if: 'ctx?._temp_?.message_subtype == "end"' + - set: + field: event.action + value: flow_dropped + if: 'ctx?._temp_?.message_subtype == "drop"' + - set: + field: event.action + value: flow_denied + if: 'ctx?._temp_?.message_subtype == "deny"' + +# event.action for threat logs. + - set: + field: event.action + value: data_match + if: 'ctx?._temp_?.message_subtype == "data"' + - set: + field: event.action + value: file_match + if: 'ctx?._temp_?.message_subtype == "file"' + - set: + field: event.action + value: flood_detected + if: 'ctx?._temp_?.message_subtype == "flood"' + - set: + field: event.action + value: packet_attack + if: 'ctx?._temp_?.message_subtype == "packet"' + - set: + field: event.action + value: scan_detected + if: 'ctx?._temp_?.message_subtype == "scan"' + - set: + field: event.action + value: spyware_detected + if: 'ctx?._temp_?.message_subtype == "spyware"' + - set: + field: event.action + value: url_filtering + if: 'ctx?._temp_?.message_subtype == "url"' + - set: + field: event.action + value: virus_detected + if: 'ctx?._temp_?.message_subtype == "virus"' + - set: + field: event.action + value: exploit_detected + if: 'ctx?._temp_?.message_subtype == "vulnerability"' + - set: + field: event.action + value: wildfire_veredict + if: 'ctx?._temp_?.message_subtype == "wildfire"' + - set: + field: event.action + value: wildfire_virus_detected + if: 'ctx?._temp_?.message_subtype == "wildfire-virus"' + + +# Set numeric log.level from event.severity. 
+ - set: + field: "event.severity" + if: 'ctx.log.level == "critical"' + value: 1 + - set: + field: "event.severity" + if: 'ctx.log.level == "high"' + value: 2 + - set: + field: "event.severity" + if: 'ctx.log.level == "medium"' + value: 3 + - set: + field: "event.severity" + if: 'ctx.log.level == "low"' + value: 4 + - set: + field: "event.severity" + if: 'ctx.log.level == "informational"' + value: 5 + +# Normalize event.outcome. +# These values appear in the TRAFFIC docs but look like a mistake. + - set: + field: event.outcome + value: 'drop-icmp' + if: 'ctx?.event?.outcome == "drop icmp" || ctx?.event?.outcome == "drop ICMP"' + - set: + field: event.outcome + value: 'reset-both' + if: 'ctx?.event?.outcome == "reset both"' + - set: + field: event.outcome + value: 'reset-client' + if: 'ctx?.event?.outcome == "reset client"' + - set: + field: event.outcome + value: 'reset-server' + if: 'ctx?.event?.outcome == "reset server"' + +# Build related.ip array from src/dest/NAT IPs. + - append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' + - append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' + - append: + if: 'ctx?.palo_alto?.source?.nat?.ip != null' + field: related.ip + value: + - '{{palo_alto.source.nat.ip}}' + - append: + if: 'ctx?.palo_alto?.destination?.nat?.ip != null' + field: related.ip + value: + - '{{palo_alto.destination.nat.ip}}' + +# Geolocation for source. + - geoip: + if: 'ctx?.source?.ip != null' + field: source.ip + target_field: source.geo + +# Geolocation for destination. + - geoip: + if: 'ctx?.destination?.ip != null' + field: destination.ip + target_field: destination.geo + +# Remove temporary fields. + - remove: + field: + - _temp_ + ignore_missing: true + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" + - remove: + field: + - _temp_ + ignore_missing: true 
diff --git a/x-pack/filebeat/module/palo_alto/log/manifest.yml b/x-pack/filebeat/module/palo_alto/log/manifest.yml new file mode 100644 index 000000000000..cdcc1ffec7bd --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/manifest.yml @@ -0,0 +1,30 @@ +module_version: "1.0" + +var: + - name: paths + default: + - /var/log/iptables.log + - name: tags + default: [pan-os] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9001 + - name: input + default: syslog + - name: convert_timezone + default: false + # if ES < 6.1.0, this flag switches to false automatically when evaluating the + # pipeline + min_elasticsearch_version: + version: 6.1.0 + value: false + - name: community_id + default: true + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log new file mode 100644 index 000000000000..421c6f796a6c --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log 
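Review bot: the default for `paths` is `/var/log/iptables.log`, which looks copied from the iptables module and has nothing to do with PAN-OS. With `input` defaulting to `syslog` the path only matters when a user switches to the log input, but anyone who does so will silently tail the wrong file; point the default at a plausible PAN-OS location or an obviously placeholder name, and mention in the docs that the syslog listener on `localhost:9001` is the intended path. The `convert_timezone` variable carries a `min_elasticsearch_version` fallback comment but nothing in this manifest says which processor consumes it, so a one-line comment naming where the value is used would help the next maintainer.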
@@ -0,0 +1,34 @@ +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,CONFIG,0,0,2012/02/25 00:51:50,192.168.0.2,,set,admin,Web,Succeeded, config shared local-user-database user badguy,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:22,192.168.0.2,,set,admin,Web,Succeeded, config mgt-config users badguy,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:40,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:53:53,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:53:56,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:54:16,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,ras,0,2012/02/25 00:54:16,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:17,192.168.0.2,,edit,badguy,Web,Succeeded, vsys vsys1 profiles url-filtering monzyspolicy,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:36,192.168.0.2,,commit,badguy,Web,Submitted,,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:57:49,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:57:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 
23:59:07,1606001116,SYSTEM,routing,0,2012/02/25 00:58:12,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,vpn,0,2012/02/25 00:58:12,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,ras,0,2012/02/25 00:58:12,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,1,2012/02/25 00:58:14,,unknown,,0,0,general,informational,Config installed,909,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,0,2012/02/25 00:59:36,,general,,0,0,general,informational,Log type config cleared by user badguy ,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,general,1,2012/04/10 03:11:57,,unknown,,0,0,general,informational,Config installed,884,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:11:56,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,vpn,0,2012/04/10 03:11:56,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,routing,0,2012/04/10 03:11:56,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:06:11,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/10 03:06:00,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 
23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,general,1,2012/04/09 09:02:53,,unknown,,0,0,general,informational,Config installed,840,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:02:52,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:02:52,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/09 09:02:52,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:00:55,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:00:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:35,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0 +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20,192.168.0.2,,edit,admin,Web,Succeeded, vsys vsys1 profiles data-objects PII,0,0x0 +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0 +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Oct 30 09:46:17 1,2012/10/30 
09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json new file mode 100644 index 000000000000..bbf67e36628e --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json 
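Review bot: of the 34 lines in this fixture only the final TRAFFIC line appears in `pan_inc_other.log-expected.json`; the 33 CONFIG and SYSTEM lines produce no event at all. If dropping types other than TRAFFIC and THREAT is intentional, say so in the module docs and cover it with an explicit expectation; if it is not, those lines are being lost silently rather than surfacing with `error.message`. Either way, keeping at least one CONFIG and one SYSTEM line in the expected output (even as an unparsed event) would catch a regression in the type filter. The fixture also includes both serial number spellings, `1606001116` and `01606001116`, but since only the TRAFFIC line survives, only the zero-padded form is actually checked.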
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59309, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5853, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25149", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + 
"palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59309, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log new file mode 100644 index 000000000000..b493a709848f --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log 
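Review bot: `related.ip` for this event contains `0.0.0.0` twice, because the `append` processors add `palo_alto.source.nat.ip` and `palo_alto.destination.nat.ip` whenever they are non-null and PAN-OS emits `0.0.0.0` when no NAT was applied. A `0.0.0.0` entry is noise for pivoting and matches nothing useful; condition the two NAT appends on the value not being `0.0.0.0`, or drop the NAT fields when they are zero before the appends run. Two smaller points in the same record: `palo_alto.flow_id` is emitted as the string `"25149"` while `palo_alto.sequence_number` is the number `0`, so the types should be aligned with what `fields.yml` declares; and the `destination.geo.*` values (`Charlotte`, `35.2344`, `-80.9091`) tie this golden file to one GeoIP database, which tends to break module tests whenever the bundled ingest-geoip data is refreshed.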
@@ -0,0 +1,100 @@ +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 
04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0, +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 
04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 
09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:47 1,2012/10/30 
09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0, +Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:51:33 1,2012/10/30 
09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0, +Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0, +Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 
04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 
23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:12 1,2013/03/25 
23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 
1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json new file mode 100644 index 000000000000..39a758fc5ca2 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json 
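Review bot: the location columns in this fixture carry an address-object name rather than a country whenever the endpoint is private, e.g. "192.168.0.0-192.168.255.255,United States" on the client-to-server lines and "United States,192.168.0.0-192.168.255.255" on the server-to-client ones, so the pipeline needs an explicit branch for that value before treating the column as a country code; a short comment in the fixture or the module docs saying this case is covered on purpose would help the next reader. Two smaller fixture observations: the serial-number column appears both as "1606001116" and "01606001116", which is useful coverage for observer.serial_number but should be deliberate, and the "basdzsdas.com/poker/config.bin" entry at "Mar 25 23:58:52" is byte-identical on two consecutive lines, so the expected file has to carry the duplicate as a separate event with its own log.offset.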
@@ -0,0 +1,6185 @@ +[ + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.ip": "192.168.0.2", + "client.port": 59309, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 0, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25149", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": 
"lorexx.cn/loader.exe", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59309, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lorexx.cn/loader.exe" + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.ip": "192.168.0.2", + "client.port": 59313, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 403, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", + "network.direction": "inbound", + "network.transport": 
"tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26067", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "lsiu.info/evo/count.php?o=2", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59313, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/count.php?o=2" + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.ip": "192.168.0.2", + "client.port": 59314, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 813, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 
04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26522", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "lsiu.info/evo/count.php?o=5", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59314, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/count.php?o=5" + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.ip": "192.168.0.2", + "client.port": 59315, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + 
"destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 1223, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25112", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "lsiu.info/evo/count.php?o=7", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59315, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/count.php?o=7" + }, + 
{ + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.ip": "192.168.0.2", + "client.port": 59316, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 1633, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25179", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + 
"palo_alto.threat_file_or_url": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59316, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122" + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.ip": "192.168.0.2", + "client.port": 59317, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 2076, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + 
"network.application": "web-browsing", + "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25848", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59317, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122" + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.ip": "192.168.0.2", + "client.port": 59302, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + 
"input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 2519, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24910", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "liteautobestguide.cn/load.php", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59302, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "liteautobestguide.cn/load.php" + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.ip": "192.168.0.2", + "client.port": 59301, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 2931, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26862", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "liteautobestguide.cn/index.php", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + 
"server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59301, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "liteautobestguide.cn/index.php" + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.ip": "192.168.0.2", + "client.port": 59303, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 3344, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + 
"palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "22860", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "litetopdetect.cn/index.php", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59303, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "litetopdetect.cn/index.php" + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.ip": "192.168.0.2", + "client.port": 59304, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 3753, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26360", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59304, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513" + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.ip": "192.168.0.2", + "client.port": 59297, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": 
"204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 4217, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25543", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "girlteenxxxfreemov.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59297, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "girlteenxxxfreemov.com/" 
+ }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.ip": "192.168.0.2", + "client.port": 59299, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 4623, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25437", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": 
"imagesrepository.com/resolution.php", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59299, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "imagesrepository.com/resolution.php" + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.ip": "192.168.0.2", + "client.port": 59298, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 5041, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", + 
"network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26338", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "hottestfiles.com/search/search.php?q=xxx", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59298, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "hottestfiles.com/search/search.php?q=xxx" + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.ip": "192.168.0.2", + "client.port": 59300, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 5466, + "log.original": "Oct 30 09:46:22 
1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11¶meter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25713", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "infodist1.com/in.cgi?11¶meter=404", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59300, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "infodist1.com/in.cgi?11¶meter=404" + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 59295, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + 
"destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 5882, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25451", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "cls-softwares.com/suc.php", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59295, + "source.user.name": 
"crusher", + "tags": [ + "pan-os" + ], + "url.original": "cls-softwares.com/suc.php" + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 59291, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 6290, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26414", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + 
"palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "cls-softwares.com/softwarefortubeview.40013.exe", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59291, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "cls-softwares.com/softwarefortubeview.40013.exe" + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.ip": "192.168.0.2", + "client.port": 59296, + "client.user.name": "crusher", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "78.159.99.224", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 6720, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", + "network.application": "web-browsing", + "network.community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=", + "network.direction": "inbound", + "network.transport": "tcp", + 
"observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26927", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "findmorepill.com/klik/search.php?q=xxx", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "online-gambling", + "related.ip": [ + "192.168.0.2", + "78.159.99.224", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "78.159.99.224", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59296, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "findmorepill.com/klik/search.php?q=xxx" + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.ip": "192.168.0.2", + "client.port": 59280, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 7132, + "log.original": "Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26127", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "allowedwebsurfing.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59280, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "allowedwebsurfing.com/" + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.ip": "192.168.0.2", + "client.port": 59281, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + 
"destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 7537, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25306", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "antivirus-remote.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59281, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": 
"antivirus-remote.com/" + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.ip": "192.168.0.2", + "client.port": 59282, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 7941, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24561", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + 
"palo_alto.threat_file_or_url": "bklinkov.ru/hi/start.cfg", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59282, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bklinkov.ru/hi/start.cfg" + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.ip": "192.168.0.2", + "client.port": 59290, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 8348, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + 
"network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "15099", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "blogsexnakedgirlxxx.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59290, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "blogsexnakedgirlxxx.com/" + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.ip": "192.168.0.2", + "client.port": 59286, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 8755, + "log.original": "Oct 30 09:46:32 
1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24955", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "bklinkov.ru/hi/start.exe", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59286, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bklinkov.ru/hi/start.exe" + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.ip": "192.168.0.2", + "client.port": 59275, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North 
Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 9162, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25398", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59275, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + 
"@timestamp": "2012-04-10T04:39:47.000Z", + "client.ip": "192.168.0.2", + "client.port": 59277, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 9555, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25945", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": 
"(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59277, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.ip": "192.168.0.2", + "client.port": 59276, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 9948, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "27111", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59276, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.ip": "192.168.0.2", + "client.port": 59278, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 10341, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 
04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25871", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59278, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.ip": "192.168.0.2", + "client.port": 59279, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + 
"event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 10734, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26251", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59279, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:45.000Z", + "client.ip": "192.168.0.2", + "client.port": 59271, + 
"client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 11127, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24816", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + 
"204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59271, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:45.000Z", + "client.ip": "192.168.0.2", + "client.port": 59269, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 11520, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + 
"palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25062", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59269, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:45.000Z", + "client.ip": "192.168.0.2", + "client.port": 59270, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 11913, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26266", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59270, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.ip": "192.168.0.2", + "client.port": 59274, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": 
"alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 12306, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23898", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59274, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.ip": "192.168.0.2", + "client.port": 59273, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": 
"US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 12699, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25259", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": 
"192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59273, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.ip": "192.168.0.2", + "client.port": 59272, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 13092, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26466", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", 
+ "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "-/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59272, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:43.000Z", + "client.ip": "192.168.0.2", + "client.port": 59261, + "client.user.name": "crusher", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "69.43.161.167", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 13485, + "log.original": "Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "4086", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "wantfinest.com/tds/in.cgi?default", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "unknown", + "related.ip": [ + "192.168.0.2", + "69.43.161.167", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "69.43.161.167", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59261, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "wantfinest.com/tds/in.cgi?default" + }, + { + "@timestamp": "2012-04-10T04:39:38.000Z", + "client.ip": "192.168.0.2", + "client.port": 59248, + "client.user.name": "crusher", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "KR", + "destination.geo.location.lat": 37.5112, + "destination.geo.location.lon": 126.97409999999999, + "destination.ip": "202.31.187.154", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 13889, + "log.original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", + "network.application": "web-browsing", + "network.community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26534", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "sameshitasiteverwas.com/traf/tds/in.cgi?2", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "202.31.187.154", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "202.31.187.154", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59248, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "sameshitasiteverwas.com/traf/tds/in.cgi?2" + }, + { + "@timestamp": "2012-04-10T04:39:39.000Z", + "client.ip": "192.168.0.2", + "client.port": 59251, + "client.user.name": "crusher", + "destination.geo.city_name": "Moscow", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7522, + "destination.geo.location.lon": 37.6156, + "destination.geo.region_iso_code": "RU-MOW", + "destination.geo.region_name": "Moscow", + "destination.ip": "89.111.176.67", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + 
"event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 14313, + "log.original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26965", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "svarkon.ru/update.exe", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "89.111.176.67", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "89.111.176.67", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59251, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "svarkon.ru/update.exe" + }, + { + "@timestamp": "2012-04-10T04:39:36.000Z", + "client.ip": "192.168.0.2", + "client.port": 59244, + "client.user.name": "crusher", + "destination.geo.city_name": 
"Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 14717, + "log.original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26076", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "onlinescanxpp.com/land/eurl/1.php?code=", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + 
"0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59244, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "onlinescanxpp.com/land/eurl/1.php?code=" + }, + { + "@timestamp": "2012-04-10T04:39:34.000Z", + "client.ip": "192.168.0.2", + "client.port": 59237, + "client.user.name": "crusher", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 15135, + "log.original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + 
"palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26198", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59237, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6" + }, + { + "@timestamp": "2012-04-10T04:39:35.000Z", + "client.ip": "192.168.0.2", + "client.port": 59238, + "client.user.name": "crusher", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 15712, + "log.original": "Oct 30 09:47:17 1,2012/10/30 
09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26056", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "nolagtime.com/gwc.txt", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59238, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "nolagtime.com/gwc.txt" + }, + { + "@timestamp": "2012-04-10T04:38:19.000Z", + "client.ip": "192.168.0.2", + "client.port": 59010, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": 
"204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 16111, + "log.original": "Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25465", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "karavan.us/bon/index.php", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "unknown", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59010, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "karavan.us/bon/index.php" + }, + { + "@timestamp": 
"2012-04-10T04:38:14.000Z", + "client.ip": "192.168.0.2", + "client.port": 58969, + "client.user.name": "crusher", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 16508, + "log.original": "Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24316", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "findnolimits.com/go.php?sid=1", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "dead-sites", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": 
"208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58969, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "findnolimits.com/go.php?sid=1" + }, + { + "@timestamp": "2012-04-10T04:38:12.000Z", + "client.ip": "192.168.0.2", + "client.port": 58941, + "client.user.name": "crusher", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "89.108.64.156", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 16912, + "log.original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "17258", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": 
"0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "bizoplata.ru/moun.html", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "parked-domains", + "related.ip": [ + "192.168.0.2", + "89.108.64.156", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "89.108.64.156", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58941, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bizoplata.ru/moun.html" + }, + { + "@timestamp": "2012-04-10T04:38:12.000Z", + "client.ip": "192.168.0.2", + "client.port": 58942, + "client.user.name": "crusher", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "89.108.64.156", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 17318, + "log.original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24735", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "bizoplata.ru/palast.html", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "parked-domains", + "related.ip": [ + "192.168.0.2", + "89.108.64.156", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "89.108.64.156", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58942, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bizoplata.ru/palast.html" + }, + { + "@timestamp": "2012-04-10T04:37:28.000Z", + "client.ip": "204.232.231.46", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 58849, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "spyware_detected", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "drop-all-packets", + "event.severity": 1, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "critical", + "log.offset": 17726, + "log.original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United 
States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "23497", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "controller.php", + "palo_alto.threat_id": "Bredolab.Gen Command and Control Traffic(13024)", + "palo_alto.url.category": "any", + "related.ip": [ + "204.232.231.46", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 58849, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.city_name": "Charlotte", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 35.2344, + "source.geo.location.lon": -80.9091, + "source.geo.region_iso_code": "US-NC", + "source.geo.region_name": "North Carolina", + "source.ip": "204.232.231.46", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "controller.php" + }, + { + "@timestamp": "2012-04-10T04:37:32.000Z", + "client.ip": "192.168.0.2", + "client.port": 58856, + "client.user.name": "crusher", + "destination.geo.city_name": "Tecumseh", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 42.2946, + "destination.geo.location.lon": -82.8667, + "destination.geo.region_iso_code": "CA-ON", + "destination.geo.region_name": "Ontario", + "destination.ip": "216.8.179.25", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": 
"url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 18156, + "log.original": "Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", + "network.application": "web-browsing", + "network.community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23711", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "www.15min.it/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "216.8.179.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "216.8.179.25", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58856, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "www.15min.it/" + }, + { + "@timestamp": "2012-04-10T04:37:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58847, + "client.user.name": "crusher", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "69.43.161.154", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 18539, + "log.original": "Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23659", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "tubemov.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "adult-and-pornography", + "related.ip": [ + "192.168.0.2", + "69.43.161.154", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "69.43.161.154", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", 
+ "source.ip": "192.168.0.2", + "source.port": 58847, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "tubemov.com/" + }, + { + "@timestamp": "2012-04-10T04:37:25.000Z", + "client.ip": "192.168.0.2", + "client.port": 58841, + "client.user.name": "crusher", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "VG", + "destination.geo.location.lat": 18.5, + "destination.geo.location.lon": -64.5, + "destination.ip": "208.91.196.252", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 18937, + "log.original": "Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", + "network.application": "web-browsing", + "network.community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23782", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": 
"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "208.91.196.252", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.91.196.252", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58841, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js" + }, + { + "@timestamp": "2012-04-10T04:37:05.000Z", + "client.ip": "192.168.0.2", + "client.port": 58795, + "client.user.name": "crusher", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 19373, + "log.original": "Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23239", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "movfree.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "spyware-and-adware", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58795, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "movfree.com/" + }, + { + "@timestamp": "2012-04-10T04:36:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 58753, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 19768, + "log.original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "22479", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "gometascan.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58753, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "gometascan.com/" + }, + { + "@timestamp": "2012-04-10T04:36:39.000Z", + "client.ip": "192.168.0.2", + "client.port": 58708, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", 
+ "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 20162, + "log.original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21458", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58708, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe" + }, + { + "@timestamp": "2012-04-10T04:36:38.000Z", + "client.ip": "192.168.0.2", + "client.port": 58707, + "client.user.name": 
"crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 20599, + "log.original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21577", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": 
"malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58707, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N" + }, + { + "@timestamp": "2012-04-10T04:36:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58603, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 21043, + "log.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21487", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58603, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "basdzsdas.com/poker/config.bin" + }, + { + "@timestamp": "2012-04-10T04:36:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58603, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 21451, + "log.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 
04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21487", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58603, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "basdzsdas.com/poker/config.bin" + }, + { + "@timestamp": "2012-04-10T04:19:59.000Z", + "client.ip": "173.236.179.57", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 54431, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + 
"fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 21859, + "log.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "64856", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "uLLGRaXP.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "173.236.179.57", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 54431, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.city_name": "Brea", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 33.9269, + "source.geo.location.lon": -117.8612, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "173.236.179.57", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "uLLGRaXP.exe" + }, + { + "@timestamp": "2012-04-10T04:36:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58603, + 
"client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 22250, + "log.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21487", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", 
+ "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58603, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "basdzsdas.com/poker/config.bin" + }, + { + "@timestamp": "2012-04-10T04:51:29.000Z", + "client.ip": "91.209.163.202", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61220, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 22658, + "log.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "37983", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + 
"palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "FunkyEmoticons_setup.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "91.209.163.202", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61220, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.country_iso_code": "European Union", + "source.ip": "91.209.163.202", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "FunkyEmoticons_setup.exe" + }, + { + "@timestamp": "2012-04-10T04:54:33.000Z", + "client.ip": "122.226.169.183", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61726, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 23063, + "log.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + 
"palo_alto.flow_id": "41989", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "52hxw.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "122.226.169.183", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61726, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 30.2936, + "source.geo.location.lon": 120.1614, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "122.226.169.183", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "52hxw.exe" + }, + { + "@timestamp": "2012-04-10T05:01:00.000Z", + "client.ip": "192.168.0.2", + "client.port": 63007, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 23445, + "log.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 
05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "49238", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "softsellfast.com/test/config.bin", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 63007, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "softsellfast.com/test/config.bin" + }, + { + "@timestamp": "2012-04-10T04:45:17.000Z", + "client.ip": "109.201.131.15", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60212, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + 
"fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 23856, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "21592", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "setup.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "109.201.131.15", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60212, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "109.201.131.15", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "setup.exe" + }, + { + "@timestamp": "2012-04-10T04:46:16.000Z", + "client.ip": "91.209.163.202", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60392, + 
"destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 24243, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "33760", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "Live-Player_setup.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "91.209.163.202", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60392, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.country_iso_code": "European Union", + "source.ip": "91.209.163.202", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "Live-Player_setup.exe" + }, + { + "@timestamp": "2012-04-10T04:42:39.000Z", + 
"client.ip": "192.168.0.2", + "client.port": 59709, + "client.user.name": "crusher", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "213.180.199.61", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 24645, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28723", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "boialex.narod.ru/config.txt", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "213.180.199.61", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "213.180.199.61", + 
"server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59709, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "boialex.narod.ru/config.txt" + }, + { + "@timestamp": "2012-04-10T04:42:42.000Z", + "client.ip": "192.168.0.2", + "client.port": 59721, + "client.user.name": "crusher", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "213.180.199.61", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 25056, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28932", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + 
"palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "edw-melon.narod.ru/config.txt", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "213.180.199.61", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "213.180.199.61", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59721, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "edw-melon.narod.ru/config.txt" + }, + { + "@timestamp": "2012-04-10T04:42:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 59752, + "client.user.name": "crusher", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "213.180.199.61", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 25469, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28953", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "maximtushin.narod.ru/config.txt", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "213.180.199.61", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "213.180.199.61", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "maximtushin.narod.ru/config.txt" + }, + { + "@timestamp": "2012-04-10T04:19:59.000Z", + "client.ip": "173.236.179.57", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 54431, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 25884, + "log.original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + 
"network.application": "web-browsing", + "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "64856", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "uLLGRaXP.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "173.236.179.57", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 54431, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.geo.city_name": "Brea", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 33.9269, + "source.geo.location.lon": -117.8612, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "173.236.179.57", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "uLLGRaXP.exe" + }, + { + "@timestamp": "2012-04-10T04:09:01.000Z", + "client.ip": "192.168.0.2", + "client.port": 63183, + "client.user.name": "crusher", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": 
"palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 26276, + "log.original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "55402", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "marketingsoluchion.biz/fkn/config.bin", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "unknown", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 63183, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "marketingsoluchion.biz/fkn/config.bin" + }, + { + "@timestamp": "2012-04-09T08:18:27.000Z", + "client.ip": "192.168.0.6", + "client.port": 1047, + "client.user.name": "jordy", + 
"destination.geo.city_name": "Hong Kong", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.location.lat": 22.2833, + "destination.geo.location.lon": 114.15, + "destination.geo.region_iso_code": "HK-HCW", + "destination.geo.region_name": "Central and Western District", + "destination.ip": "207.46.140.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 26686, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25217", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "default.aspx", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.6", + "207.46.140.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "207.46.140.46", + 
"server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.6", + "source.port": 1047, + "source.user.name": "jordy", + "tags": [ + "pan-os" + ], + "url.original": "default.aspx" + }, + { + "@timestamp": "2012-04-09T08:18:29.000Z", + "client.ip": "65.54.161.34", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1039, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 27064, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "25653", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "sck.aspx", + "palo_alto.threat_id": "PII(60000)", + 
"palo_alto.url.category": "any", + "related.ip": [ + "65.54.161.34", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1039, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.city_name": "Redmond", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.6801, + "source.geo.location.lon": -122.1206, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "65.54.161.34", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "sck.aspx" + }, + { + "@timestamp": "2012-04-09T08:18:32.000Z", + "client.ip": "65.55.5.231", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1064, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 27437, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + 
"palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "25717", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "ADSAdClient31.dll", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "65.55.5.231", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1064, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.city_name": "Redmond", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.6801, + "source.geo.location.lon": -122.1206, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "65.55.5.231", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "ADSAdClient31.dll" + }, + { + "@timestamp": "2012-04-09T08:18:33.000Z", + "client.ip": "192.168.0.6", + "client.port": 1048, + "client.user.name": "jordy", + "destination.geo.city_name": "Los Angeles", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.0544, + "destination.geo.location.lon": -118.244, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "65.54.71.11", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 27818, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25290", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "c.gif", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.6", + "65.54.71.11", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "65.54.71.11", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.6", + "source.port": 1048, + "source.user.name": "jordy", + "tags": [ + "pan-os" + ], + "url.original": "c.gif" + }, + { + "@timestamp": "2012-04-09T08:18:37.000Z", + "client.ip": "74.125.239.17", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1071, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + 
"log.offset": 28187, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "25932", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "csi", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.239.17", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1071, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.17", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "csi" + }, + { + "@timestamp": "2012-04-09T08:50:12.000Z", + "client.ip": "192.168.0.2", + "client.port": 57502, + "client.user.name": "picard", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.85.40.48", + "destination.port": 80, + 
"ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 28556, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "pandora", + "network.community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28264", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "internal-tuner.pandora.com", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "208.85.40.48", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.85.40.48", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 57502, + "source.user.name": "picard", + "tags": [ + "pan-os" + ], + "url.original": "internal-tuner.pandora.com" + }, + { + "@timestamp": "2012-04-09T08:58:18.000Z", + "client.ip": "74.125.224.198", + "client.port": 80, 
+ "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 57876, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 28944, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "29312", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.198", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 57876, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + 
"source.geo.location.lon": -97.822, + "source.ip": "74.125.224.198", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T08:22:27.000Z", + "client.ip": "188.190.124.75", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1082, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 29319, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "26747", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "about.exe", + "palo_alto.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.url.category": "any", + "related.ip": [ + "188.190.124.75", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + 
"server.ip": "192.168.0.6", + "server.port": 1082, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.country_iso_code": "Ukraine", + "source.ip": "188.190.124.75", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "about.exe" + }, + { + "@timestamp": "2012-04-09T07:11:43.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 50986, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 29699, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "19205", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + 
"palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 50986, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:14:02.000Z", + "client.ip": "74.125.239.3", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 51716, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 30074, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "19360", + "palo_alto.ruleset": "rule1", + 
"palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.239.3", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 51716, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.3", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:14:39.000Z", + "client.ip": "74.125.239.3", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 52119, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 30447, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "19696", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.239.3", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 52119, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.3", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:16:03.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 52411, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 30820, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United 
States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "19679", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 52411, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:18:14.000Z", + "client.ip": "192.168.0.2", + "client.port": 52366, + "client.user.name": "picard", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.239.6", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 31195, + "log.original": "Mar 25 23:59:37 
1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "google-analytics", + "network.community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "19448", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "__utm.gif", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "74.125.239.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "74.125.239.6", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 52366, + "source.user.name": "picard", + "tags": [ + "pan-os" + ], + "url.original": "__utm.gif" + }, + { + "@timestamp": "2012-04-09T07:25:04.000Z", + "client.ip": "74.125.224.193", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 53026, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + 
"input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 31575, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "20422", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.193", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 53026, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.193", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:36:04.000Z", + "client.ip": "74.125.239.20", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 53809, + "destination.user.name": "picard", + "ecs.version": "1.0.0", 
+ "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 31950, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "21267", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "nav_logo107.png", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.239.20", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 53809, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.20", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "nav_logo107.png" + }, + { + "@timestamp": "2012-04-09T08:08:08.000Z", 
+ "client.ip": "208.80.154.225", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 55912, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 32333, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "24567", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "Eadweard_Muybridge", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "208.80.154.225", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 55912, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "208.80.154.225", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "Eadweard_Muybridge" + }, + { + "@timestamp": "2012-04-09T08:08:44.000Z", + "client.ip": "208.80.154.234", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 55916, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 32720, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "24646", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "load.php", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + 
"related.ip": [ + "208.80.154.234", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 55916, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "208.80.154.234", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "load.php" + }, + { + "@timestamp": "2012-04-09T08:16:57.000Z", + "client.ip": "65.54.75.25", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1046, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 33097, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "25874", + "palo_alto.ruleset": "rule1", + 
"palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "8fe44cb728c0f40750c64ee906eb72.css", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "65.54.75.25", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1046, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.city_name": "Los Angeles", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 34.0544, + "source.geo.location.lon": -118.244, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "65.54.75.25", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "8fe44cb728c0f40750c64ee906eb72.css" + }, + { + "@timestamp": "2012-04-09T04:06:41.000Z", + "client.ip": "74.125.224.206", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61734, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 33500, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + 
"network.community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "2175", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.206", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61734, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.206", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T04:12:52.000Z", + "client.ip": "74.125.224.195", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 62292, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 33873, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "3046", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.195", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 62292, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.195", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:07:49.000Z", + "client.ip": "207.178.96.34", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 64669, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": 
"log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 34246, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "rss", + "network.community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "1560", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "appcast.xml", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "207.178.96.34", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 64669, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.city_name": "Wichita", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.6875, + "source.geo.location.lon": -97.338, + "source.geo.region_iso_code": "US-KS", + "source.geo.region_name": "Kansas", + "source.ip": "207.178.96.34", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "appcast.xml" + }, + { + "@timestamp": "2012-04-09T06:48:44.000Z", + "client.ip": "74.125.224.195", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", 
+ "destination.ip": "192.168.0.2", + "destination.port": 65265, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 34614, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "16852", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.195", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 65265, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.195", + "source.port": 80, + 
"tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:48:59.000Z", + "client.ip": "74.125.239.20", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 64979, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 34989, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "15948", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "csi", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.239.20", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 64979, + "server.user.name": "picard", + "service.type": "palo_alto", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.20", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "csi" + }, + { + "@timestamp": "2012-04-09T06:50:14.000Z", + "client.ip": "66.152.109.24", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 49432, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 35360, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "17028", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "index.php", + "palo_alto.threat_id": "PII(60000)", + 
"palo_alto.url.category": "any", + "related.ip": [ + "66.152.109.24", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 49432, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "66.152.109.24", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "index.php" + }, + { + "@timestamp": "2012-04-09T06:51:34.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 49722, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 35737, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "15878", + "palo_alto.ruleset": "rule1", + 
"palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 49722, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:53:41.000Z", + "client.ip": "192.168.0.2", + "client.port": 49681, + "client.user.name": "picard", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.224.201", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 36112, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "google-analytics", + "network.community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=", + 
"network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "16602", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "__utm.gif", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "74.125.224.201", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "74.125.224.201", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 49681, + "source.user.name": "picard", + "tags": [ + "pan-os" + ], + "url.original": "__utm.gif" + }, + { + "@timestamp": "2012-04-09T06:54:35.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 50108, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 36494, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United 
States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "17433", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 50108, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:54:55.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 50387, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 36869, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "17104", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 50387, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:44:49.000Z", + "client.ip": "192.168.0.2", + "client.port": 59781, + "client.user.name": "jordy", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.85.40.48", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": 
"palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 37244, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "pandora", + "network.community_id": "1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "63706", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "internal-tuner.pandora.com", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "208.85.40.48", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.85.40.48", + "server.port": 80, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59781, + "source.user.name": "jordy", + "tags": [ + "pan-os" + ], + "url.original": "internal-tuner.pandora.com" + }, + { + "@timestamp": "2012-04-09T03:45:45.000Z", + "client.ip": "74.125.224.201", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + 
"destination.port": 60005, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 37631, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "65257", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.201", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60005, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.201", + "source.port": 80, + "tags": [ + "pan-os" + ], + 
"url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:49:17.000Z", + "client.ip": "74.125.224.201", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60443, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 38005, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "537", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.201", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60443, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": 
"North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.201", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:53:41.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60822, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 38377, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "914", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": 
[ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60822, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:55:23.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61105, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 38749, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "1475", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61105, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:55:52.000Z", + "client.ip": "74.125.224.198", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60782, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 39122, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-analytics", + "network.community_id": "1:uH37XIov0Sgv5kARW8dP9vrOs7w=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "883", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "ga.js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.198", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60782, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.198", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "ga.js" + }, + { + "@timestamp": "2012-04-09T04:03:55.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61470, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 39497, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", 
+ "network.community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "1965", + "palo_alto.ruleset": "rule1", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "untrust", + "palo_alto.threat_file_or_url": "js", + "palo_alto.threat_id": "PII(60000)", + "palo_alto.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61470, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log new file mode 100644 index 000000000000..70d2804a7127 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log 
@@ -0,0 +1,100 @@ +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 
09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:27 1,2012/10/30 
09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 +Oct 30 09:46:37 
1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json new file mode 100644 index 000000000000..abb2a5a4419e --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json 
@@ -0,0 +1,6935 @@ +[ + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59324, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:59.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:59.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 0, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:MaqerLAYuvMg6JWjWKmIMO6QJ6s=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "11449", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + 
"palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59324, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 54448, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 364, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:rmRctS0ZS56Ixay3V5beNERhPNc=", + "network.direction": "outbound", + "network.packets": 
1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25572", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 54448, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 53121, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 717, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:NmeRH4O3xNBaUjzIOpdGXeAJ/sg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26208", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 53121, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59323, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + 
"ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 1070, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:ej/0QPUwuraByxuNxWsOp2ouPuE=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "14931", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59323, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + 
"client.packets": 0, + "client.port": 59322, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 1434, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:XHKuVPA6enGOr0Qng8AJtYTgWAQ=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25544", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": 
"trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59322, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 74, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55766, + "client.user.name": "crusher", + "destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 1798, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 74, + "network.community_id": "1:bkpOCSg/r3P7zn1eVdfrSSHQMn0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25308", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55766, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 74, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55072, + "client.user.name": "crusher", + "destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 2151, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 
04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 74, + "network.community_id": "1:f08UBDqcNW5jC3R+i40XfD1g8l8=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26376", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55072, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59207, + "client.user.name": "crusher", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": 
"2012-04-10T04:39:28.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:27.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 2504, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:kGyE7FdnFLrk4Cc6NHaD5WeE81A=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25118", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59207, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59209, + "client.user.name": "crusher", + "destination.bytes": 549, + 
"destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:28.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:28.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 2889, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:pxN/AvFcFozLjRgniFdZmScORYQ=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26146", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + 
"192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59209, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59208, + "client.user.name": "crusher", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:28.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:27.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 3274, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:HmuQtYxq+NpgJ0zVEIpz7zLNOKM=", + "network.direction": "outbound", + "network.packets": 10, 
+ "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25272", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59208, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59318, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 3659, + "log.original": "Oct 30 
09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:I7NZAEypUvCTVa5iVWyAsWeEWgY=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24069", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59318, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59317, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + 
"destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:57.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 4023, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25848", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59317, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + 
"@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59316, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:57.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 4387, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25179", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59316, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59315, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:57.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 4751, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 
78, + "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25112", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59315, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59206, + "client.user.name": "crusher", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:27.000Z", + "fileset.name": 
"log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5115, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:SIxV4kkvJlBljF+gLKAaihputgk=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26161", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59206, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59205, + "client.user.name": "crusher", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5500, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:rpU2pqp4ioYKgiuDEfjZitnLkow=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26000", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + 
"server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59205, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 1359, + "client.ip": "192.168.0.2", + "client.packets": 3, + "client.port": 56858, + "client.user.name": "crusher", + "destination.bytes": 1359, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 18, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 512000000000, + "event.end": "2012-04-10T04:38:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:29:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5885, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "network.application": "web-browsing", + "network.bytes": 1910, + "network.community_id": "1:JuKJfhPs1pDZMiwy04nz1EsD7PA=", + "network.direction": "outbound", + "network.packets": 21, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": 
"ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "65184", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 551, + "server.ip": "204.232.231.46", + "server.packets": 18, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 551, + "source.ip": "192.168.0.2", + "source.packets": 3, + "source.port": 56858, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59314, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 6267, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26522", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59314, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59313, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + 
"destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 6631, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26067", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59313, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 69, + 
"client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52139, + "client.user.name": "crusher", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 6995, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:vFErz1cKNExckY21peQ3YAc8Tmk=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26573", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + 
"server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52139, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60592, + "client.user.name": "crusher", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 7348, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:i4rdWjY94ZjxNIBve+QH3YwdL04=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": 
"26894", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60592, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59309, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 7701, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 
04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25149", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59309, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 66, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 57322, + "client.user.name": "crusher", + "destination.bytes": 66, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "log", + 
"input.type": "log", + "labels.captive_portal": true, + "log.offset": 8065, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 164, + "network.community_id": "1:GjCL7PEzM4X3r7frQ42mW+tNEIQ=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25258", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 98, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 98, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 57322, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59204, + "client.user.name": "crusher", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + 
"destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 8418, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:2+g5+FYJDJku+1Cl3ZbhVCYdAog=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25025", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + 
"source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59204, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59203, + "client.user.name": "crusher", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 8803, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:+ENVPObTW4uBLTLg/Gs7oB3/t0E=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + 
"palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26138", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59203, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59305, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 9188, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:TPp8b1ubMhxmeJWRt0DCagjd7jA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "27175", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59305, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 64005, + "client.user.name": "crusher", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 9552, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:9xSXx0HsnsbhZkZ6kFjNeIn1Aw8=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26261", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 64005, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 58768, + "client.user.name": "crusher", + "destination.bytes": 69, + "destination.geo.continent_name": 
"North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 9905, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:Ukie7FwgRVUkTl4/hKbkxseBqj0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25022", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + 
"source.packets": 0, + "source.port": 58768, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 504, + "client.ip": "192.168.0.2", + "client.packets": 8, + "client.port": 47752, + "client.user.name": "crusher", + "destination.bytes": 504, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "98.149.55.63", + "destination.packets": 8, + "destination.port": 13069, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 125000000000, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:37:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 10258, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", + "network.application": "skype", + "network.bytes": 1008, + "network.community_id": "1:7+CQvC/DGk2fhUdWzglWwYXYMZE=", + "network.direction": "outbound", + "network.packets": 16, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24027", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "98.149.55.63", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 504, + "server.ip": "98.149.55.63", + "server.packets": 8, + "server.port": 13069, + "service.type": "palo_alto", + "source.bytes": 504, + "source.ip": "192.168.0.2", + "source.packets": 8, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59304, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 10624, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + 
"network.bytes": 78, + "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26360", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59304, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 71, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 54533, + "client.user.name": "crusher", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 10988, + "log.original": "Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 71, + "network.community_id": "1:x/kpg5sNW5nn7RkabTWPIKsvO58=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26394", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 54533, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 837, + "client.ip": "192.168.0.2", + "client.packets": 10, + "client.port": 59201, + "client.user.name": "crusher", + "destination.bytes": 837, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 10, + 
"destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 11341, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", + "network.application": "web-browsing", + "network.bytes": 9967, + "network.community_id": "1:GL6UBrkzpi/gQHrUyqxHb1jJeUU=", + "network.direction": "outbound", + "network.packets": 20, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24917", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9130, + "server.ip": "212.48.10.58", + "server.packets": 10, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 9130, + "source.ip": "192.168.0.2", + "source.packets": 10, + "source.port": 59201, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2012-04-10T04:39:54.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59303, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 11713, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "22860", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59303, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 50876, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 12077, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:TuGe54F1FJdU+mNdTf97Ced2UmI=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + 
"observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "14146", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 50876, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 57657, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 12430, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:1yn57zVSr0UsUwbuL7XvzIWMbpM=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25876", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 57657, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59302, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + 
"ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 12783, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24910", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59302, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + 
"client.packets": 0, + "client.port": 59301, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 13147, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26862", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": 
"trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59301, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 64844, + "client.user.name": "crusher", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 13511, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:SxifLhXvL8EiCuMvSbDcRARZyRw=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26222", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 64844, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52257, + "client.user.name": "crusher", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 13864, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 
04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:QYDqyZAUrBKpnIVn+epBn1ew/so=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26329", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52257, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 95, + "client.ip": "192.168.0.100", + "client.packets": 1, + "client.port": 38796, + "destination.bytes": 95, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14217, + 
"log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 206, + "network.community_id": "1:shHCpyazCigToSNjn/e4N7P4biU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25142", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.100", + "8.8.8.8", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 111, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 111, + "source.ip": "192.168.0.100", + "source.packets": 1, + "source.port": 38796, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 597, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59200, + "client.user.name": "crusher", + "destination.bytes": 597, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + 
"destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 14556, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1503, + "network.community_id": "1:cDqhuLJdpDu0NsYQNFC3GAMS3GQ=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25095", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "entertainment-and-arts", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 906, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 906, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59200, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { 
+ "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 804, + "client.ip": "192.168.0.100", + "client.packets": 7, + "client.port": 48412, + "destination.bytes": 804, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.102.116", + "destination.packets": 10, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14933, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", + "network.application": "paloalto-wildfire-cloud", + "network.bytes": 5817, + "network.community_id": "1:uf1iUYRFFiUYttG2AFf4pcXOdjw=", + "network.direction": "outbound", + "network.packets": 17, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24787", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-security", + "related.ip": [ + "192.168.0.100", + "50.19.102.116", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 5013, + "server.ip": "50.19.102.116", + "server.packets": 10, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 5013, + "source.ip": "192.168.0.100", + "source.packets": 7, + "source.port": 48412, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 187, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 47752, + "client.user.name": "crusher", + "destination.bytes": 187, + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7163, + "destination.geo.location.lon": -78.1704, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "65.55.223.19", + "destination.packets": 1, + "destination.port": 40026, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 15331, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "skype-probe", + 
"network.bytes": 286, + "network.community_id": "1:XF4dVSWPB46mtqr78f9EFUDEn6I=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25948", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "65.55.223.19", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 99, + "server.ip": "65.55.223.19", + "server.packets": 1, + "server.port": 40026, + "service.type": "palo_alto", + "source.bytes": 99, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 47752, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7163, + "destination.geo.location.lon": -78.1704, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "65.55.223.24", + "destination.packets": 1, + "destination.port": 40029, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + 
"fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 15696, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "skype-probe", + "network.bytes": 978, + "network.community_id": "1:HEEGx0vjlpNA8Pw0s6pBr2v0rpo=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25444", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "65.55.223.24", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 902, + "server.ip": "65.55.223.24", + "server.packets": 1, + "server.port": 40029, + "service.type": "palo_alto", + "source.bytes": 902, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 86, + "client.ip": "192.168.0.100", + "client.packets": 1, + "client.port": 52189, + "destination.bytes": 86, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + 
"destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "log", + "input.type": "log", + "log.offset": 16061, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 227, + "network.community_id": "1:1CvVfwyezBZcR2u+VcrEzfuQK9s=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25349", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.100", + "8.8.8.8", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 141, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 141, + "source.ip": "192.168.0.100", + "source.packets": 1, + "source.port": 52189, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59300, + 
"client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 16400, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25713", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + 
"related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59300, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 73, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 54414, + "client.user.name": "crusher", + "destination.bytes": 73, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 16764, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 73, + "network.community_id": "1:K6PPTb7ohj/4wQV86uCrgAF1mcY=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + 
"palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26499", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 54414, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59299, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 17117, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25437", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59299, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60399, + "client.user.name": "crusher", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 17481, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:BKNHj3e0QZpWJwLNiG4yqJnbrxk=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24848", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60399, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 166, + "client.ip": "192.168.0.2", + "client.packets": 2, + "client.port": 59626, + "client.user.name": "crusher", + "destination.bytes": 166, + "destination.geo.continent_name": 
"North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:22.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 17834, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2", + "network.application": "dns", + "network.bytes": 482, + "network.community_id": "1:RQ3lmwvSayYq24fFbjpDDqDG+Dg=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24924", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 316, + "server.ip": "205.171.2.25", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 316, + "source.ip": 
"192.168.0.2", + "source.packets": 2, + "source.port": 59626, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 75, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 51542, + "client.user.name": "crusher", + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 18189, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 196, + "network.community_id": "1:g5ixoTtR3QVz4le7g1L6PZ67CmU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25899", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": 
"0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 121, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 121, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 51542, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 75, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 54182, + "client.user.name": "crusher", + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 18543, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 244, + "network.community_id": "1:z0genl/l2JGIJaNTqaSLGCLTlo4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": 
"01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26066", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 169, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 169, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 54182, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 594, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59199, + "client.user.name": "crusher", + "destination.bytes": 594, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 18897, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1548, + "network.community_id": "1:cIfWskY1iVpg8gxVVTX1K8A7+MA=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24908", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 954, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 954, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59199, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 1005, + "client.ip": "192.168.0.2", + "client.packets": 10, + "client.port": 59198, + "client.user.name": "crusher", + "destination.bytes": 1005, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 
12, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 2000000000, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 19272, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", + "network.application": "web-browsing", + "network.bytes": 10135, + "network.community_id": "1:UPWyVvocuULCMUmJlrn6XBha7JE=", + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25105", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9130, + "server.ip": "212.48.10.58", + "server.packets": 12, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 9130, + "source.ip": "192.168.0.2", + "source.packets": 10, + "source.port": 59198, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2012-04-10T04:39:53.000Z", + "client.bytes": 1363, + "client.ip": "192.168.0.2", + "client.packets": 3, + "client.port": 56856, + "client.user.name": "crusher", + "destination.bytes": 1363, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 18, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 512000000000, + "event.end": "2012-04-10T04:38:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:29:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 19646, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "network.application": "web-browsing", + "network.bytes": 1918, + "network.community_id": "1:jFqkUdvAr9S/yeKacw5dlE+0/o0=", + "network.direction": "outbound", + "network.packets": 21, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "11964", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + 
"palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 555, + "server.ip": "204.232.231.46", + "server.packets": 18, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 555, + "source.ip": "192.168.0.2", + "source.packets": 3, + "source.port": 56856, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52489, + "client.user.name": "crusher", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 20028, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:dQTHsEW3omlFoTmdZu1fchcTb9c=", + "network.direction": "outbound", + 
"network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26502", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52489, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59298, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 20381, + "log.original": "Oct 30 
09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26338", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59298, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60185, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", 
+ "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 20745, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:eLVg5C7+4Gz+x6GBj4MlJHk/vyk=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24919", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60185, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 51817, + "client.user.name": "crusher", + 
"destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 21098, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:2v1FAVArMu9Fw0rZTZH/beAYGjs=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26731", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": 
"palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 51817, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 186, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 47752, + "client.user.name": "crusher", + "destination.bytes": 186, + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7163, + "destination.geo.location.lon": -78.1704, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "65.55.223.31", + "destination.packets": 1, + "destination.port": 40043, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 21451, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "skype-probe", + "network.bytes": 186, + "network.community_id": "1:2fa34ze5XsRR97Shg/2DWoWt57c=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + 
"palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26504", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "65.55.223.31", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "65.55.223.31", + "server.packets": 1, + "server.port": 40043, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59297, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 21817, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25543", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59297, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 82, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52537, + "client.user.name": "crusher", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + 
"event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 22181, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 82, + "network.community_id": "1:Uym9anPFBcnC+VaX8dVhkzw/pgg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21948", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52537, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 82, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 53155, + "client.user.name": "crusher", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, 
+ "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 22534, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 82, + "network.community_id": "1:BWJpN5ucpEKzwxBd0yrkows1+X4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26279", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 53155, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2012-04-10T04:39:52.000Z", + "client.bytes": 581, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59197, + "client.user.name": "crusher", + "destination.bytes": 581, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:22.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 22887, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1487, + "network.community_id": "1:k2B753fAG7GMJoQhAbMrDsOfDxA=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24894", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", 
+ "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "entertainment-and-arts", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 906, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 906, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59197, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 88, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 56995, + "client.user.name": "crusher", + "destination.bytes": 88, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:22.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:22.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 23264, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 251, + "network.community_id": "1:PkU1rpfXiwvVRig4MJMcDvEUEas=", + "network.direction": "outbound", + "network.packets": 2, + 
"network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24985", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 163, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 163, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 56995, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59069, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 23618, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:BYZjFq0Mi2hPewpUDaO1jY2UNnA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25380", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59069, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55697, + "client.user.name": "crusher", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + 
"event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 23971, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:l0WoNEsuwN4ml47IyB3IhM2NX6A=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24994", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55697, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59295, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 24324, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25451", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + 
"server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59295, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 578, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59196, + "client.user.name": "crusher", + "destination.bytes": 578, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:21.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 24688, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1500, + "network.community_id": "1:t42FnU6e46qlRX0ij7ufkKPs3Co=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": 
"ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24866", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 922, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 922, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59196, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59291, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 25063, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26414", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59291, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52858, + "client.user.name": "crusher", + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 25427, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 77, + "network.community_id": "1:ZVsgbE2ux52iF80QIxJN36vdI1M=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26131", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52858, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 61383, + "client.user.name": "crusher", + "destination.bytes": 77, + "destination.geo.continent_name": 
"North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 25780, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 77, + "network.community_id": "1:p68po3QtexuC2kor01hJgMDKiPM=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26555", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + 
"source.packets": 0, + "source.port": 61383, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59290, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 26133, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "15099", + 
"palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59290, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 1310, + "client.ip": "192.168.0.2", + "client.packets": 22, + "client.port": 59195, + "client.user.name": "crusher", + "destination.bytes": 1310, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.5.1.1", + "destination.packets": 17, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 26497, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", + "network.application": "web-browsing", + "network.bytes": 28096, + 
"network.community_id": "1:J6pba/4Qby485gtIOBCJnQ0T04E=", + "network.direction": "outbound", + "network.packets": 39, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24980", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "8.5.1.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 26786, + "server.ip": "8.5.1.1", + "server.packets": 17, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 26786, + "source.ip": "192.168.0.2", + "source.packets": 22, + "source.port": 59195, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 83, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 49812, + "client.user.name": "crusher", + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 26873, + "log.original": "Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 83, + "network.community_id": "1:iSTXT01g3/K5eC8sEHIzTaFShsA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26215", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 49812, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 83, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 50185, + "client.user.name": "crusher", + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + 
"event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 27226, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 83, + "network.community_id": "1:3UaggcKnXvkcjpVHqbTU3mCMT5E=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25881", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 50185, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59286, + "client.user.name": "crusher", + "destination.bytes": 78, + 
"destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 27579, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24955", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + 
"0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59286, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 75, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 52531, + "client.user.name": "crusher", + "destination.bytes": 75, + "destination.ip": "192.168.0.1", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 27943, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", + "network.application": "dns", + "network.bytes": 244, + "network.community_id": "1:aqHtUqeIwO72eo1M5ATE45cIze8=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24961", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 169, + "server.ip": "192.168.0.1", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 169, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 52531, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 1033, + "client.ip": "192.168.0.2", + "client.packets": 9, + "client.port": 59194, + "client.user.name": "crusher", + "destination.bytes": 1033, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 12, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 3000000000, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:17.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 28310, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", + "network.application": "web-browsing", + "network.bytes": 
10097, + "network.community_id": "1:ZM81iQMHQAIwuZHdw5tm5lXF25A=", + "network.direction": "outbound", + "network.packets": 21, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24226", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9064, + "server.ip": "212.48.10.58", + "server.packets": 12, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 9064, + "source.ip": "192.168.0.2", + "source.packets": 9, + "source.port": 59194, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 981, + "client.ip": "192.168.0.2", + "client.packets": 10, + "client.port": 59192, + "client.user.name": "crusher", + "destination.bytes": 981, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 12, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 7000000000, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:13.000Z", + "fileset.name": 
"log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 28683, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", + "network.application": "web-browsing", + "network.bytes": 10105, + "network.community_id": "1:yYl3JBOjYyGDcmf0pDc+hxky9gU=", + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25129", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9124, + "server.ip": "212.48.10.58", + "server.packets": 12, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 9124, + "source.ip": "192.168.0.2", + "source.packets": 10, + "source.port": 59192, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 56463, + "client.user.name": "crusher", + "destination.bytes": 77, + "destination.ip": "192.168.0.1", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", 
+ "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 29056, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", + "network.application": "dns", + "network.bytes": 214, + "network.community_id": "1:VW3f2r1OUrbsOCF06MDfY/o+epU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25194", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 137, + "server.ip": "192.168.0.1", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 137, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 56463, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 55849, + "client.user.name": "crusher", + "destination.bytes": 77, + 
"destination.ip": "192.168.0.1", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 29423, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", + "network.application": "dns", + "network.bytes": 170, + "network.community_id": "1:yvOxIP48drmX6OmaQqFTRaGanko=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26257", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 93, + "server.ip": "192.168.0.1", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 93, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 55849, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2012-04-10T04:39:49.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59282, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 29789, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24561", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59282, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 71, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 57846, + "client.user.name": "crusher", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 30153, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 71, + "network.community_id": "1:cWkoifFGPLq+ZcxaNzzYym9H7jI=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + 
"observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26150", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 57846, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 71, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 51008, + "client.user.name": "crusher", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 30506, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 71, + "network.community_id": "1:SicjKSp4oQCovx4rjFSg+IThGYA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25676", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 51008, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59281, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + 
"ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 30859, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25306", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59281, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + 
"client.packets": 0, + "client.port": 55252, + "client.user.name": "crusher", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 31223, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:cp0HVI5MHMB+G4/hIuKGoX1WWac=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26411", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": 
"205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55252, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 176, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 56995, + "client.user.name": "crusher", + "destination.bytes": 176, + "destination.ip": "192.168.0.1", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:18.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 31576, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", + "network.application": "dns", + "network.bytes": 176, + "network.community_id": "1:X6pWtJqspZOnEXaF1nKblB/B3f4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24844", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + 
"palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 56995, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60989, + "client.user.name": "crusher", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 31942, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:bIf8k1Z5+8sNSsr63qo8XknzQDo=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26335", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60989, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59280, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 32295, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26127", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59280, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 81, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 53766, + "client.user.name": "crusher", + "destination.bytes": 81, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 32659, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 81, + "network.community_id": "1:VJaNvIgkNIXRerGHtYQC0HUPZh8=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25488", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 53766, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 81, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 56032, + "client.user.name": "crusher", + "destination.bytes": 81, + "destination.geo.continent_name": 
"North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 33012, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 81, + "network.community_id": "1:fMeKYeqX7mnB812D1vOtHs7BRO4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25269", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + 
"source.packets": 0, + "source.port": 56032, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 581, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59193, + "client.user.name": "crusher", + "destination.bytes": 581, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:18.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:17.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 33365, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1487, + "network.community_id": "1:2482BoM8NEujTrlI4lp2vfAxmus=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + 
"palo_alto.flow_id": "25715", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "entertainment-and-arts", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 906, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 906, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59193, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59279, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 33742, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "26251", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59279, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59278, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 34106, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25871", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59278, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59277, + "client.user.name": "crusher", + "destination.bytes": 78, + 
"destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:47.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:47.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 34470, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25945", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + 
"0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59277, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 166, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60026, + "client.user.name": "crusher", + "destination.bytes": 166, + "destination.ip": "192.168.0.1", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:17.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 34834, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", + "network.application": "dns", + "network.bytes": 166, + "network.community_id": "1:h46cgrbWRw4seDnSlCbWxjLRmqs=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25310", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60026, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 351, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 59276, + "client.user.name": "crusher", + "destination.bytes": 351, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 3, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:47.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:47.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 35200, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "network.application": "web-browsing", + "network.bytes": 
429, + "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "27111", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 78, + "server.ip": "204.232.231.46", + "server.packets": 3, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 78, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 59276, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 351, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 59275, + "client.user.name": "crusher", + "destination.bytes": 351, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 3, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:47.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:47.000Z", + "fileset.name": 
"log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 35567, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "network.application": "web-browsing", + "network.bytes": 429, + "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25398", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 78, + "server.ip": "204.232.231.46", + "server.packets": 3, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 78, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 59275, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59274, + "client.user.name": "crusher", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + 
"destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2012-04-10T04:39:46.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:46.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 35934, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "0.0.0.0", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23898", + "palo_alto.ruleset": "rule1", + "palo_alto.sequence_number": 0, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "0.0.0.0", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": 
"192.168.0.2", + "source.packets": 0, + "source.port": 59274, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/log/test/threat.log b/x-pack/filebeat/module/palo_alto/log/test/threat.log new file mode 100644 index 000000000000..2b6854cf5a5e --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/threat.log 
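Review bot: the traffic expected JSON maps the byte and packet counters onto the ECS endpoint pairs inconsistently, and this fixture would lock that in. For the flow_terminated event with palo_alto.flow_id 25715 (log fields `...,tcp,allow,1487,581,906,13,...` and trailing `...,0,6,7`) the expected output has `client.bytes: 581` but `source.bytes: 906`, and `destination.bytes: 581` but `server.bytes: 906`, so bytes_sent lands on client and destination while bytes_received lands on source and server; the packet counters go the other way (`client.packets: 7` and `source.packets: 7` from pkts_received, `destination.packets: 6` and `server.packets: 6` from pkts_sent). For these outbound flows client/source and server/destination describe the same endpoint, so each pair should carry the same value: bytes_sent and pkts_sent on source/client, bytes_received and pkts_received on destination/server. Fix the mapping in the ingest pipeline and regenerate the expected files rather than keeping the current values. Also worth stating in the docs: for the end events `event.end` is `event.start` plus the elapsed time (04:39:18 to 04:39:19) while `@timestamp` is the generated time (04:39:49), which is fine if intended but is not obvious from the field names.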
@@ -0,0 +1,76 @@ +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,"b.scorecardresearch.com/",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 
16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:53 PA-220 1,2018/11/30 
16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,"cdn.taboola.com/",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,"rules.quantcount.com/",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 
16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 
16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,"www.googleadservices.com/",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 
16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:28 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, diff --git a/x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json b/x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json new file mode 100644 index 000000000000..8f5fab57bc8c --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json 
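Review bot: the threat.log fixture carries what looks like a real device serial (012801096514) and real external addresses (e.g. 23.72.145.245, 54.209.101.70) in every line; since this file ships in a public repository, consider rewriting the serial and public IPs to documentation ranges (TEST-NET or RFC 5737 addresses) before merging, and keep the same edits in the matching expected JSON so the golden test still passes. The visible tail of the fixture is also entirely THREAT,url events with action block-url from one source host, so if the earlier lines do not already cover other subtypes (vulnerability, virus, spyware, file), the pipeline's non-url branches are untested here.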
@@ -0,0 +1,4728 @@ +[ + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52984, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 0, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:mDxnuNGkonQEEYcMT0Dur/FCt/I=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28191", + "palo_alto.network.nat.community_id": "1:qjpdroY6VaRSEUbSXzSWtUX00kc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", 
+ "palo_alto.source.nat.port": 37679, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52984, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52983, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 546, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": 
"1:svoGHRUXQeOT1QlGYhMbEalRiPU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28219", + "palo_alto.network.nat.community_id": "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 28249, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52983, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52986, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 1092, + "log.original": "Nov 30 16:44:36 PA-220 
1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "27723", + "palo_alto.network.nat.community_id": "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 63898, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52986, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52985, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", 
+ "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 1638, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:0KdQcz2+OQg8Kuyqn3tvtzrtAtk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28172", + "palo_alto.network.nat.community_id": "1:RU/nMZByVkBbsckJ18XtpXhQlPg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 7515, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + 
"related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52985, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52987, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 2183, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28151", + "palo_alto.network.nat.community_id": "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 3225, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52987, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52988, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 2728, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:ovf/7i/MclKhY1UKalpHzmmlthk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28076", + "palo_alto.network.nat.community_id": "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 60449, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52988, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52990, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 3274, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:K7vLQF60EynWhcmrB6/wjEG8qzI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28173", + "palo_alto.network.nat.community_id": "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 60559, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + 
"source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52990, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52989, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 3820, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:nMc/XZ2HhyrMMpTfW7UK0Q7QRJM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28186", + "palo_alto.network.nat.community_id": 
"1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 47414, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52989, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52992, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 4366, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28192", + "palo_alto.network.nat.community_id": "1:BilmVEwf9nQIXodvin3X6lZuVAc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 37673, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52992, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52991, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + 
"labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 4912, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "27011", + "palo_alto.network.nat.community_id": "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 8232, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52991, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": 
"2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52994, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 5457, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:3V7ODANn0gD6PFiGWb7LVZcr3TY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28240", + "palo_alto.network.nat.community_id": "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 32982, 
+ "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52994, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52993, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 6003, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:7WQBEq/QCPNFLId7r93vN98nPHQ=", + "network.direction": 
"inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28143", + "palo_alto.network.nat.community_id": "1:nmxmtIja0z/MV5rgbBnScsKtW0U=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 10473, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52993, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52995, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 6549, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:r3rve3ghPTa/BACcRlan0FEgZFw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28272", + "palo_alto.network.nat.community_id": "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 20446, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52995, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52996, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 7095, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:2A2PtRAEa2EIbgp0B+6pQMVyM1o=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28146", + "palo_alto.network.nat.community_id": "1:DqCF4BufQU/spPG8UYok6IrChWo=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 34699, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + 
"related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52996, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52997, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 7641, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:ttgSlbqHs+GKueSexHsquCbfjCk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28278", + "palo_alto.network.nat.community_id": "1:lJHLfl+/x95GohXozN52zokIxvA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 22820, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52997, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 52998, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 8187, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28185", + "palo_alto.network.nat.community_id": "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 41060, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52998, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 52999, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 8733, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:SsYXkesHdCi9Tx1qsjfCIH8mHm4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28201", + "palo_alto.network.nat.community_id": "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 9058, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + 
"source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52999, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 53001, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 9278, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:84WYKtahMlLwf+ZletWf/DNnE30=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28148", + "palo_alto.network.nat.community_id": 
"1:NRiTxPYsIvfOnUXhwuF5KPucNf8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 54846, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53001, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 53002, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 9824, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:X4Zvg9D/bP0EYECRSLna3za4r68=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28121", + "palo_alto.network.nat.community_id": "1:9noBCzeHKSZpuQWETkS7W5mOTT0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 52731, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53002, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:38.000Z", + "client.ip": "192.168.15.224", + "client.port": 53003, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + 
"labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 10370, + "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:greC2ffRfw5diAvjZvd+je5rhrk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28228", + "palo_alto.network.nat.community_id": "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 15165, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53003, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": 
"2018-11-30T16:44:38.000Z", + "client.ip": "192.168.15.224", + "client.port": 53004, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.137.131", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 10916, + "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:EcYXcH6rGmgtHGDCjUQcmM+hR0c=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.137.131", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28196", + "palo_alto.network.nat.community_id": "1:pzcUv98hFdzW07/5bQ15jcEOAAM=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 53918, 
+ "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "b.scorecardresearch.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.137.131", + "192.168.1.63", + "23.72.137.131" + ], + "server.ip": "23.72.137.131", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53004, + "tags": [ + "pan-os" + ], + "url.original": "b.scorecardresearch.com/" + }, + { + "@timestamp": "2018-11-30T16:44:38.000Z", + "client.ip": "192.168.15.224", + "client.port": 53000, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 11463, + "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:OX20k3mW9JzBo4RmzVjTtvOawu4=", + "network.direction": 
"inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28007", + "palo_alto.network.nat.community_id": "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 40792, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53000, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53006, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 12009, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:oWKucHrzLhzCpDmWJPLBELyMrzw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28117", + "palo_alto.network.nat.community_id": "1:WmnET8BZufXJpdVk04PIVGj+Kgk=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 54044, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53006, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53007, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 12555, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:63h3SPrH4/pr2GMJEkpg++zeJMU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28109", + "palo_alto.network.nat.community_id": "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 19544, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + 
"related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53007, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53008, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 13101, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:MpnxD3AYYy43RYm8rBQmgxv2NQ0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28260", + "palo_alto.network.nat.community_id": "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 13462, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53008, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53010, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 13647, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:kibVei9WSdxBMV8iUIg8nZMCiss=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28275", + "palo_alto.network.nat.community_id": "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 44892, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53010, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53011, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 14193, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:l33FK2i+ASkvlnDYQYRCH4evHcI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28266", + "palo_alto.network.nat.community_id": "1:00oN9bToRGtVdpy+GQ742sbkpfI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 16487, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + 
"source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53011, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53012, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 14739, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28294", + "palo_alto.network.nat.community_id": 
"1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 23952, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53012, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53013, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 15285, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28248", + "palo_alto.network.nat.community_id": "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 2810, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53013, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53014, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + 
"labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 15830, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:2dLIQC1NuJw/6kPkSukOc7rN5UE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28274", + "palo_alto.network.nat.community_id": "1:b3MpSidntZseAvCtO89765ETlyI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 13272, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53014, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": 
"2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53022, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 16376, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:39KkS/Y1cEc0OLIWR3+26TPoFhQ=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28285", + "palo_alto.network.nat.community_id": "1:wug3mTERsDOMF1R52vDi6SpWbMc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 8663, + 
"palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53022, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53023, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 16921, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:IFLzwMkLmz8UfCYPFfRgTIBIzSI=", + "network.direction": 
"inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28306", + "palo_alto.network.nat.community_id": "1:ktdKYACJa2q76tdS55sj5QaeMBs=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 55738, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53023, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53024, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 17467, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:spPQtp0F92JeXKXtvGndU6vymNo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28116", + "palo_alto.network.nat.community_id": "1:sWvGFBOOisURcvYe5nB5HUSa6B8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 10650, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53024, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53025, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 18013, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28214", + "palo_alto.network.nat.community_id": "1:LHZawFx+zgZPTd01rJqX/31kNmE=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 44087, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + 
"related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53025, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53026, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 18559, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "152.195.55.192", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28080", + "palo_alto.network.nat.community_id": "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 15915, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53026, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:53.000Z", + "client.ip": "192.168.15.224", + "client.port": 53041, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "151.101.2.2", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 19105, + "log.original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:tQxUFWF1PJh9XS+U53oZgNQELoA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "151.101.2.2", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28318", + "palo_alto.network.nat.community_id": "1:XdO4yHx+1HZM4GcutRTyur9ixdM=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 41165, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "cdn.taboola.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "151.101.2.2", + "192.168.1.63", + "151.101.2.2" + ], + "server.ip": "151.101.2.2", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53041, + "tags": [ + "pan-os" + ], + "url.original": "cdn.taboola.com/" + }, + { + "@timestamp": "2018-11-30T16:44:54.000Z", + "client.ip": "192.168.15.224", + "client.port": 53040, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6103, + "destination.geo.location.lon": -122.3341, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": 
"54.192.7.152", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 19640, + "log.original": "Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:J9ymoylt3wkbcwWFUbTc1FK8W6k=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.192.7.152", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28300", + "palo_alto.network.nat.community_id": "1:kCzU3MoZUMh7VlhTewngoP1twbw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 54133, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "rules.quantcount.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.192.7.152", + "192.168.1.63", + "54.192.7.152" + ], + "server.ip": 
"54.192.7.152", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53040, + "tags": [ + "pan-os" + ], + "url.original": "rules.quantcount.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53093, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 20182, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:DDpR8PTbIvvnd+7Hcre+jZQVtaY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": 
"ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28339", + "palo_alto.network.nat.community_id": "1:fj3W3hxHPqT4snZlcRibDiqLNvs=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 8485, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53093, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53094, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 20739, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 
16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:1dccHKUcnMkeYh68uGS1Jhl6+Hk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28299", + "palo_alto.network.nat.community_id": "1:HLMiinoD9jzLzaYU394wqKksBUE=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 12496, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53094, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53095, + "destination.geo.city_name": "Ashburn", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 21297, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:URFNGbFKOwT3Iaugo33D1mB/ndw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28303", + "palo_alto.network.nat.community_id": "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + 
"palo_alto.source.nat.port": 17029, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53095, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53096, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 21855, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:/KMTfFetIlydTraxch89t5PYve0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28390", + "palo_alto.network.nat.community_id": "1:l6AkSmB92aDAHpLhiSCR28J+ANI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 23696, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53096, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:59.000Z", + "client.ip": "192.168.15.224", + "client.port": 53097, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": 
"palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 22413, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28433", + "palo_alto.network.nat.community_id": "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 34769, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": 
"192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53097, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:59.000Z", + "client.ip": "192.168.15.224", + "client.port": 53099, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 22971, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:dS0Vb9L/suztc58TuCJc5kLrnd4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + 
"palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28380", + "palo_alto.network.nat.community_id": "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 22486, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53099, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:59.000Z", + "client.ip": "192.168.15.224", + "client.port": 53100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 23529, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 
16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:ZWPOx8XRihDI9+WqUDIHe1OyInQ=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28363", + "palo_alto.network.nat.community_id": "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 12894, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53100, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53101, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 24087, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:T7UcACShDtZytIaufQKjiQ8jkhM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28349", + "palo_alto.network.nat.community_id": "1:/GTSxrH684FoBXpyEBepCy2M81Q=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 62348, + "palo_alto.source.zone": "trust", + 
"palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53101, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53104, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 24645, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:v2q2MvHECPCP6FDhZOfU9EhWDmw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28411", + "palo_alto.network.nat.community_id": "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 6224, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53104, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53107, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": 
"palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 25202, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:/FL+10fyEBLqVR4oJrH3NBEx/pg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28397", + "palo_alto.network.nat.community_id": "1:7H4lb05cbTOpCa4pIgruj3M2WrY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 44120, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": 
"192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53107, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53108, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 25760, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + 
"palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28347", + "palo_alto.network.nat.community_id": "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 44228, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53108, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53109, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 26318, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 
16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:Ix3Fldb6W5hQx30Bw7Vd5/lm8hw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.4.120.175", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28443", + "palo_alto.network.nat.community_id": "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 31322, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53109, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:13.000Z", + "client.ip": "192.168.15.224", + "client.port": 53118, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.386, + "destination.geo.location.lon": -122.0838, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.194.98", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 26876, + "log.original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "216.58.194.98", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28439", + "palo_alto.network.nat.community_id": "1:WQC21tSR1QNUhWYgrcbgaLyTkos=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 1672, + "palo_alto.source.zone": "trust", + 
"palo_alto.threat_file_or_url": "www.googleadservices.com/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "216.58.194.98", + "192.168.1.63", + "216.58.194.98" + ], + "server.ip": "216.58.194.98", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53118, + "tags": [ + "pan-os" + ], + "url.original": "www.googleadservices.com/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53126, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 27423, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:0TIOUPyQekmpFSgX6VlMP7asdJs=", + "network.direction": "inbound", + "network.transport": "tcp", + 
"observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "25958", + "palo_alto.network.nat.community_id": "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 20801, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53126, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53127, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 27968, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 
16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:5CeaDtLLJAW4qpNe5rR3zJ3u1KM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28429", + "palo_alto.network.nat.community_id": "1:al192CljLcXBQ5a9fXhiLM+uAKg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 24533, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53127, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53128, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + 
"destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 28513, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:HYgrk1tiJGzjAjdHLQJ54QqqEH0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28465", + "palo_alto.network.nat.community_id": "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 30150, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + 
"23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53128, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53129, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 29058, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:8k83tpdWoK7nNJrq4t81UXuScHA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + 
"palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28504", + "palo_alto.network.nat.community_id": "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 36305, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53129, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53130, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 29603, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28458", + "palo_alto.network.nat.community_id": "1:93oplAL+YibXq75Qng9iomHp97k=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 42682, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53130, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53131, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 30148, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:WlDGM7WbDrN83JffZtwB6PNK3Y8=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28491", + "palo_alto.network.nat.community_id": "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 22530, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + 
"source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53131, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53132, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 30693, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:U5qBRasQ13RQONeFOyA2+9QbWK8=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28520", + "palo_alto.network.nat.community_id": 
"1:KtlZO5BbsoCg/ymqE05xAvw/iIA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 43713, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53132, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53133, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 31238, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28335", + "palo_alto.network.nat.community_id": "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 60608, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53133, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53134, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + 
"labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 31783, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:IMZ08eMrtDP/qCq8+cruyYo5r98=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28414", + "palo_alto.network.nat.community_id": "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 9302, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53134, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": 
"2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53135, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 32327, + "log.original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.72.145.245", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28488", + "palo_alto.network.nat.community_id": "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 11634, + 
"palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53135, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53152, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 32872, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28469", + "palo_alto.network.nat.community_id": "1:1XJhGS1EujYy5wSCA64wjjK7hwA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 30818, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53152, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53155, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + 
"event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 33417, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:N2DPhwTnklulMwYKpcc4j0nLwu4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28556", + "palo_alto.network.nat.community_id": "1:YHN6cU700Mp7622M1rIzbnPQ+ik=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 64260, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + 
"source.port": 53155, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53158, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 33962, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:j5m21kfahBuP4jLMiqVnsVTJZ+Q=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28558", + 
"palo_alto.network.nat.community_id": "1:o5UB5uvp2ThXPXChyc7lgvBMH0s=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 7071, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53158, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53160, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 34506, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:8jQcqVCl+Q8N6jDNJlJwuydmDsA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28531", + "palo_alto.network.nat.community_id": "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 4512, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53160, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53161, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + 
"destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 35050, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:zcJ3HhZj3urz6vGwVhseviLv7kY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28580", + "palo_alto.network.nat.community_id": "1:KhCfFcRk3sovsTfN9pRRfgjsP84=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 3422, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + 
"54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53161, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53162, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 35594, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:DJHoN3ahXiIF4S4aGocL7KS/AhY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28477", + "palo_alto.network.nat.community_id": "1:hZhkH3fz7n30Q+zsXnQejsna14Q=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 4651, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53162, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53163, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 36138, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:oQCUvcNDUq8NlFsOiIljRD/md2E=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28484", + "palo_alto.network.nat.community_id": "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 19068, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53163, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53164, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 36683, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:DjIyvY/MLQ8U4RrMwFVhfq30m6g=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28609", + "palo_alto.network.nat.community_id": "1:lXgqW6uer7QCnFv+5qVbgX4vM6E=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 5831, + "palo_alto.source.zone": "trust", + 
"palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53164, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53165, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 37227, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": 
"ssl", + "network.community_id": "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28564", + "palo_alto.network.nat.community_id": "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 7084, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53165, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53166, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", 
+ "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 37771, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:wICcAfDG87s8YdjIhDgBqv6mTws=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28542", + "palo_alto.network.nat.community_id": "1:/wf94ECkqPez+fxVgk+3KErtaBQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 18633, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53166, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": 
"2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53167, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 38316, + "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:L9I6mLjr15WmWcGfC1vPrN0NmY0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28590", + "palo_alto.network.nat.community_id": "1:lGMn2sEJLK3qbOX02axD1srH/FY=", + "palo_alto.ruleset": 
"new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 25557, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53167, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53150, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 38861, + "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28455", + "palo_alto.network.nat.community_id": "1:O1zDnt5d52xTreiMgL/sHMRHiXA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 20661, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53150, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:28.000Z", + "client.ip": "192.168.15.224", + "client.port": 53185, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + 
"destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 39406, + "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:hu8p8gkxiimZqTLhIkgVfSePEqk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28585", + "palo_alto.network.nat.community_id": "1:CwNRTMQumfdoC3msd4z5PIYkKLU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 65438, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + 
"54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53185, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:28.000Z", + "client.ip": "192.168.15.224", + "client.port": 53187, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 39951, + "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:z12wzV1bKYppHPfC9LypWH+RtE4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28462", + "palo_alto.network.nat.community_id": "1:0YBp8myYbHSoKWG2HvxutMfose0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 53101, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53187, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:28.000Z", + "client.ip": "192.168.15.224", + "client.port": 53188, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 40496, + "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 
16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28839", + "palo_alto.network.nat.community_id": "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 35463, + "palo_alto.source.zone": "trust", + "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53188, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:29.000Z", + "client.ip": "192.168.15.224", + "client.port": 53178, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.log", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 41041, + "log.original": "Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": "1:f+00RNTWn2IGrM2JmEAnEPoRwDg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.209.101.70", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "28400", + "palo_alto.network.nat.community_id": "1:vbknc+k7pE33+aNpIggpIzlC7MY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 45769, + "palo_alto.source.zone": "trust", + 
"palo_alto.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.threat_id": "(9999)", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53178, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/log/test/traffic.log b/x-pack/filebeat/module/palo_alto/log/test/traffic.log new file mode 100644 index 000000000000..c3e74310f06b --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/log/test/traffic.log 
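Review bot: `source.geo.country_iso_code` is populated with `192.168.0.0-192.168.255.255` in every event of this hunk; that value is the PAN-OS source-location field, which carries an address range for RFC 1918 sources rather than an ISO country code, so the pipeline should only copy it into `source.geo.country_iso_code` when it is a two-letter code (or route non-code values to a module-specific field), otherwise geo-based visualisations and queries break on these events. Two smaller points in the same events: `related.ip` lists `54.209.101.70` twice because the destination and destination-NAT addresses are identical, so the array should be de-duplicated before it is set; and `network.direction` is `inbound` for flows whose source zone is `trust` and destination zone is `untrust` with `client-to-server` in the original line, which reads as outbound from the protected network, so the zone-to-direction mapping deserves a second look.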
@@ -0,0 +1,100 @@ +Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 
16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United 
States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 
16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 
16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 
16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United 
States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 diff --git a/x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json new file mode 100644 index 000000000000..0824df10014d --- /dev/null 
+++ b/x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json 
@@ -0,0 +1,6864 @@ +[ + { + "@timestamp": "2018-11-30T16:09:07.000Z", + "client.bytes": 1758, + "client.ip": "192.168.15.207", + "client.packets": 20, + "client.port": 55113, + "destination.bytes": 1758, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.253.152", + "destination.packets": 16, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 586000000000, + "event.end": "2018-11-30T16:08:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T15:59:04.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 0, + "log.original": "Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "apple-maps", + "network.bytes": 7734, + "network.community_id": "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=", + "network.direction": "outbound", + "network.packets": 36, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "184.51.253.152", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "22751", + "palo_alto.network.nat.community_id": 
"1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091112, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 16418, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.207", + "184.51.253.152", + "192.168.1.63", + "184.51.253.152" + ], + "server.bytes": 5976, + "server.ip": "184.51.253.152", + "server.packets": 16, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 5976, + "source.ip": "192.168.15.207", + "source.packets": 20, + "source.port": 55113, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:09.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:55.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 503, + "log.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United 
States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24223", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091113, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:09.000Z", + "client.bytes": 539, + "client.ip": "192.168.15.207", + "client.packets": 5, + "client.port": 55114, + "destination.bytes": 539, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "17.253.3.202", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + 
"event.start": "2018-11-30T16:08:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 947, + "log.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "web-browsing", + "network.bytes": 1574, + "network.community_id": "1:L9wP4JYo+V/38JhXYBMQf/hWYoQ=", + "network.direction": "outbound", + "network.packets": 11, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "17.253.3.202", + "palo_alto.destination.nat.port": 80, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24138", + "palo_alto.network.nat.community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091114, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 51990, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.207", + "17.253.3.202", + "192.168.1.63", + "17.253.3.202" + ], + "server.bytes": 1035, + "server.ip": "17.253.3.202", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 1035, + "source.ip": "192.168.15.207", + "source.packets": 5, + "source.port": 55114, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:15.000Z", + "client.bytes": 588, + 
"client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:01.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:01.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 1441, + "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24043", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091115, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + 
"palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:15.000Z", + "client.bytes": 2014, + "client.ip": "192.168.15.196", + "client.packets": 3, + "client.port": 46774, + "destination.bytes": 2014, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.386, + "destination.geo.location.lon": -122.0838, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.194.99", + "destination.packets": 5, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:07:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 1885, + "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 3627, 
+ "network.community_id": "1:bfDHy9SG4Mhm/ohGXQNZR3yF5sI=", + "network.direction": "outbound", + "network.packets": 8, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "216.58.194.99", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23003", + "palo_alto.network.nat.community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091116, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 15252, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.196", + "216.58.194.99", + "192.168.1.63", + "216.58.194.99" + ], + "server.bytes": 1613, + "server.ip": "216.58.194.99", + "server.packets": 5, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 1613, + "source.ip": "192.168.15.196", + "source.packets": 3, + "source.port": 46774, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:15.000Z", + "client.bytes": 20642, + "client.ip": "192.168.15.224", + "client.packets": 51, + "client.port": 52408, + "destination.bytes": 20642, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "209.234.224.22", + "destination.packets": 62, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 85000000000, + "event.end": "2018-11-30T16:08:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:33.000Z", + "fileset.name": "log", + "input.type": 
"log", + "labels.nat_translated": true, + "log.offset": 2353, + "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 41753, + "network.community_id": "1:A+0qkq/2rxZS/+I/sm0SFOWOkwY=", + "network.direction": "outbound", + "network.packets": 113, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "209.234.224.22", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23919", + "palo_alto.network.nat.community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091117, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 40763, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "209.234.224.22", + "192.168.1.63", + "209.234.224.22" + ], + "server.bytes": 21111, + "server.ip": "209.234.224.22", + "server.packets": 62, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 21111, + "source.ip": "192.168.15.224", + "source.packets": 51, + "source.port": 52408, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:21.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + 
"destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:07.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:07.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 2844, + "log.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "21394", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091118, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + 
"palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:21.000Z", + "client.bytes": 3365, + "client.ip": "192.168.15.224", + "client.packets": 9, + "client.port": 59190, + "destination.bytes": 3365, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.2.238", + "destination.packets": 7, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 15000000000, + "event.end": "2018-11-30T16:07:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:04.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 3288, + "log.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 7097, + "network.community_id": "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=", + "network.direction": "outbound", + "network.packets": 16, + "network.transport": "udp", + "observer.hostname": "PA-220", + 
"observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "172.217.2.238", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23698", + "palo_alto.network.nat.community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091119, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 52881, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "172.217.2.238", + "192.168.1.63", + "172.217.2.238" + ], + "server.bytes": 3732, + "server.ip": "172.217.2.238", + "server.packets": 7, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 3732, + "source.ip": "192.168.15.224", + "source.packets": 9, + "source.port": 59190, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:22.000Z", + "client.bytes": 80, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 49728, + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:50.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 3758, + "log.original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 301, + "network.community_id": "1:l1lEn2QIKjwJgww02PEndRveudE=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24179", + "palo_alto.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091120, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 26654, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 221, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 221, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 49728, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:23.000Z", + "client.bytes": 77, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 50500, + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + 
"destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:51.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 4207, + "log.original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 298, + "network.community_id": "1:RK6Ut4Rb0DTrl9IRf27cop79UwI=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23933", + "palo_alto.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091121, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 2486, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 221, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 221, + 
"source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 50500, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 4509, + "client.ip": "192.168.15.207", + "client.packets": 16, + "client.port": 55112, + "destination.bytes": 4509, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "17.249.60.78", + "destination.packets": 16, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 593000000000, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T15:58:59.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 4655, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "apple-push-notifications", + "network.bytes": 9978, + "network.community_id": "1:89DsXq0JlAcm8a60Q9a+OELsT0Y=", + "network.direction": "outbound", + "network.packets": 32, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "17.249.60.78", + "palo_alto.destination.nat.port": 443, + 
"palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "22662", + "palo_alto.network.nat.community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091122, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 42021, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.207", + "17.249.60.78", + "192.168.1.63", + "17.249.60.78" + ], + "server.bytes": 5469, + "server.ip": "17.249.60.78", + "server.packets": 16, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 5469, + "source.ip": "192.168.15.207", + "source.packets": 16, + "source.port": 55112, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 73, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 57632, + "destination.bytes": 73, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 5180, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 297, + "network.community_id": "1:5lGtGtzRH+NHOqMOFVuXwxg5nCo=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24161", + "palo_alto.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091123, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 24377, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 224, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 224, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 57632, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 69, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 50271, + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 5629, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 186, + "network.community_id": "1:WbAIgVVT23pzqAJkSDF68HGSPY4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24107", + "palo_alto.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091124, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 48792, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 117, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 117, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 50271, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2018-11-30T16:09:24.000Z", + "client.bytes": 85, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 54061, + "destination.bytes": 85, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 6078, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 392, + "network.community_id": "1:b+lWViOjpbOZConz3JzrSDR609Q=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24063", + "palo_alto.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091125, + "palo_alto.source.interface": 
"ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 2987, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 307, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 307, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 54061, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 75, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 52701, + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 6526, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 440, + "network.community_id": "1:dnGaTG13rwIh66+Pj0GQSdJMhu8=", + "network.direction": "outbound", + 
"network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24145", + "palo_alto.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091126, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 6945, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 365, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 365, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 52701, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:27.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 6974, + "log.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 
16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24245", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091127, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:27.000Z", + "client.bytes": 97, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 62503, + "destination.bytes": 97, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", 
+ "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2018-11-30T16:08:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 7418, + "log.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 258, + "network.community_id": "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24167", + "palo_alto.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091128, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 42208, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 161, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + 
"service.type": "palo_alto", + "source.bytes": 161, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 62503, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:28.000Z", + "client.bytes": 2086, + "client.ip": "192.168.15.224", + "client.packets": 13, + "client.port": 52442, + "destination.bytes": 2086, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "98.138.49.44", + "destination.packets": 14, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 17000000000, + "event.end": "2018-11-30T16:09:11.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 7867, + "log.original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 9891, + "network.community_id": "1:08BinpWe/JWymiOV0oCsRR8Lo4Q=", + "network.direction": "outbound", + "network.packets": 27, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "98.138.49.44", + "palo_alto.destination.nat.port": 443, + 
"palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24212", + "palo_alto.network.nat.community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091129, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 14660, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "98.138.49.44", + "192.168.1.63", + "98.138.49.44" + ], + "server.bytes": 7805, + "server.ip": "98.138.49.44", + "server.packets": 14, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 7805, + "source.ip": "192.168.15.224", + "source.packets": 13, + "source.port": 52442, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:28.000Z", + "client.bytes": 2354, + "client.ip": "192.168.15.224", + "client.packets": 11, + "client.port": 52441, + "destination.bytes": 2354, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "72.30.3.43", + "destination.packets": 13, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 17000000000, + "event.end": "2018-11-30T16:09:11.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:54.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 8350, + "log.original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 8460, + "network.community_id": "1:2NNXjZpDcB9oYU1TRLRSU5v7hoQ=", + "network.direction": "outbound", + "network.packets": 24, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "72.30.3.43", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24149", + "palo_alto.network.nat.community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091130, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 16483, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "72.30.3.43", + "192.168.1.63", + "72.30.3.43" + ], + "server.bytes": 6106, + "server.ip": "72.30.3.43", + "server.packets": 13, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 6106, + "source.ip": "192.168.15.224", + "source.packets": 11, + "source.port": 52441, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:29.000Z", + "client.bytes": 196, + "client.ip": "192.168.15.196", + "client.packets": 2, + "client.port": 0, + "destination.bytes": 196, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + 
"event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 8829, + "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 392, + "network.community_id": "1:/l9vT9UwjkUeC6vNW93wy71+TBk=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24185", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091131, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.196", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 196, + "server.ip": "8.8.8.8", + "server.packets": 2, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 196, + "source.ip": "192.168.15.196", + "source.packets": 2, + "source.port": 0, + "tags": [ + "pan-os" + 
] + }, + { + "@timestamp": "2018-11-30T16:09:29.000Z", + "client.bytes": 2545, + "client.ip": "192.168.15.224", + "client.packets": 17, + "client.port": 52355, + "destination.bytes": 2545, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.9.142", + "destination.packets": 19, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 116000000000, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 9271, + "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ocsp", + "network.bytes": 5790, + "network.community_id": "1:JJQ4CQTTE3x7lV+Npo80V7dd6ts=", + "network.direction": "outbound", + "network.packets": 36, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "172.217.9.142", + "palo_alto.destination.nat.port": 80, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23856", + "palo_alto.network.nat.community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=", + "palo_alto.ruleset": 
"new_outbound_from_trust", + "palo_alto.sequence_number": 32091132, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 5570, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "172.217.9.142", + "192.168.1.63", + "172.217.9.142" + ], + "server.bytes": 3245, + "server.ip": "172.217.9.142", + "server.packets": 19, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 3245, + "source.ip": "192.168.15.224", + "source.packets": 17, + "source.port": 52355, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:29.000Z", + "client.bytes": 82, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 50196, + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:08:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:57.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 9763, + "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + 
"network.application": "dns", + "network.bytes": 261, + "network.community_id": "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24173", + "palo_alto.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091133, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 24430, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 179, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 179, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 50196, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:30.000Z", + "client.bytes": 1758, + "client.ip": "192.168.15.224", + "client.packets": 12, + "client.port": 52454, + "destination.bytes": 1758, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.84.80.198", + "destination.packets": 13, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + 
"event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 10212, + "log.original": "Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "traps-management-service", + "network.bytes": 6295, + "network.community_id": "1:OnS/uikvrbdse63UYQtmHKrEk7k=", + "network.direction": "outbound", + "network.packets": 25, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "54.84.80.198", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24257", + "palo_alto.network.nat.community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091134, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 12122, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "54.84.80.198", + "192.168.1.63", + "54.84.80.198" + ], + "server.bytes": 4537, + "server.ip": "54.84.80.198", + "server.packets": 13, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 4537, + "source.ip": "192.168.15.224", + "source.packets": 12, + "source.port": 52454, + "tags": [ + 
"pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:32.000Z", + "client.bytes": 624, + "client.ip": "192.168.15.224", + "client.packets": 0, + "client.port": 52445, + "destination.bytes": 624, + "destination.geo.city_name": "Santa Clara", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.3961, + "destination.geo.location.lon": -121.9617, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "199.167.55.52", + "destination.packets": 8, + "destination.port": 4282, + "ecs.version": "1.0.0", + "event.action": "flow_dropped", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 13000000000, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 10725, + "log.original": "Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 624, + "network.community_id": "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "network.direction": "outbound", + "network.packets": 8, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "199.167.55.52", + "palo_alto.destination.nat.port": 4282, + "palo_alto.destination.zone": 
"untrust", + "palo_alto.flow_id": "24090", + "palo_alto.network.nat.community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091135, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 49145, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "199.167.55.52", + "192.168.1.63", + "199.167.55.52" + ], + "server.bytes": 0, + "server.ip": "199.167.55.52", + "server.packets": 8, + "server.port": 4282, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.15.224", + "source.packets": 0, + "source.port": 52445, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:33.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_denied", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 11198, + "log.original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 
16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24242", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091136, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:34.000Z", + "client.bytes": 85, + "client.ip": "192.168.15.210", + "client.packets": 1, + "client.port": 35485, + "destination.bytes": 85, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:02.000Z", + "event.module": "palo_alto", + "event.outcome": 
"allow", + "event.start": "2018-11-30T16:09:02.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 11643, + "log.original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 215, + "network.community_id": "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24190", + "palo_alto.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091137, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 33110, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.210", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 130, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 130, + "source.ip": "192.168.15.210", + "source.packets": 1, + "source.port": 35485, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:37.000Z", + "client.bytes": 2876, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 62730, + 
"destination.bytes": 2876, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.9.142", + "destination.packets": 6, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 15000000000, + "event.end": "2018-11-30T16:07:35.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 12089, + "log.original": "Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 4867, + "network.community_id": "1:lVJii2BraOSOIissazAe7/enqkQ=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "172.217.9.142", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23892", + "palo_alto.network.nat.community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091138, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 9299, + 
"palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "172.217.9.142", + "192.168.1.63", + "172.217.9.142" + ], + "server.bytes": 1991, + "server.ip": "172.217.9.142", + "server.packets": 6, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 1991, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 62730, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:38.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 5, + "client.port": 52506, + "destination.bytes": 1100, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "151.101.2.2", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:21.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 12559, + "log.original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1623, + "network.community_id": "1:Te0H9rrEbN0bNEjgdC1n6hD8kQU=", + "network.direction": "outbound", + "network.packets": 13, + 
"network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "151.101.2.2", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24360", + "palo_alto.network.nat.community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091139, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 47194, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "151.101.2.2", + "192.168.1.63", + "151.101.2.2" + ], + "server.bytes": 523, + "server.ip": "151.101.2.2", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 523, + "source.ip": "192.168.15.224", + "source.packets": 5, + "source.port": 52506, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:38.000Z", + "client.bytes": 1977, + "client.ip": "192.168.15.224", + "client.packets": 4, + "client.port": 60596, + "destination.bytes": 1977, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.386, + "destination.geo.location.lon": -122.0838, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.194.66", + "destination.packets": 5, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:07:36.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:36.000Z", + "fileset.name": "log", + 
"input.type": "log", + "labels.nat_translated": true, + "log.offset": 13050, + "log.original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 4405, + "network.community_id": "1:5umxbSgQhlPOZM9gbu1iBMqzRr8=", + "network.direction": "outbound", + "network.packets": 9, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "216.58.194.66", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23952", + "palo_alto.network.nat.community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091140, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 62921, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "216.58.194.66", + "192.168.1.63", + "216.58.194.66" + ], + "server.bytes": 2428, + "server.ip": "216.58.194.66", + "server.packets": 5, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 2428, + "source.ip": "192.168.15.224", + "source.packets": 4, + "source.port": 60596, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:39.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:25.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 13518, + "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24328", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091141, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", 
+ "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:39.000Z", + "client.bytes": 196, + "client.ip": "192.168.15.210", + "client.packets": 2, + "client.port": 0, + "destination.bytes": 196, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:25.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 13962, + "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 392, + "network.community_id": "1:7LdGPOlsucPADJQxcTlIy8FSIxU=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + 
"palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24385", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091142, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.210", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 196, + "server.ip": "8.8.8.8", + "server.packets": 2, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 196, + "source.ip": "192.168.15.210", + "source.packets": 2, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:39.000Z", + "client.bytes": 2228, + "client.ip": "192.168.15.224", + "client.packets": 10, + "client.port": 52514, + "destination.bytes": 2228, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.253.193", + "destination.packets": 12, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:22.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:22.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 14404, + "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 7231, + "network.community_id": "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=", + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "184.51.253.193", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24172", + "palo_alto.network.nat.community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091143, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 41958, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "184.51.253.193", + "192.168.1.63", + "184.51.253.193" + ], + "server.bytes": 5003, + "server.ip": "184.51.253.193", + "server.packets": 12, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 5003, + "source.ip": "192.168.15.224", + "source.packets": 10, + "source.port": 52514, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:40.000Z", + "client.bytes": 96, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 55155, + "destination.bytes": 96, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": 
"flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:08.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:08.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 14890, + "log.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 267, + "network.community_id": "1:BengLCKQRlHSjje1eFQLdxgTKJc=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24131", + "palo_alto.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091144, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 51374, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 171, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 171, + "source.ip": "192.168.15.224", + "source.packets": 1, + 
"source.port": 55155, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:40.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 0, + "client.port": 52445, + "destination.bytes": 78, + "destination.geo.city_name": "Santa Clara", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.3961, + "destination.geo.location.lon": -121.9617, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "199.167.55.52", + "destination.packets": 1, + "destination.port": 4282, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:33.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:33.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 15339, + "log.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 78, + "network.community_id": "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "199.167.55.52", + "palo_alto.destination.nat.port": 4282, + 
"palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24393", + "palo_alto.network.nat.community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091145, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 25566, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "199.167.55.52", + "192.168.1.63", + "199.167.55.52" + ], + "server.bytes": 0, + "server.ip": "199.167.55.52", + "server.packets": 1, + "server.port": 4282, + "service.type": "palo_alto", + "source.bytes": 0, + "source.ip": "192.168.15.224", + "source.packets": 0, + "source.port": 52445, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:42.000Z", + "client.bytes": 1086, + "client.ip": "192.168.15.224", + "client.packets": 9, + "client.port": 52516, + "destination.bytes": 1086, + "destination.geo.city_name": "Santa Clara", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.3961, + "destination.geo.location.lon": -121.9617, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "199.167.52.219", + "destination.packets": 11, + "destination.port": 17472, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:25.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 15808, + "log.original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "tanium", + "network.bytes": 3402, + "network.community_id": "1:9oIDq1tuilAK1JGhtfp35vZpz4w=", + "network.direction": "outbound", + "network.packets": 20, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "199.167.52.219", + "palo_alto.destination.nat.port": 17472, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24976", + "palo_alto.network.nat.community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091146, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 63757, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "199.167.52.219", + "192.168.1.63", + "199.167.52.219" + ], + "server.bytes": 2316, + "server.ip": "199.167.52.219", + "server.packets": 11, + "server.port": 17472, + "service.type": "palo_alto", + "source.bytes": 2316, + "source.ip": "192.168.15.224", + "source.packets": 9, + "source.port": 52516, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:42.000Z", + "client.bytes": 2628, + "client.ip": "192.168.15.224", + "client.packets": 19, + "client.port": 52511, + "destination.bytes": 2628, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.71.117.196", + "destination.packets": 19, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 4000000000, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 16297, + "log.original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 16594, + "network.community_id": "1:lrruE+4dZreV0/+v9V1CpxRnfsE=", + "network.direction": "outbound", + "network.packets": 38, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.71.117.196", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24348", + "palo_alto.network.nat.community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091147, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + 
"palo_alto.source.nat.port": 3803, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "52.71.117.196", + "192.168.1.63", + "52.71.117.196" + ], + "server.bytes": 13966, + "server.ip": "52.71.117.196", + "server.packets": 19, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 13966, + "source.ip": "192.168.15.224", + "source.packets": 19, + "source.port": 52511, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 79, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 3018, + "destination.bytes": 79, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 16802, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 323, + "network.community_id": "1:b/0kdGUcINh0ryiR0w0QTg0t0jQ=", + "network.direction": "outbound", + "network.packets": 2, + 
"network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24046", + "palo_alto.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091148, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 34994, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 244, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 244, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 3018, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 95, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 16569, + "destination.bytes": 95, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 17250, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 300, + "network.community_id": "1:SsNvr7qdck7W52PZqREypGPIglo=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24196", + "palo_alto.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091149, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 38064, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 205, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 205, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 16569, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 4296, + "client.ip": "192.168.15.224", + "client.packets": 20, + "client.port": 52479, + "destination.bytes": 4296, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + 
"destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.186.194.41", + "destination.packets": 24, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 17699, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 6598, + "network.community_id": "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=", + "network.direction": "outbound", + "network.packets": 44, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "35.186.194.41", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24264", + "palo_alto.network.nat.community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091150, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 42924, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "insufficient-content", + 
"related.ip": [ + "192.168.15.224", + "35.186.194.41", + "192.168.1.63", + "35.186.194.41" + ], + "server.bytes": 2302, + "server.ip": "35.186.194.41", + "server.packets": 24, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 2302, + "source.ip": "192.168.15.224", + "source.packets": 20, + "source.port": 52479, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 58831, + "client.ip": "192.168.15.224", + "client.packets": 41, + "client.port": 52478, + "destination.bytes": 58831, + "destination.geo.continent_name": "Asia", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 105.0, + "destination.ip": "35.201.124.9", + "destination.packets": 63, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 18185, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 65588, + "network.community_id": "1:DBvAD0JZYsb+pmUJkhTQYOcLJls=", + "network.direction": "outbound", + "network.packets": 104, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "35.201.124.9", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24248", + "palo_alto.network.nat.community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091151, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 58977, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "insufficient-content", + "related.ip": [ + "192.168.15.224", + "35.201.124.9", + "192.168.1.63", + "35.201.124.9" + ], + "server.bytes": 6757, + "server.ip": "35.201.124.9", + "server.packets": 63, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 6757, + "source.ip": "192.168.15.224", + "source.packets": 41, + "source.port": 52478, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 4069, + "client.ip": "192.168.15.224", + "client.packets": 15, + "client.port": 52502, + "destination.bytes": 4069, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "100.24.131.237", + "destination.packets": 17, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 6000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 18678, + "log.original": 
"Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 13076, + "network.community_id": "1:3G8yDLybfwtFo10J4I/c5Ayd4Qk=", + "network.direction": "outbound", + "network.packets": 32, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "100.24.131.237", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24268", + "palo_alto.network.nat.community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091152, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 64732, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "100.24.131.237", + "192.168.1.63", + "100.24.131.237" + ], + "server.bytes": 9007, + "server.ip": "100.24.131.237", + "server.packets": 17, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 9007, + "source.ip": "192.168.15.224", + "source.packets": 15, + "source.port": 52502, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52458, + "destination.bytes": 1100, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.252.247", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 13000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 19179, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1761, + "network.community_id": "1:ZTCXYP/obCmlK+BT3BISstdxpCk=", + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "184.51.252.247", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24175", + "palo_alto.network.nat.community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091153, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 58292, + "palo_alto.source.zone": 
"trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "184.51.252.247", + "192.168.1.63", + "184.51.252.247" + ], + "server.bytes": 661, + "server.ip": "184.51.252.247", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 661, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52458, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 3596, + "client.ip": "192.168.15.224", + "client.packets": 16, + "client.port": 52484, + "destination.bytes": 3596, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.190.88.148", + "destination.packets": 15, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 19683, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + 
"network.application": "ssl", + "network.bytes": 14732, + "network.community_id": "1:DEAqTvDzZjanGG1P2CcnR3CKUfc=", + "network.direction": "outbound", + "network.packets": 31, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "35.190.88.148", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24312", + "palo_alto.network.nat.community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091154, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 32209, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "35.190.88.148", + "192.168.1.63", + "35.190.88.148" + ], + "server.bytes": 11136, + "server.ip": "35.190.88.148", + "server.packets": 15, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 11136, + "source.ip": "192.168.15.224", + "source.packets": 16, + "source.port": 52484, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 3596, + "client.ip": "192.168.15.224", + "client.packets": 16, + "client.port": 52482, + "destination.bytes": 3596, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.186.243.83", + "destination.packets": 15, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 20177, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 14732, + "network.community_id": "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=", + "network.direction": "outbound", + "network.packets": 31, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "35.186.243.83", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24164", + "palo_alto.network.nat.community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091155, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 38822, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "35.186.243.83", + "192.168.1.63", + "35.186.243.83" + ], + "server.bytes": 11136, + "server.ip": "35.186.243.83", + "server.packets": 15, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 11136, + "source.ip": "192.168.15.224", + 
"source.packets": 16, + "source.port": 52482, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 33769, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 20671, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 266, + "network.community_id": "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=", + "network.direction": "external", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24198", + "palo_alto.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=", + "palo_alto.ruleset": 
"new_outbound_from_trust", + "palo_alto.sequence_number": 32091156, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 16044, + "palo_alto.source.zone": "untrust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 182, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 182, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 33769, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 74, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 14106, + "destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 21122, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 164, + 
"network.community_id": "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=", + "network.direction": "internal", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "24184", + "palo_alto.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091157, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 56614, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 90, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 90, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 14106, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 2731, + "client.ip": "192.168.15.224", + "client.packets": 13, + "client.port": 52503, + "destination.bytes": 2731, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "100.24.165.74", + "destination.packets": 17, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 6000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": 
"allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 21568, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 9400, + "network.community_id": "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=", + "network.direction": "inbound", + "network.packets": 30, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "100.24.165.74", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "trust", + "palo_alto.flow_id": "24314", + "palo_alto.network.nat.community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091158, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 53168, + "palo_alto.source.zone": "untrust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "100.24.165.74", + "192.168.1.63", + "100.24.165.74" + ], + "server.bytes": 6669, + "server.ip": "100.24.165.74", + "server.packets": 17, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 6669, + "source.ip": "192.168.15.224", + "source.packets": 13, + "source.port": 52503, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 
1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52459, + "destination.bytes": 1100, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.252.247", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 13000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 22066, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1761, + "network.community_id": "1:LeVVxJ/qJ69xMnerDRfh9DhS1wg=", + "network.direction": "unknown", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "184.51.252.247", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24204", + "palo_alto.network.nat.community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 
32091159, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 28012, + "palo_alto.source.zone": "xtrust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "184.51.252.247", + "192.168.1.63", + "184.51.252.247" + ], + "server.bytes": 661, + "server.ip": "184.51.252.247", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 661, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52459, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 3596, + "client.ip": "192.168.15.224", + "client.packets": 16, + "client.port": 52483, + "destination.bytes": 3596, + "destination.geo.continent_name": "Asia", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 105.0, + "destination.ip": "35.201.94.140", + "destination.packets": 15, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 22571, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 
14732, + "network.community_id": "1:b6jBmvbfVzb1LGTW2RD80kK1rMs=", + "network.direction": "unknown", + "network.packets": 31, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "35.201.94.140", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "xuntrust", + "palo_alto.flow_id": "24234", + "palo_alto.network.nat.community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091160, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 16050, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "35.201.94.140", + "192.168.1.63", + "35.201.94.140" + ], + "server.bytes": 11136, + "server.ip": "35.201.94.140", + "server.packets": 15, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 11136, + "source.ip": "192.168.15.224", + "source.packets": 16, + "source.port": 52483, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:31.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:31.000Z", + "fileset.name": "log", + 
"input.type": "log", + "labels.nat_translated": true, + "log.offset": 23072, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "unknown", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.flow_id": "24390", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091161, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 38663, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": 
-97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 23504, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 228, + "network.community_id": "1:jK1/samUe1w5J1uVlmH7SIXX1YE=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24093", + "palo_alto.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091162, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 61722, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 144, + "server.ip": "8.8.8.8", + "server.packets": 1, + 
"server.port": 53, + "service.type": "palo_alto", + "source.bytes": 144, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 38663, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 131, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 50443, + "destination.bytes": 131, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 23953, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 337, + "network.community_id": "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": 
"24117", + "palo_alto.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091163, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 14247, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 206, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 206, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 50443, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 131, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 54215, + "destination.bytes": 131, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 24403, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 337, + "network.community_id": "1:qHh6xeCGBZ5pLwaBsFDRVbP5MZU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24142", + "palo_alto.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091164, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 33580, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 206, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 206, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 54215, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 83, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 35827, + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + 
"event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 24853, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 252, + "network.community_id": "1:7yZMN4i1Gxii2+FmEtBbvDk3lvA=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24195", + "palo_alto.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091165, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 13498, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 169, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 169, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 35827, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 100, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 60609, + "destination.bytes": 
100, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 25302, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 232, + "network.community_id": "1:0vV/bWp15XA8ntbAvsV9+ktbx6E=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24124", + "palo_alto.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091166, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 20365, + "palo_alto.source.zone": "trust", + 
"palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 132, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 132, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 60609, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 79, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 3248, + "destination.bytes": 79, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 25752, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 206, + "network.community_id": "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24153", + "palo_alto.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091167, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 61464, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 127, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 127, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 3248, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 89, + "client.ip": "192.168.15.196", + "client.packets": 1, + "client.port": 49284, + "destination.bytes": 89, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 26200, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 194, + "network.community_id": "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24122", + "palo_alto.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091168, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 42877, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.196", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 105, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 105, + "source.ip": "192.168.15.196", + "source.packets": 1, + "source.port": 49284, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 97, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 57732, + "destination.bytes": 97, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + 
"destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 26649, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 269, + "network.community_id": "1:aMEfJV/f54B1+0RNtWjw49JfNFU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24171", + "palo_alto.network.nat.community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091169, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 5918, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 172, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 172, + 
"source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 57732, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 49195, + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 27097, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 212, + "network.community_id": "1:WgGQfntwYS3voQPhGfI/qhx0SVk=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24069", + "palo_alto.network.nat.community_id": 
"1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091170, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 28944, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 134, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 134, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 49195, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 73, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 17266, + "destination.bytes": 73, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 27546, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + 
"network.application": "dns", + "network.bytes": 252, + "network.community_id": "1:RM5edUgZPywM/hIejzFVba+A4co=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24282", + "palo_alto.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091171, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 13415, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 179, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 179, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 17266, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 90, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 48631, + "destination.bytes": 90, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": 
"log", + "labels.nat_translated": true, + "log.offset": 27995, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 308, + "network.community_id": "1:jJo7FJWI3gHbC96nTsyT17hVP98=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24218", + "palo_alto.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091172, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 2489, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 218, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 218, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 48631, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 77, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 58540, + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 28443, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 249, + "network.community_id": "1:eWhg/7DfJGJNfW90sKt5WEYnI9g=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24200", + "palo_alto.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091173, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 49328, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + 
"8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 172, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 172, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 58540, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 74, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 42678, + "destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 28892, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 379, + "network.community_id": "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": 
"8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24224", + "palo_alto.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091174, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 36036, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 305, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 305, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 42678, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 76, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 16576, + "destination.bytes": 76, + "destination.geo.city_name": "Upper Marlboro", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.8922, + "destination.geo.location.lon": -76.7681, + "destination.geo.region_iso_code": "US-MD", + "destination.geo.region_name": "Maryland", + "destination.ip": "66.28.0.45", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 29341, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 603, + "network.community_id": "1:4i/owhGS2IpySKH+SyV4sXRj0+A=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "66.28.0.45", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24240", + "palo_alto.network.nat.community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091175, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 33744, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "66.28.0.45", + "192.168.1.63", + "66.28.0.45" + ], + "server.bytes": 527, + "server.ip": "66.28.0.45", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 527, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 16576, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 89, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 39830, + "destination.bytes": 89, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + 
"destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 29796, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 242, + "network.community_id": "1:KZzZcwEN4cbaTck1z2Wa/3P3YjU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24183", + "palo_alto.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091176, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 45809, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 153, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": 
"palo_alto", + "source.bytes": 153, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 39830, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 71, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 6185, + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 30245, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 240, + "network.community_id": "1:LJ6ZkdUI9SYHDvi3B2Yn/9ILMbM=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24211", + 
"palo_alto.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091177, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 3675, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 169, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 169, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 6185, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 80, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 8781, + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 30692, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 208, + "network.community_id": "1:8CDWB7X3kkKjoV2bprSLSQY1py4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24253", + "palo_alto.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091178, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 5787, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 128, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 128, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 8781, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 72, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 16788, + "destination.bytes": 72, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": 
"2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 31139, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 253, + "network.community_id": "1:ScmRIn+bxqoJafQfJfEaH/CdCjE=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24221", + "palo_alto.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091179, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 12342, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 181, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 181, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 16788, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 76, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 45307, + "destination.bytes": 76, + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 31588, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 197, + "network.community_id": "1:eupsSNkv67+oInX/FQ2hHpUMyR8=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24310", + "palo_alto.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091180, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 18729, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": 
"any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 121, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 121, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 45307, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 681, + "client.ip": "192.168.15.224", + "client.packets": 5, + "client.port": 52520, + "destination.bytes": 681, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.52.174.25", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:29.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:29.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 32037, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ocsp", + "network.bytes": 1927, + "network.community_id": "1://eZmJioBenLsE0zEL0rhbQ7JT8=", + "network.direction": "outbound", + "network.packets": 11, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": 
"012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "23.52.174.25", + "palo_alto.destination.nat.port": 80, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24326", + "palo_alto.network.nat.community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091181, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 57858, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "23.52.174.25", + "192.168.1.63", + "23.52.174.25" + ], + "server.bytes": 1246, + "server.ip": "23.52.174.25", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.bytes": 1246, + "source.ip": "192.168.15.224", + "source.packets": 5, + "source.port": 52520, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 79, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 8503, + "destination.bytes": 79, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 1000000000, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 32523, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 394, + "network.community_id": "1:5CL0nRdjk2Nab0PzB6vfyC1FbtI=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24201", + "palo_alto.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091182, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 2722, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 315, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 315, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 8503, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 82, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 6910, + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + 
"destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 32970, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 212, + "network.community_id": "1:3cIrQ2yt0QUupDVmbBJXH54+2pA=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24130", + "palo_alto.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091183, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 6674, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 130, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 130, + 
"source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 6910, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 354, + "client.ip": "192.168.15.224", + "client.packets": 4, + "client.port": 52475, + "destination.bytes": 354, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.542, + "destination.geo.location.lon": -122.3123, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "54.230.5.228", + "destination.packets": 5, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:29.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:17.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 33417, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 642, + "network.community_id": "1:ArbNq6iF9i1NLk5zDU1qThAZf4g=", + "network.direction": "outbound", + "network.packets": 9, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": 
"54.230.5.228", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24237", + "palo_alto.network.nat.community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091184, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 37427, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "54.230.5.228", + "192.168.1.63", + "54.230.5.228" + ], + "server.bytes": 288, + "server.ip": "54.230.5.228", + "server.packets": 5, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 288, + "source.ip": "192.168.15.224", + "source.packets": 4, + "source.port": 52475, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 76, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 14342, + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 33886, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 225, + "network.community_id": "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24108", + "palo_alto.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091185, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 22408, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 149, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 149, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 14342, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:48.000Z", + "client.bytes": 71, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 48197, + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": 
"palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 34335, + "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 273, + "network.community_id": "1:hwpLJFJeocCuki/uuS7DMUwYAcc=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24247", + "palo_alto.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091186, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 27899, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 202, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 202, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 48197, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2018-11-30T16:09:48.000Z", + "client.bytes": 75, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 32296, + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 34784, + "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 270, + "network.community_id": "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24098", + "palo_alto.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091187, + "palo_alto.source.interface": 
"ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 52939, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 195, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 195, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 32296, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:48.000Z", + "client.bytes": 90, + "client.ip": "192.168.15.195", + "client.packets": 1, + "client.port": 33870, + "destination.bytes": 90, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.83.246.20", + "destination.packets": 1, + "destination.port": 123, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 35233, + "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ntp", + "network.bytes": 180, + "network.community_id": "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=", + "network.direction": 
"outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "208.83.246.20", + "palo_alto.destination.nat.port": 123, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24263", + "palo_alto.network.nat.community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091188, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 42907, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.195", + "208.83.246.20", + "192.168.1.63", + "208.83.246.20" + ], + "server.bytes": 90, + "server.ip": "208.83.246.20", + "server.packets": 1, + "server.port": 123, + "service.type": "palo_alto", + "source.bytes": 90, + "source.ip": "192.168.15.195", + "source.packets": 1, + "source.port": 33870, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 148, + "client.ip": "192.168.15.196", + "client.packets": 2, + "client.port": 54659, + "destination.bytes": 148, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "drop-icmp", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 35695, + "log.original": "Nov 30 16:09:49 PA-220 
1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 340, + "network.community_id": "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24258", + "palo_alto.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091189, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 19658, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.196", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 192, + "server.ip": "8.8.8.8", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 192, + "source.ip": "192.168.15.196", + "source.packets": 2, + "source.port": 54659, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 83, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 57446, + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + 
"destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "reset-client", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 36149, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 291, + "network.community_id": "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24155", + "palo_alto.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091190, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 64352, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 208, + "server.ip": "8.8.8.8", + "server.packets": 1, + 
"server.port": 53, + "service.type": "palo_alto", + "source.bytes": 208, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 57446, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 22655, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "reset-server", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 36605, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 184, + "network.community_id": "1:GzSDvCcBuprowvf40RNRaGTOn+A=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + 
"palo_alto.flow_id": "24232", + "palo_alto.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091191, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 60126, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 100, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 100, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 22655, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 2053, + "client.ip": "192.168.15.224", + "client.packets": 11, + "client.port": 52509, + "destination.bytes": 2053, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.6582, + "destination.geo.location.lon": -77.2497, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "35.185.88.112", + "destination.packets": 13, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 10000000000, + "event.end": "2018-11-30T16:09:31.000Z", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 37061, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 9290, + "network.community_id": "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=", + "network.direction": "outbound", + "network.packets": 24, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "35.185.88.112", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24330", + "palo_alto.network.nat.community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091192, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 59771, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "35.185.88.112", + "192.168.1.63", + "35.185.88.112" + ], + "server.bytes": 7237, + "server.ip": "35.185.88.112", + "server.packets": 13, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 7237, + "source.ip": "192.168.15.224", + "source.packets": 11, + "source.port": 52509, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 93, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 27192, + "destination.bytes": 93, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": 
"flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 37565, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 202, + "network.community_id": "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "23960", + "palo_alto.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091193, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 35748, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 109, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 109, + "source.ip": "192.168.15.224", + "source.packets": 1, + 
"source.port": 27192, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 30221, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 38014, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 200, + "network.community_id": "1:UKGEn5x2xKPJhb0aLNUd3IM2xP0=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24236", + "palo_alto.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=", + "palo_alto.ruleset": "new_outbound_from_trust", + 
"palo_alto.sequence_number": 32091194, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 63701, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 116, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 116, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 30221, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 64, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 30570, + "destination.bytes": 64, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 38463, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 160, + "network.community_id": 
"1:7WDGZhY7X3GTZLGCIDWzxK5juF4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24276", + "palo_alto.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091195, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 57872, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 96, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 96, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 30570, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52497, + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": 
"2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 38911, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": "1:wOhR5YstpLgnt5WE19sGYKCmyZU=", + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "50.19.85.24", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24299", + "palo_alto.network.nat.community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091196, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 37581, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52497, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + 
"client.packets": 7, + "client.port": 52498, + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 39403, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": "1:6h8eY2s13iXP9cVx+C3Odlnn4+A=", + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "50.19.85.24", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24229", + "palo_alto.network.nat.community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=", + 
"palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091197, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 19226, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52498, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52496, + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 39895, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": "1:/ZL4TDk4BgzLIyz/Xp1oJ9ew5cE=", + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "50.19.85.24", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24283", + "palo_alto.network.nat.community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091198, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 61721, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52496, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 2691, + "client.ip": "192.168.15.224", + "client.packets": 10, + "client.port": 52510, + "destination.bytes": 2691, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "104.254.150.9", + "destination.packets": 12, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": 
"flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 40387, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 10511, + "network.community_id": "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=", + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "104.254.150.9", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24369", + "palo_alto.network.nat.community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091199, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 10098, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "104.254.150.9", + "192.168.1.63", + "104.254.150.9" + ], + "server.bytes": 7820, + "server.ip": "104.254.150.9", + "server.packets": 12, + "server.port": 443, + "service.type": 
"palo_alto", + "source.bytes": 7820, + "source.ip": "192.168.15.224", + "source.packets": 10, + "source.port": 52510, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52495, + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 40885, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": "1:QTH4ra5ZOxMb5v4tYy8DkqQsSus=", + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": 
"ethernet1/1", + "palo_alto.destination.nat.ip": "50.19.85.24", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24354", + "palo_alto.network.nat.community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091200, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 4564, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52495, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 3, + "client.port": 52486, + "destination.bytes": 276, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.0.218.108", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 41376, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 
16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 490, + "network.community_id": "1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=", + "network.direction": "outbound", + "network.packets": 7, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.0.218.108", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24254", + "palo_alto.network.nat.community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091201, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 32104, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "52.0.218.108", + "192.168.1.63", + "52.0.218.108" + ], + "server.bytes": 214, + "server.ip": "52.0.218.108", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 214, + "source.ip": "192.168.15.224", + "source.packets": 3, + "source.port": 52486, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 3, + "client.port": 52489, + "destination.bytes": 276, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.6.117.19", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 41845, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 490, + "network.community_id": "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=", + "network.direction": "outbound", + "network.packets": 7, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "52.6.117.19", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24246", + "palo_alto.network.nat.community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091202, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 14172, + 
"palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "52.6.117.19", + "192.168.1.63", + "52.6.117.19" + ], + "server.bytes": 214, + "server.ip": "52.6.117.19", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 214, + "source.ip": "192.168.15.224", + "source.packets": 3, + "source.port": 52489, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 3, + "client.port": 52490, + "destination.bytes": 276, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.238.96.22", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 42312, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 490, + 
"network.community_id": "1:FdupsUbF1ju1djczW9JAKlxKNC4=", + "network.direction": "outbound", + "network.packets": 7, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "34.238.96.22", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24343", + "palo_alto.network.nat.community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091203, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 10286, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "34.238.96.22", + "192.168.1.63", + "34.238.96.22" + ], + "server.bytes": 214, + "server.ip": "34.238.96.22", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 214, + "source.ip": "192.168.15.224", + "source.packets": 3, + "source.port": 52490, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 4, + "client.port": 52493, + "destination.bytes": 276, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "130.211.47.17", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + 
"event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 42781, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 556, + "network.community_id": "1:fHitWYVd9RNFs7M5hQrqw/dmY8Y=", + "network.direction": "outbound", + "network.packets": 8, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "130.211.47.17", + "palo_alto.destination.nat.port": 443, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24262", + "palo_alto.network.nat.community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091204, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 30799, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "130.211.47.17", + "192.168.1.63", + "130.211.47.17" + ], + "server.bytes": 280, + "server.ip": "130.211.47.17", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.bytes": 280, + "source.ip": "192.168.15.224", + "source.packets": 4, + "source.port": 52493, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:51.000Z", + 
"client.bytes": 97, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 59320, + "destination.bytes": 97, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:18.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:18.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 43252, + "log.original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 269, + "network.community_id": "1:n/IZF37E/7cErtK4po3ewuEQScY=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24281", + "palo_alto.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091205, + "palo_alto.source.interface": "ethernet1/2", + 
"palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 13490, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 172, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 172, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 59320, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:37.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:37.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 43701, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.direction": "outbound", + "network.packets": 12, + 
"network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 0, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24424", + "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091206, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 0, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 13076, + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 44145, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 172, + "network.community_id": "1:jKueIOIhkRRjHQyRO93QyuKEiP8=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24230", + "palo_alto.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091207, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 53751, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 94, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 94, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 13076, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 72, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 5511, + "destination.bytes": 72, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + 
"destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 44593, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 242, + "network.community_id": "1:mci4o+GZJDLvZr11UdJH9bepPqU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24243", + "palo_alto.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091208, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 21643, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 170, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 170, + 
"source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 5511, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 9799, + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 45041, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 172, + "network.community_id": "1:Px8uRfOgVDuaWj/VKxjTwyAzHAM=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24077", + "palo_alto.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=", 
+ "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091209, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 22446, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 94, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 94, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 9799, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 39169, + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 45488, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + 
"network.bytes": 172, + "network.community_id": "1:6tSek5GUc9k56LSY4NgTMd0igd8=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24266", + "palo_alto.network.nat.community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091210, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 22301, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 94, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 94, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 39169, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 72, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 42476, + "destination.bytes": 72, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.log", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "log", + "input.type": "log", + "labels.nat_translated": 
true, + "log.offset": 45936, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 238, + "network.community_id": "1:xl0u/+SYGciPtyPuv813G1aTEdI=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.destination.interface": "ethernet1/1", + "palo_alto.destination.nat.ip": "8.8.8.8", + "palo_alto.destination.nat.port": 53, + "palo_alto.destination.zone": "untrust", + "palo_alto.flow_id": "24269", + "palo_alto.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=", + "palo_alto.ruleset": "new_outbound_from_trust", + "palo_alto.sequence_number": 32091211, + "palo_alto.source.interface": "ethernet1/2", + "palo_alto.source.nat.ip": "192.168.1.63", + "palo_alto.source.nat.port": 58124, + "palo_alto.source.zone": "trust", + "palo_alto.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 166, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.bytes": 166, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 42476, + "tags": [ + "pan-os" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/module.yml b/x-pack/filebeat/module/palo_alto/module.yml new file mode 100644 index 000000000000..b78832712d05 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/module.yml @@ -0,0 +1,3 @@ +dashboards: +# TODO + 
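Review bot: in the `traffic.log-expected.json` objects above, every `related.ip` array repeats `8.8.8.8` (`"related.ip": ["192.168.15.224", "8.8.8.8", "192.168.1.63", "8.8.8.8"]`) because `destination.ip` and `palo_alto.destination.nat.ip` are the same address whenever no destination NAT applied; the pipeline should de-duplicate before appending so `related.ip` holds each address once, and these fixtures then regenerated. In the same objects `palo_alto.flow_id` is emitted as a string (`"24424"`) while `palo_alto.sequence_number` is numeric (`32091206`), although both come from numeric columns of the TRAFFIC record; pick one type and make `fields.yml` match. For the ICMP flow (`"network.transport": "icmp"`) the `0` port placeholders from the raw line are copied into `source.port`, `destination.port`, `client.port` and `server.port`; omitting the port fields when the transport has no ports is cleaner than indexing 0. The file also ends with `\ No newline at end of file`; adding the trailing newline keeps later diffs clean.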
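Review bot: the new `module.yml` ships with an empty `dashboards:` key and only a `# TODO` comment; either add the dashboard entries before merge or leave the file out until they exist, since an empty key contributes nothing and a bare TODO is easy to forget once the module lands.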
From 250555910774ef85e29ccbe9802f3bc4a9d5b0bf Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 8 May 2019 23:05:48 +0200 Subject: [PATCH 02/10] Rename fileset from `log` to `pan_os` --- x-pack/filebeat/filebeat.reference.yml | 2 +- .../module/palo_alto/_meta/config.yml | 2 +- .../module/palo_alto/_meta/docs.asciidoc | 8 +- .../{log => pan_os}/_meta/fields.yml | 0 .../{log => pan_os}/config/input.yml | 0 .../{log => pan_os}/ingest/pipeline.yml | 0 .../palo_alto/{log => pan_os}/manifest.yml | 2 +- .../{log => pan_os}/test/pan_inc_other.log | 0 .../test/pan_inc_other.log-expected.json | 4 +- .../{log => pan_os}/test/pan_inc_threat.log | 0 .../test/pan_inc_threat.log-expected.json | 400 +++++++++--------- .../{log => pan_os}/test/pan_inc_traffic.log | 0 .../test/pan_inc_traffic.log-expected.json | 400 +++++++++--------- .../palo_alto/{log => pan_os}/test/threat.log | 0 .../test/threat.log-expected.json | 304 ++++++------- .../{log => pan_os}/test/traffic.log | 0 .../test/traffic.log-expected.json | 400 +++++++++--------- 17 files changed, 761 insertions(+), 761 deletions(-) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/_meta/fields.yml (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/config/input.yml (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/ingest/pipeline.yml (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/manifest.yml (95%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/pan_inc_other.log (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/pan_inc_other.log-expected.json (97%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/pan_inc_threat.log (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/pan_inc_threat.log-expected.json (97%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/pan_inc_traffic.log (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/pan_inc_traffic.log-expected.json (97%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/threat.log (100%) rename 
x-pack/filebeat/module/palo_alto/{log => pan_os}/test/threat.log-expected.json (97%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/traffic.log (100%) rename x-pack/filebeat/module/palo_alto/{log => pan_os}/test/traffic.log-expected.json (97%) diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 36b8e91a44d5..05b7cee914eb 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -405,7 +405,7 @@ filebeat.modules: #------------------------------ Palo_alto Module ------------------------------ - module: palo_alto - log: + pan_os: enabled: true # Set which input to use between syslog (default) or file. diff --git a/x-pack/filebeat/module/palo_alto/_meta/config.yml b/x-pack/filebeat/module/palo_alto/_meta/config.yml index 92bd528253de..e507060d2f0f 100644 --- a/x-pack/filebeat/module/palo_alto/_meta/config.yml +++ b/x-pack/filebeat/module/palo_alto/_meta/config.yml @@ -1,5 +1,5 @@ - module: palo_alto - log: + pan_os: enabled: true # Set which input to use between syslog (default) or file. diff --git a/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc index b8f8c89adf7d..d436be7f14d6 100644 --- a/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc @@ -133,24 +133,24 @@ it can also be configured to read logs from a file. See the following example. ["source","yaml",subs="attributes"] ----- - module: palo_alto - log: + pan_os: enabled: true var.paths: ["/var/log/pan-os.log"] var.input: "file" ----- -:fileset_ex: log +:fileset_ex: pan_os include::../include/config-option-intro.asciidoc[] [float] -==== `log` fileset settings +==== `pan_os` fileset settings Example config: [source,yaml] ---- - log: + pan_os: var.syslog_host: 0.0.0.0 var.syslog_port: 514 ---- 
diff --git a/x-pack/filebeat/module/palo_alto/log/_meta/fields.yml b/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/_meta/fields.yml rename to x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml diff --git a/x-pack/filebeat/module/palo_alto/log/config/input.yml b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/config/input.yml rename to x-pack/filebeat/module/palo_alto/pan_os/config/input.yml diff --git a/x-pack/filebeat/module/palo_alto/log/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/ingest/pipeline.yml rename to x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml diff --git a/x-pack/filebeat/module/palo_alto/log/manifest.yml b/x-pack/filebeat/module/palo_alto/pan_os/manifest.yml similarity index 95% rename from x-pack/filebeat/module/palo_alto/log/manifest.yml rename to x-pack/filebeat/module/palo_alto/pan_os/manifest.yml index cdcc1ffec7bd..f6265abad1ec 100644 --- a/x-pack/filebeat/module/palo_alto/log/manifest.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/manifest.yml @@ -3,7 +3,7 @@ module_version: "1.0" var: - name: paths default: - - /var/log/iptables.log + - /var/log/pan-os.log - name: tags default: [pan-os] - name: syslog_host diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log rename to x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log 
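Review bot: the `manifest.yml` hunk changes the default `paths` entry from `/var/log/iptables.log` to `/var/log/pan-os.log`, which is a behaviour fix (a leftover from the iptables module) rather than part of the `log` to `pan_os` rename this commit describes; mention it in the commit message or move it to its own commit so the change is not hidden inside a pure rename, and keep the docs example (`var.paths: ["/var/log/pan-os.log"]`) in step with it.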
diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json similarity index 97% rename from x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json rename to x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json index bbf67e36628e..fa663da2eba8 100644 --- a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json @@ -20,13 +20,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 5853, diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log rename to x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json similarity index 97% rename from x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json rename to x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json index 39a758fc5ca2..7b15d0ba5b81 100644 --- a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json 
@@ -16,11 +16,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -80,11 +80,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -144,11 +144,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -208,11 +208,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -272,11 +272,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -336,11 +336,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -400,11 +400,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -464,11 +464,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -528,11 +528,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -592,11 +592,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -656,11 +656,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -720,11 +720,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -784,11 +784,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -848,11 +848,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -911,11 +911,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -975,11 +975,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -1036,11 +1036,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -1099,11 +1099,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1163,11 +1163,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1227,11 +1227,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -1291,11 +1291,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1355,11 +1355,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1419,11 +1419,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1483,11 +1483,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -1547,11 +1547,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1611,11 +1611,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1675,11 +1675,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1739,11 +1739,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -1803,11 +1803,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1867,11 +1867,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1931,11 +1931,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -1995,11 +1995,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, 
@@ -2059,11 +2059,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "labels.container_page": true, @@ -2120,11 +2120,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2180,11 +2180,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2243,11 +2243,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -2306,11 +2306,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2366,11 +2366,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2426,11 +2426,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2489,11 +2489,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -2549,11 +2549,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2609,11 +2609,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2669,11 +2669,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2726,11 +2726,11 @@ "ecs.version": "1.0.0", "event.action": "spyware_detected", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "drop-all-packets", "event.severity": 1, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "critical", 
@@ -2795,11 +2795,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2855,11 +2855,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2915,11 +2915,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -2975,11 +2975,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -3038,11 +3038,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3101,11 +3101,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3164,11 +3164,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3227,11 +3227,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -3290,11 +3290,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3347,11 +3347,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", @@ -3416,11 +3416,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3473,11 +3473,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", @@ -3530,11 +3530,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", 
@@ -3598,11 +3598,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3655,11 +3655,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", @@ -3715,11 +3715,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", @@ -3775,11 +3775,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -3835,11 +3835,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3895,11 +3895,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -3952,11 +3952,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", @@ -4021,11 +4021,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -4084,11 +4084,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4141,11 +4141,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4204,11 +4204,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4273,11 +4273,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -4330,11 +4330,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4393,11 +4393,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4450,11 +4450,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4510,11 +4510,11 @@ "ecs.version": "1.0.0", "event.action": "file_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "deny", "event.severity": 4, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "low", 
@@ -4567,11 +4567,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4627,11 +4627,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4687,11 +4687,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4747,11 +4747,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -4810,11 +4810,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4867,11 +4867,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4927,11 +4927,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -4987,11 +4987,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -5047,11 +5047,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5107,11 +5107,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5170,11 +5170,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5230,11 +5230,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -5290,11 +5290,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5353,11 +5353,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5413,11 +5413,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5473,11 +5473,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -5533,11 +5533,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5596,11 +5596,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5653,11 +5653,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5713,11 +5713,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -5776,11 +5776,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5833,11 +5833,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5893,11 +5893,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -5953,11 +5953,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", 
@@ -6013,11 +6013,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -6073,11 +6073,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "alert", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", @@ -6133,11 +6133,11 @@ "ecs.version": "1.0.0", "event.action": "data_match", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "reset-both", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.level": "informational", diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log rename to x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log diff --git a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json similarity index 97% rename from x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json rename to x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json index abb2a5a4419e..4c9fe0725295 100644 
--- a/x-pack/filebeat/module/palo_alto/log/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json @@ -20,13 +20,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:59.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:59.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 0, @@ -88,13 +88,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 364, @@ -156,13 +156,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 717, 
@@ -227,13 +227,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 1070, @@ -298,13 +298,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 1434, @@ -366,13 +366,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 1798, @@ -434,13 +434,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 2151, 
@@ -505,13 +505,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:28.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:27.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 2504, @@ -576,13 +576,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:28.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:28.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 2889, @@ -647,13 +647,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:28.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:27.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 3274, @@ -718,13 +718,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:58.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 3659, 
@@ -789,13 +789,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:57.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:57.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 4023, @@ -860,13 +860,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:57.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:57.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 4387, @@ -931,13 +931,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:57.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:57.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 4751, @@ -1002,13 +1002,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:27.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 5115, 
@@ -1073,13 +1073,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:26.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 5500, @@ -1144,13 +1144,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 512000000000, "event.end": "2012-04-10T04:38:26.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:29:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 5885, @@ -1215,13 +1215,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 6267, @@ -1286,13 +1286,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 6631, 
@@ -1354,13 +1354,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 6995, @@ -1422,13 +1422,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 7348, @@ -1493,13 +1493,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 7701, @@ -1561,13 +1561,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:26.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:26.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 8065, 
@@ -1632,13 +1632,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:26.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:26.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 8418, @@ -1703,13 +1703,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:26.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:26.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 8803, @@ -1774,13 +1774,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:56.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:56.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 9188, @@ -1842,13 +1842,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:55.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 9552, 
@@ -1910,13 +1910,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:55.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 9905, @@ -1978,13 +1978,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 125000000000, "event.end": "2012-04-10T04:39:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:37:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 10258, @@ -2049,13 +2049,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:55.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 10624, @@ -2117,13 +2117,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:55.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 10988, 
@@ -2188,13 +2188,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:25.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:24.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 11341, @@ -2259,13 +2259,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:55.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 11713, @@ -2327,13 +2327,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 12077, @@ -2395,13 +2395,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 12430, 
@@ -2466,13 +2466,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 12783, @@ -2537,13 +2537,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 13147, @@ -2605,13 +2605,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 13511, @@ -2673,13 +2673,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 13864, 
@@ -2740,13 +2740,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:24.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:24.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "log.offset": 14217, "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", @@ -2809,13 +2809,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:24.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:23.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 14556, 
@@ -2879,13 +2879,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:24.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:24.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "log.offset": 14933, "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", @@ -2948,13 +2948,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:24.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:24.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 15331, @@ -3019,13 +3019,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:24.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:24.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 15696, 
@@ -3086,13 +3086,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:24.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:24.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "log.offset": 16061, "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", @@ -3155,13 +3155,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:54.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 16400, @@ -3223,13 +3223,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:53.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:53.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 16764, 
@@ -3294,13 +3294,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:53.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:53.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 17117, @@ -3362,13 +3362,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:53.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:53.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 17481, @@ -3430,13 +3430,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:23.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:22.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 17834, @@ -3498,13 +3498,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:23.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:23.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 18189, 
@@ -3566,13 +3566,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:23.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:23.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 18543, @@ -3637,13 +3637,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:23.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:23.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 18897, @@ -3708,13 +3708,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 2000000000, "event.end": "2012-04-10T04:39:23.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 19272, @@ -3779,13 +3779,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 512000000000, "event.end": "2012-04-10T04:38:23.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:29:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 19646, 
@@ -3847,13 +3847,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:53.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:53.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 20028, @@ -3918,13 +3918,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:53.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:53.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 20381, @@ -3986,13 +3986,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 20745, @@ -4054,13 +4054,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 21098, 
@@ -4125,13 +4125,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 21451, @@ -4196,13 +4196,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 21817, @@ -4264,13 +4264,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 22181, @@ -4332,13 +4332,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 22534, 
@@ -4403,13 +4403,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:22.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 22887, @@ -4471,13 +4471,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:22.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:22.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 23264, @@ -4539,13 +4539,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:51.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 23618, @@ -4607,13 +4607,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:51.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 23971, 
@@ -4678,13 +4678,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:51.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 24324, @@ -4749,13 +4749,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:21.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 24688, @@ -4820,13 +4820,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:51.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 25063, @@ -4888,13 +4888,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 25427, 
@@ -4956,13 +4956,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 25780, @@ -5027,13 +5027,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 26133, @@ -5095,13 +5095,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:20.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 26497, @@ -5163,13 +5163,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 26873, 
@@ -5231,13 +5231,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 27226, @@ -5302,13 +5302,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 27579, @@ -5366,13 +5366,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:20.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 27943, @@ -5437,13 +5437,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 3000000000, "event.end": "2012-04-10T04:39:20.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:17.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 28310, 
@@ -5508,13 +5508,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 7000000000, "event.end": "2012-04-10T04:39:20.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 28683, @@ -5572,13 +5572,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:20.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 29056, @@ -5636,13 +5636,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:20.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 29423, @@ -5707,13 +5707,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:49.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:49.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 29789, 
@@ -5775,13 +5775,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:49.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:49.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 30153, @@ -5843,13 +5843,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:49.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:49.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 30506, @@ -5914,13 +5914,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:49.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:49.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 30859, @@ -5982,13 +5982,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:49.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:49.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 31223, 
@@ -6046,13 +6046,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:18.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 31576, @@ -6114,13 +6114,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:49.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:49.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 31942, @@ -6185,13 +6185,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:48.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:48.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 32295, @@ -6253,13 +6253,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:48.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:48.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 32659, 
@@ -6321,13 +6321,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:48.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:48.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 33012, @@ -6392,13 +6392,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:18.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:17.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 33365, @@ -6463,13 +6463,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:48.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:48.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 33742, @@ -6534,13 +6534,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:48.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:48.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 34106, 
@@ -6605,13 +6605,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:47.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:47.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 34470, @@ -6669,13 +6669,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2012-04-10T04:39:17.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 34834, @@ -6740,13 +6740,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:47.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:47.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 35200, @@ -6811,13 +6811,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:47.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:47.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 35567, 
@@ -6882,13 +6882,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2012-04-10T04:39:46.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2012-04-10T04:39:46.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.captive_portal": true, "log.offset": 35934, diff --git a/x-pack/filebeat/module/palo_alto/log/test/threat.log b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/test/threat.log rename to x-pack/filebeat/module/palo_alto/pan_os/test/threat.log diff --git a/x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json similarity index 97% rename from x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json rename to x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json index 8f5fab57bc8c..2f3495524c39 100644 --- a/x-pack/filebeat/module/palo_alto/log/test/threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json @@ -12,11 +12,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -73,11 +73,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -134,11 +134,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -195,11 +195,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -256,11 +256,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -317,11 +317,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -378,11 +378,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -439,11 +439,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -500,11 +500,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -561,11 +561,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -622,11 +622,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -683,11 +683,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -744,11 +744,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -805,11 +805,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -866,11 +866,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -927,11 +927,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -988,11 +988,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -1049,11 +1049,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1110,11 +1110,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1171,11 +1171,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1232,11 +1232,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -1293,11 +1293,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1354,11 +1354,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1415,11 +1415,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1476,11 +1476,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -1537,11 +1537,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1598,11 +1598,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1659,11 +1659,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1720,11 +1720,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -1781,11 +1781,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1842,11 +1842,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1903,11 +1903,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -1964,11 +1964,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -2025,11 +2025,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2086,11 +2086,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2147,11 +2147,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2211,11 +2211,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -2275,11 +2275,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2339,11 +2339,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2403,11 +2403,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2467,11 +2467,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -2531,11 +2531,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2595,11 +2595,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2659,11 +2659,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2723,11 +2723,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -2787,11 +2787,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2851,11 +2851,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2915,11 +2915,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -2979,11 +2979,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -3043,11 +3043,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3104,11 +3104,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3165,11 +3165,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3226,11 +3226,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -3287,11 +3287,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3348,11 +3348,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3409,11 +3409,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3470,11 +3470,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -3531,11 +3531,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3592,11 +3592,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3653,11 +3653,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3717,11 +3717,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -3781,11 +3781,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3845,11 +3845,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3909,11 +3909,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -3973,11 +3973,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -4037,11 +4037,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4101,11 +4101,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4165,11 +4165,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4229,11 +4229,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -4293,11 +4293,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4357,11 +4357,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4421,11 +4421,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4485,11 +4485,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, 
@@ -4549,11 +4549,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4613,11 +4613,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, @@ -4677,11 +4677,11 @@ "ecs.version": "1.0.0", "event.action": "url_filtering", "event.category": "security_threat", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.module": "palo_alto", "event.outcome": "block-url", "event.severity": 5, - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "labels.temporary_match": true, diff --git a/x-pack/filebeat/module/palo_alto/log/test/traffic.log b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log similarity index 100% rename from x-pack/filebeat/module/palo_alto/log/test/traffic.log rename to x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log diff --git a/x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json similarity index 97% rename from x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json rename to x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json index 0824df10014d..43b0f21973b9 100644 --- a/x-pack/filebeat/module/palo_alto/log/test/traffic.log-expected.json 
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json @@ -16,13 +16,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 586000000000, "event.end": "2018-11-30T16:08:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T15:59:04.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 0, @@ -84,13 +84,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:55.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 503, @@ -152,13 +152,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2018-11-30T16:08:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 947, @@ -220,13 +220,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:01.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:01.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 1441, 
@@ -291,13 +291,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:07:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:07:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 1885, @@ -359,13 +359,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 85000000000, "event.end": "2018-11-30T16:08:58.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:07:33.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 2353, @@ -427,13 +427,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:07.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:07.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 2844, @@ -495,13 +495,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 15000000000, "event.end": "2018-11-30T16:07:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:07:04.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 3288, 
@@ -563,13 +563,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:50.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:50.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 3758, @@ -631,13 +631,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:51.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:51.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 4207, @@ -699,13 +699,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 593000000000, "event.end": "2018-11-30T16:08:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T15:58:59.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 4655, @@ -767,13 +767,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 5180, 
@@ -835,13 +835,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 5629, @@ -903,13 +903,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 6078, @@ -971,13 +971,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:52.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:52.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 6526, @@ -1039,13 +1039,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 6974, 
@@ -1107,13 +1107,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2018-11-30T16:08:55.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 7418, @@ -1175,13 +1175,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 17000000000, "event.end": "2018-11-30T16:09:11.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 7867, @@ -1243,13 +1243,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 17000000000, "event.end": "2018-11-30T16:09:11.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:54.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 8350, @@ -1311,13 +1311,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:15.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:15.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 8829, 
@@ -1379,13 +1379,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 116000000000, "event.end": "2018-11-30T16:09:12.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:07:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 9271, @@ -1447,13 +1447,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:08:57.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:08:57.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 9763, @@ -1518,13 +1518,13 @@ "ecs.version": "1.0.0", "event.action": "flow_started", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 10212, @@ -1589,13 +1589,13 @@ "ecs.version": "1.0.0", "event.action": "flow_dropped", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 13000000000, "event.end": "2018-11-30T16:09:25.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:12.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 10725, 
@@ -1657,13 +1657,13 @@ "ecs.version": "1.0.0", "event.action": "flow_denied", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 11198, @@ -1724,13 +1724,13 @@ "destination.port": 53, "ecs.version": "1.0.0", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:02.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:02.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 11643, @@ -1791,13 +1791,13 @@ "destination.port": 443, "ecs.version": "1.0.0", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 15000000000, "event.end": "2018-11-30T16:07:35.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:07:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 12089, @@ -1859,13 +1859,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:21.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 12559, 
@@ -1930,13 +1930,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:07:36.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:07:36.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 13050, @@ -1998,13 +1998,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:25.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:25.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 13518, @@ -2066,13 +2066,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:25.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:25.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 13962, @@ -2134,13 +2134,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:22.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:22.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 14404, 
@@ -2202,13 +2202,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:08.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:08.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 14890, @@ -2273,13 +2273,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:33.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:33.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 15339, @@ -2344,13 +2344,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:25.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:25.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 15808, @@ -2415,13 +2415,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 4000000000, "event.end": "2018-11-30T16:09:25.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 16297, 
@@ -2483,13 +2483,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:12.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:12.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 16802, @@ -2551,13 +2551,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:12.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:12.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 17250, @@ -2622,13 +2622,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 8000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 17699, @@ -2689,13 +2689,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 8000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 18185, 
@@ -2760,13 +2760,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 6000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 18678, @@ -2828,13 +2828,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 13000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 19179, @@ -2899,13 +2899,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 8000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 19683, @@ -2970,13 +2970,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 8000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 20177, 
@@ -3038,13 +3038,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:12.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:12.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 20671, @@ -3106,13 +3106,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:12.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:12.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 21122, @@ -3177,13 +3177,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 6000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 21568, @@ -3245,13 +3245,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 13000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 22066, 
@@ -3312,13 +3312,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 8000000000, "event.end": "2018-11-30T16:09:27.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 22571, @@ -3380,13 +3380,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:31.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:31.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 23072, @@ -3446,13 +3446,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 23504, @@ -3514,13 +3514,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 23953, 
@@ -3582,13 +3582,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 24403, @@ -3650,13 +3650,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 24853, @@ -3718,13 +3718,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 25302, @@ -3786,13 +3786,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 25752, 
@@ -3854,13 +3854,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 26200, @@ -3922,13 +3922,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 26649, @@ -3990,13 +3990,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 27097, @@ -4058,13 +4058,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 27546, 
@@ -4126,13 +4126,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 27995, @@ -4194,13 +4194,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 28443, @@ -4262,13 +4262,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:13.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 28892, @@ -4333,13 +4333,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 29341, 
@@ -4401,13 +4401,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 29796, @@ -4469,13 +4469,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 30245, @@ -4537,13 +4537,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 30692, @@ -4605,13 +4605,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 31139, 
@@ -4673,13 +4673,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 31588, @@ -4741,13 +4741,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:29.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:29.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 32037, @@ -4809,13 +4809,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 1000000000, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:13.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 32523, @@ -4877,13 +4877,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 32970, 
@@ -4948,13 +4948,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 12000000000, "event.end": "2018-11-30T16:09:29.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:17.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 33417, @@ -5016,13 +5016,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:14.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:14.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 33886, @@ -5084,13 +5084,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:15.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:15.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 34335, @@ -5152,13 +5152,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:15.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:15.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 34784, 
@@ -5220,13 +5220,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:15.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:15.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 35233, @@ -5288,13 +5288,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:16.000Z", "event.module": "palo_alto", "event.outcome": "drop-icmp", "event.start": "2018-11-30T16:09:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 35695, @@ -5356,13 +5356,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:16.000Z", "event.module": "palo_alto", "event.outcome": "reset-client", "event.start": "2018-11-30T16:09:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 36149, @@ -5424,13 +5424,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:16.000Z", "event.module": "palo_alto", "event.outcome": "reset-server", "event.start": "2018-11-30T16:09:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 36605, 
@@ -5494,13 +5494,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 10000000000, "event.end": "2018-11-30T16:09:31.000Z", "event.module": "palo_alto", "event.outcome": "reset-both", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 37061, @@ -5562,13 +5562,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:16.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 37565, @@ -5630,13 +5630,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:16.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 38014, @@ -5698,13 +5698,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:16.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:16.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 38463, 
@@ -5769,13 +5769,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 11000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 38911, @@ -5840,13 +5840,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 11000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 39403, @@ -5911,13 +5911,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 11000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 39895, @@ -5979,13 +5979,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 11000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 40387, 
@@ -6050,13 +6050,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 11000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:21.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 40885, @@ -6121,13 +6121,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 12000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 41376, @@ -6192,13 +6192,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 12000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 41845, @@ -6263,13 +6263,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 12000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 42312, 
@@ -6334,13 +6334,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 12000000000, "event.end": "2018-11-30T16:09:32.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:20.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 42781, @@ -6402,13 +6402,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:18.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:18.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 43252, @@ -6470,13 +6470,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:37.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:37.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 43701, @@ -6538,13 +6538,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 44145, 
@@ -6606,13 +6606,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 44593, @@ -6674,13 +6674,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 45041, @@ -6742,13 +6742,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 45488, @@ -6810,13 +6810,13 @@ "ecs.version": "1.0.0", "event.action": "flow_terminated", "event.category": "network_traffic", - "event.dataset": "palo_alto.log", + "event.dataset": "palo_alto.pan_os", "event.duration": 0, "event.end": "2018-11-30T16:09:19.000Z", "event.module": "palo_alto", "event.outcome": "allow", "event.start": "2018-11-30T16:09:19.000Z", - "fileset.name": "log", + "fileset.name": "pan_os", "input.type": "log", "labels.nat_translated": true, "log.offset": 45936, From e8c38d4bfdeba43f01d183c31353ffaf494bfa52 Mon Sep 17 00:00:00 2001 
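Review bot: the rename of `event.dataset` to "palo_alto.pan_os" and `fileset.name` to "pan_os" is applied consistently in every expected-output hunk shown (@@ -2760 through @@ -6810), but the unchanged context lines around it expose a mapping worth deciding on in the same change: `event.outcome` carries the raw PAN-OS action string ("drop-icmp", "reset-client", "reset-server", "reset-both" in the @@ -5288, @@ -5356, @@ -5424 and @@ -5494 hunks) while `event.action` is always the constant "flow_terminated". Consider keeping the vendor action in a module field and reducing `event.outcome` to a small stable vocabulary (for example allow vs. deny), so dashboards and detection rules keyed on `event.outcome` do not have to enumerate every PAN-OS action variant; the vendor value stays available for drill-down.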
From: Adrian Serrano Date: Wed, 8 May 2019 23:59:19 +0200 Subject: [PATCH 03/10] Add pan_os prefix to fields --- x-pack/filebeat/module/palo_alto/fields.go | 2 +- .../module/palo_alto/pan_os/_meta/fields.yml | 211 +- .../module/palo_alto/pan_os/config/input.yml | 66 +- .../palo_alto/pan_os/ingest/pipeline.yml | 28 +- .../test/pan_inc_other.log-expected.json | 24 +- .../test/pan_inc_threat.log-expected.json | 2600 ++++++++--------- .../test/pan_inc_traffic.log-expected.json | 2400 +++++++-------- .../pan_os/test/threat.log-expected.json | 2128 +++++++------- .../pan_os/test/traffic.log-expected.json | 2596 ++++++++-------- 9 files changed, 5030 insertions(+), 5025 deletions(-) diff --git a/x-pack/filebeat/module/palo_alto/fields.go b/x-pack/filebeat/module/palo_alto/fields.go index 2f9e0af13e24..d192ec61b6e4 100644 --- a/x-pack/filebeat/module/palo_alto/fields.go +++ b/x-pack/filebeat/module/palo_alto/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPaloAlto returns asset data. // This is the base64 encoded gzipped contents of module/palo_alto. func AssetPaloAlto() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml b/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml index 25ef9773007a..0e7f15e7d391 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml 
@@ -1,119 +1,124 @@ - - name: ruleset - type: keyword - description: > - Name of the rule that matched this session. - - name: source - type: group - description: > - Fields to extend the top-level source object. - fields: - - name: zone - type: keyword - description: > - Source zone for this session. - - name: interface - type: keyword - description: > - Source interface for this session. - - name: nat - type: group - description: > - Post-NAT source address, if source NAT is performed. - fields: - - name: ip - type: ip + - name: pan_os + type: group + description: > + Fields for the Palo Alto Networks PAN-OS logs. + fields: + - name: ruleset + type: keyword + description: > + Name of the rule that matched this session. + - name: source + type: group + description: > + Fields to extend the top-level source object. + fields: + - name: zone + type: keyword description: > - Post-NAT source IP. - - name: port - type: long + Source zone for this session. + - name: interface + type: keyword description: > - Post-NAT source port. - - - name: destination - type: group - description: > - Fields to extend the top-level destination object. - fields: - - name: zone - type: keyword - description: > - Destination zone for this session. - - name: interface - type: keyword - description: > - Destination interface for this session. - - name: nat - type: group - description: > - Post-NAT destination address, if destination NAT is performed. - fields: + Source interface for this session. + - name: nat + type: group + description: > + Post-NAT source address, if source NAT is performed. + fields: - name: ip type: ip description: > - Post-NAT destination IP. + Post-NAT source IP. - name: port type: long description: > - Post-NAT destination port. + Post-NAT source port. + + - name: destination + type: group + description: > + Fields to extend the top-level destination object. + fields: + - name: zone + type: keyword + description: > + Destination zone for this session. 
+ - name: interface + type: keyword + description: > + Destination interface for this session. + - name: nat + type: group + description: > + Post-NAT destination address, if destination NAT is performed. + fields: + - name: ip + type: ip + description: > + Post-NAT destination IP. + - name: port + type: long + description: > + Post-NAT destination port. - - name: network - type: group - description: > - Fields to extend the top-level network object. - fields: - - name: pcap_id - type: keyword - description: > - Packet capture ID for a threat. + - name: network + type: group + description: > + Fields to extend the top-level network object. + fields: + - name: pcap_id + type: keyword + description: > + Packet capture ID for a threat. - - name: nat - type: group - fields: - - name: community_id - type: keyword - description: > - Community ID flow-hash for the NAT 5-tuple. + - name: nat + type: group + fields: + - name: community_id + type: keyword + description: > + Community ID flow-hash for the NAT 5-tuple. - - name: file - type: group - description: > - Fields to extend the top-level file object. - fields: - - name: hash - description: > - Binary hash for a threat file sent to be analyzed - by the WildFire service. - type: keyword + - name: file + type: group + description: > + Fields to extend the top-level file object. + fields: + - name: hash + description: > + Binary hash for a threat file sent to be analyzed + by the WildFire service. + type: keyword - - name: url - type: group - description: > - Fields to extend the top-level url object. - fields: - - name: category - type: keyword - description: > - For threat URLs, it's the URL category. - For WildFire, the verdict on the file and is - either 'malicious', 'grayware', or 'benign'. + - name: url + type: group + description: > + Fields to extend the top-level url object. + fields: + - name: category + type: keyword + description: > + For threat URLs, it's the URL category. 
+ For WildFire, the verdict on the file and is + either 'malicious', 'grayware', or 'benign'. - - name: flow_id - type: keyword - description: > - Internal numeric identifier for each session. + - name: flow_id + type: keyword + description: > + Internal numeric identifier for each session. - - name: sequence_number - type: long - description: > - Log entry identifier that is incremented sequentially. - Unique for each log type. + - name: sequence_number + type: long + description: > + Log entry identifier that is incremented sequentially. + Unique for each log type. - - name: threat_file_or_url - type: keyword - description: > - URL or file name for a threat. + - name: threat_file_or_url + type: keyword + description: > + URL or file name for a threat. - - name: threat_id - type: keyword - description: > - Palo Alto Networks identifier for the threat. + - name: threat_id + type: keyword + description: > + Palo Alto Networks identifier for the threat. diff --git a/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml index cc96002f1d68..2fefed18a0ad 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml 
@@ -49,25 +49,25 @@ processors: source.ip: 7 server.ip: 8 destination.ip: 8 - palo_alto.source.nat.ip: 9 - palo_alto.destination.nat.ip: 10 - palo_alto.ruleset: 11 + palo_alto.pan_os.source.nat.ip: 9 + palo_alto.pan_os.destination.nat.ip: 10 + palo_alto.pan_os.ruleset: 11 client.user.name: 12 source.user.name: 12 server.user.name: 13 destination.user.name: 13 network.application: 14 - palo_alto.source.zone: 16 - palo_alto.destination.zone: 17 - palo_alto.source.interface: 18 - palo_alto.destination.interface: 19 - palo_alto.flow_id: 22 + palo_alto.pan_os.source.zone: 16 + palo_alto.pan_os.destination.zone: 17 + palo_alto.pan_os.source.interface: 18 + palo_alto.pan_os.destination.interface: 19 + palo_alto.pan_os.flow_id: 22 client.port: 24 source.port: 24 destination.port: 25 server.port: 25 - palo_alto.source.nat.port: 26 - palo_alto.destination.nat.port: 27 + palo_alto.pan_os.source.nat.port: 26 + palo_alto.pan_os.destination.nat.port: 27 _temp_.labels: 28 network.transport: 29 event.outcome: 30 @@ -79,8 +79,8 @@ processors: network.packets: 34 event.start: 35 event.duration: 36 - palo_alto.url.category: 37 - palo_alto.sequence_number: 39 + palo_alto.pan_os.url.category: 37 + palo_alto.pan_os.sequence_number: 39 server.packets: 44 destination.packets: 44 client.packets: 45 
@@ -100,44 +100,44 @@ processors: source.ip: 7 server.ip: 8 destination.ip: 8 - palo_alto.source.nat.ip: 9 - palo_alto.destination.nat.ip: 10 - palo_alto.ruleset: 11 + palo_alto.pan_os.source.nat.ip: 9 + palo_alto.pan_os.destination.nat.ip: 10 + palo_alto.pan_os.ruleset: 11 client.user.name: 12 source.user.name: 12 server.user.name: 13 destination.user.name: 13 network.application: 14 - palo_alto.source.zone: 16 - palo_alto.destination.zone: 17 - palo_alto.source.interface: 18 - palo_alto.destination.interface: 19 - palo_alto.flow_id: 22 + palo_alto.pan_os.source.zone: 16 + palo_alto.pan_os.destination.zone: 17 + palo_alto.pan_os.source.interface: 18 + palo_alto.pan_os.destination.interface: 19 + palo_alto.pan_os.flow_id: 22 client.port: 24 source.port: 24 destination.port: 25 server.port: 25 - palo_alto.source.nat.port: 26 - palo_alto.destination.nat.port: 27 + palo_alto.pan_os.source.nat.port: 26 + palo_alto.pan_os.destination.nat.port: 27 _temp_.labels: 28 network.transport: 29 event.outcome: 30 - palo_alto.threat_file_or_url: 31 + palo_alto.pan_os.threat_file_or_url: 31 url.original: 31 - palo_alto.threat_id: 32 - palo_alto.url.category: 33 + palo_alto.pan_os.threat_id: 32 + palo_alto.pan_os.url.category: 33 log.level: 34 _temp_.direction: 35 source.geo.country_iso_code: 38 destination.geo.country_iso_code: 39 - palo_alto.network.pcap_id: 42 - palo_alto.file.hash: 43 + palo_alto.pan_os.network.pcap_id: 42 + palo_alto.pan_os.file.hash: 43 user_agent.original: 46 file.type: 47 network.forwarded_ip: 48 http.request.referer: 49 source.user.email: 50 - palo_alto.subject: 51 + palo_alto.pan_os.subject: 51 destination.user.email: 52 observer.hostname: 59 
@@ -148,9 +148,9 @@ processors: - community_id: ~ - community_id: - target: palo_alto.network.nat.community_id + target: palo_alto.pan_os.network.nat.community_id fields: - source_ip: palo_alto.source.nat.ip - source_port: palo_alto.source.nat.port - destination_ip: palo_alto.destination.nat.ip - destination_port: palo_alto.destination.nat.port + source_ip: palo_alto.pan_os.source.nat.ip + source_port: palo_alto.pan_os.source.nat.port + destination_ip: palo_alto.pan_os.destination.nat.ip + destination_port: palo_alto.pan_os.destination.nat.port diff --git a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml index 7ffa96225800..f4a87b6d04d9 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml @@ -55,15 +55,15 @@ processors: - convert: { type: long, ignore_missing: true, field: network.packets } - convert: { type: long, ignore_missing: true, field: event.duration } - convert: { type: long, ignore_missing: true, field: _temp_.labels } - - convert: { type: long, ignore_missing: true, field: palo_alto.sequence_number } - - convert: { type: long, ignore_missing: true, field: palo_alto.source.nat.port } - - convert: { type: long, ignore_missing: true, field: palo_alto.destination.nat.port } + - convert: { type: long, ignore_missing: true, field: palo_alto.pan_os.sequence_number } + - convert: { type: long, ignore_missing: true, field: palo_alto.pan_os.source.nat.port } + - convert: { type: long, ignore_missing: true, field: palo_alto.pan_os.destination.nat.port } # Remove PCAP ID when zero (no packet capture). - remove: - if: 'ctx?.palo_alto?.network?.pcap_id == "0"' + if: 'ctx?.palo_alto?.pan_os?.network?.pcap_id == "0"' field: - - palo_alto.network.pcap_id + - palo_alto.pan_os.network.pcap_id # Extract 'flags' bitfield into labels. - script: 
@@ -113,23 +113,23 @@ processors: - set: field: network.direction value: inbound - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "untrust" && ctx?.palo_alto?.destination?.zone == "trust"' + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "untrust" && ctx?.palo_alto?.pan_os?.destination?.zone == "trust"' - set: field: network.direction value: outbound - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "trust" && ctx?.palo_alto?.destination?.zone == "untrust"' + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "trust" && ctx?.palo_alto?.pan_os?.destination?.zone == "untrust"' - set: field: network.direction value: internal - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "trust" && ctx?.palo_alto?.destination?.zone == "trust"' + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "trust" && ctx?.palo_alto?.pan_os?.destination?.zone == "trust"' - set: field: network.direction value: external - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.source?.zone == "untrust" && ctx?.palo_alto?.destination?.zone == "untrust"' + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "untrust" && ctx?.palo_alto?.pan_os?.destination?.zone == "untrust"' - set: field: network.direction value: unknown - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.palo_alto?.source?.zone != "trust" && ctx?.palo_alto?.source?.zone != "untrust") || (ctx?.palo_alto?.destination?.zone != "trust" && ctx?.palo_alto?.destination?.zone != "untrust"))' + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.palo_alto?.pan_os?.source?.zone != "trust" && ctx?.palo_alto?.pan_os?.source?.zone != "untrust") || (ctx?.palo_alto?.pan_os?.destination?.zone != "trust" && ctx?.palo_alto?.pan_os?.destination?.zone != "untrust"))' # Set network.direction from 
threat direction (Threat logs). - set: @@ -278,15 +278,15 @@ processors: value: - '{{destination.ip}}' - append: - if: 'ctx?.palo_alto?.source?.nat?.ip != null' + if: 'ctx?.palo_alto?.pan_os?.source?.nat?.ip != null' field: related.ip value: - - '{{palo_alto.source.nat.ip}}' + - '{{palo_alto.pan_os.source.nat.ip}}' - append: - if: 'ctx?.palo_alto?.destination?.nat?.ip != null' + if: 'ctx?.palo_alto?.pan_os?.destination?.nat?.ip != null' field: related.ip value: - - '{{palo_alto.destination.nat.ip}}' + - '{{palo_alto.pan_os.destination.nat.ip}}' # Geolocation for source. - geoip: diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json index fa663da2eba8..d5ab87113dea 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json 
@@ -38,18 +38,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25149", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25149", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json index 7b15d0ba5b81..f95bcc19c5aa 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json 
@@ -32,19 +32,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25149", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lorexx.cn/loader.exe", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25149", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lorexx.cn/loader.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -96,19 +96,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26067", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lsiu.info/evo/count.php?o=2", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26067", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/count.php?o=2", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -160,19 +160,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26522", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lsiu.info/evo/count.php?o=5", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26522", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/count.php?o=5", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -224,19 +224,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25112", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lsiu.info/evo/count.php?o=7", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25112", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/count.php?o=7", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -288,19 +288,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25179", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25179", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -352,19 +352,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25848", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25848", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -416,19 +416,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24910", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "liteautobestguide.cn/load.php", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24910", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "liteautobestguide.cn/load.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -480,19 +480,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26862", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "liteautobestguide.cn/index.php", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26862", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "liteautobestguide.cn/index.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -544,19 +544,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "22860", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "litetopdetect.cn/index.php", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22860", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "litetopdetect.cn/index.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -608,19 +608,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26360", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26360", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -672,19 +672,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25543", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "girlteenxxxfreemov.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25543", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "girlteenxxxfreemov.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -736,19 +736,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25437", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "imagesrepository.com/resolution.php", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25437", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "imagesrepository.com/resolution.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -800,19 +800,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26338", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "hottestfiles.com/search/search.php?q=xxx", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "search-engines", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26338", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "hottestfiles.com/search/search.php?q=xxx", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "search-engines", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -863,19 +863,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25713", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "infodist1.com/in.cgi?11¶meter=404", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25713", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "infodist1.com/in.cgi?11¶meter=404", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -927,19 +927,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25451", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "cls-softwares.com/suc.php", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25451", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "cls-softwares.com/suc.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -991,19 +991,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26414", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "cls-softwares.com/softwarefortubeview.40013.exe", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26414", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "cls-softwares.com/softwarefortubeview.40013.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1051,19 +1051,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26927", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "findmorepill.com/klik/search.php?q=xxx", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "online-gambling", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26927", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "findmorepill.com/klik/search.php?q=xxx", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "online-gambling", "related.ip": [ "192.168.0.2", "78.159.99.224", 
@@ -1115,19 +1115,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26127", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "allowedwebsurfing.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26127", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "allowedwebsurfing.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1179,19 +1179,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25306", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "antivirus-remote.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25306", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "antivirus-remote.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1243,19 +1243,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24561", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "bklinkov.ru/hi/start.cfg", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24561", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bklinkov.ru/hi/start.cfg", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1307,19 +1307,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "15099", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "blogsexnakedgirlxxx.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "15099", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "blogsexnakedgirlxxx.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1371,19 +1371,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24955", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "bklinkov.ru/hi/start.exe", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24955", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bklinkov.ru/hi/start.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1435,19 +1435,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25398", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25398", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1499,19 +1499,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25945", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25945", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1563,19 +1563,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "27111", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27111", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1627,19 +1627,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25871", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25871", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1691,19 +1691,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26251", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26251", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1755,19 +1755,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24816", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24816", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1819,19 +1819,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25062", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25062", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1883,19 +1883,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26266", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26266", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1947,19 +1947,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23898", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23898", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2011,19 +2011,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25259", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25259", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2075,19 +2075,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26466", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "-/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26466", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2135,19 +2135,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "4086", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "wantfinest.com/tds/in.cgi?default", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "unknown", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "4086", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "wantfinest.com/tds/in.cgi?default", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "unknown", "related.ip": [ "192.168.0.2", "69.43.161.167", 
@@ -2195,19 +2195,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26534", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "sameshitasiteverwas.com/traf/tds/in.cgi?2", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26534", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "sameshitasiteverwas.com/traf/tds/in.cgi?2", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "202.31.187.154", 
@@ -2258,19 +2258,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26965", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "svarkon.ru/update.exe", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26965", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "svarkon.ru/update.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "89.111.176.67", 
@@ -2321,19 +2321,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26076", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "onlinescanxpp.com/land/eurl/1.php?code=", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26076", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "onlinescanxpp.com/land/eurl/1.php?code=", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2381,19 +2381,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26198", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26198", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "208.73.210.29", 
@@ -2441,19 +2441,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26056", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "nolagtime.com/gwc.txt", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26056", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "nolagtime.com/gwc.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "208.73.210.29", 
@@ -2504,19 +2504,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25465", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "karavan.us/bon/index.php", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "unknown", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25465", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "karavan.us/bon/index.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "unknown", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2564,19 +2564,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24316", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "findnolimits.com/go.php?sid=1", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "dead-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24316", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "findnolimits.com/go.php?sid=1", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "dead-sites", "related.ip": [ "192.168.0.2", "208.73.210.29", 
@@ -2624,19 +2624,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "17258", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "bizoplata.ru/moun.html", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "parked-domains", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "17258", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bizoplata.ru/moun.html", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "parked-domains", "related.ip": [ "192.168.0.2", "89.108.64.156", 
@@ -2684,19 +2684,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24735", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "bizoplata.ru/palast.html", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "parked-domains", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24735", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bizoplata.ru/palast.html", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "parked-domains", "related.ip": [ "192.168.0.2", "89.108.64.156", 
@@ -2741,19 +2741,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "23497", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "controller.php", - "palo_alto.threat_id": "Bredolab.Gen Command and Control Traffic(13024)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "23497", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "controller.php", + "palo_alto.pan_os.threat_id": "Bredolab.Gen Command and Control Traffic(13024)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "204.232.231.46", "192.168.0.2", 
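Review bot: `network.direction` is `outbound` in this hunk while `palo_alto.pan_os.source.zone` is `untrust` and `destination.zone` is `trust`; the surrounding hunks pair `inbound` with `trust` -> `untrust`. Read against the zones that looks inverted, since a session leaving the trust zone for the untrust zone would normally be outbound. If the value comes from the PAN-OS threat-log direction column (client-to-server / server-to-client) rather than from the zones, it is not the same thing as ECS `network.direction`, and an analyst filtering on `network.direction: inbound` to find inbound threats will get the opposite set. Please confirm which source the mapping uses and note it in a pipeline comment and the docs.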
@@ -2810,19 +2810,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23711", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "www.15min.it/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23711", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "www.15min.it/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "216.8.179.25", 
@@ -2870,19 +2870,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23659", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "tubemov.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "adult-and-pornography", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23659", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "tubemov.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "adult-and-pornography", "related.ip": [ "192.168.0.2", "69.43.161.154", 
@@ -2930,19 +2930,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23782", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23782", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "208.91.196.252", 
@@ -2990,19 +2990,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23239", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "movfree.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "spyware-and-adware", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23239", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "movfree.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "spyware-and-adware", "related.ip": [ "192.168.0.2", "208.73.210.29", 
@@ -3053,19 +3053,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "22479", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "gometascan.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22479", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "gometascan.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3116,19 +3116,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21458", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21458", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3179,19 +3179,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21577", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21577", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3242,19 +3242,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "1606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21487", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "basdzsdas.com/poker/config.bin", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21487", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
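Review bot: `observer.serial_number` is `1606001116` in this hunk and the next three, but `01606001116` in every other hunk here, although the rest of the event is otherwise identical. The serial is a string field, so a leading zero should survive; if the raw test log already carries it that way this is fine, but if the pipeline passes the value through a numeric convert or a `%{NUMBER}` grok capture that strips it, correlating events from the same firewall by serial will silently split into two devices. Worth checking the source lines for these four events.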
@@ -3305,19 +3305,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "1606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21487", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "basdzsdas.com/poker/config.bin", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21487", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3362,19 +3362,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "1606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "64856", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "uLLGRaXP.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "64856", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "uLLGRaXP.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "173.236.179.57", "192.168.0.2", 
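Review bot: `palo_alto.pan_os.threat_id` fuses the threat name and the numeric ID into one string, `Windows Executable (EXE)(52020)` here, `(9999)` with an empty name on the URL-filtering events, and the name itself may contain parentheses. As a single keyword it cannot be aggregated by ID or searched by name. Suggest splitting it in the pipeline with a pattern anchored on the trailing `(digits)`, e.g. `^(?<name>.*)\((?<id>\d+)\)$`, into a `threat.name` and a numeric `threat.id` under the same prefix, and treating an empty name as absent rather than storing `""`.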
@@ -3431,19 +3431,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "1606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21487", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "basdzsdas.com/poker/config.bin", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21487", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3488,19 +3488,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "37983", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "FunkyEmoticons_setup.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "37983", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "FunkyEmoticons_setup.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "91.209.163.202", "192.168.0.2", 
@@ -3545,19 +3545,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "41989", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "52hxw.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "41989", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "52hxw.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "122.226.169.183", "192.168.0.2", 
@@ -3613,19 +3613,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "49238", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "softsellfast.com/test/config.bin", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "49238", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "softsellfast.com/test/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3670,19 +3670,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "21592", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "setup.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "21592", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "setup.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "109.201.131.15", "192.168.0.2", 
@@ -3730,19 +3730,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "33760", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "Live-Player_setup.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "33760", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "Live-Player_setup.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "91.209.163.202", "192.168.0.2", 
@@ -3790,19 +3790,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28723", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "boialex.narod.ru/config.txt", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28723", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "boialex.narod.ru/config.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "213.180.199.61", 
@@ -3850,19 +3850,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28932", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "edw-melon.narod.ru/config.txt", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28932", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "edw-melon.narod.ru/config.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "213.180.199.61", 
@@ -3910,19 +3910,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28953", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "maximtushin.narod.ru/config.txt", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28953", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "maximtushin.narod.ru/config.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "213.180.199.61", 
@@ -3967,19 +3967,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "64856", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "uLLGRaXP.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "64856", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "uLLGRaXP.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "173.236.179.57", "192.168.0.2", 
@@ -4036,19 +4036,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "55402", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "marketingsoluchion.biz/fkn/config.bin", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "unknown", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "55402", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "marketingsoluchion.biz/fkn/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "unknown", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -4099,19 +4099,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25217", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "default.aspx", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25217", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "default.aspx", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.6", "207.46.140.46", 
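Review bot: `palo_alto.pan_os.url.category` is `any` on this data-filtering event (`PII(60000)`) and on the file-blocking events in the hunks above, which appears to be the firewall's placeholder for "no URL category applies" rather than a real category. Keeping it means a terms aggregation on `url.category` gets a large `any` bucket that is pure noise for the URL-filtering use case; consider dropping the field when the value is `any`, or documenting that `any` means not applicable.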
@@ -4156,19 +4156,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "25653", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "sck.aspx", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25653", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "sck.aspx", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "65.54.161.34", "192.168.0.6", 
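Review bot: the NAT fields carry sentinel values rather than being absent: palo_alto.pan_os.source.nat.ip and palo_alto.pan_os.destination.nat.ip are "0.0.0.0" and both nat.port fields are 0 in every record in this file. That is what PAN-OS writes for a session without NAT, but indexing "0.0.0.0" in an ip-typed field means every query for events touching a given NAT address has to special-case it, and an exists-check on the NAT fields becomes useless. Either drop the four NAT fields in the ingest pipeline when the source value is 0.0.0.0 / 0, or document the sentinel in the field descriptions.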
@@ -4219,19 +4219,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "25717", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "ADSAdClient31.dll", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25717", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "ADSAdClient31.dll", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "65.55.5.231", "192.168.0.6", 
@@ -4288,19 +4288,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25290", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "c.gif", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25290", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "c.gif", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.6", "65.54.71.11", 
@@ -4345,19 +4345,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "25932", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "csi", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25932", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "csi", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.239.17", "192.168.0.6", 
@@ -4408,19 +4408,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28264", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "internal-tuner.pandora.com", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28264", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "internal-tuner.pandora.com", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "208.85.40.48", 
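Review bot: palo_alto.pan_os.threat_file_or_url mixes three kinds of value across this file: a hostname here ("internal-tuner.pandora.com"), a bare file name elsewhere ("about.exe", "c.gif") and a URL path in the first record ("marketingsoluchion.biz/fkn/config.bin"). Keeping the raw value is fine, but the ECS fields url.original and file.name exist for exactly these cases; populating one or the other depending on the threat subtype would let the same detection rules work across this module and other sources. At minimum the field description should say that the content depends on the threat type.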
@@ -4465,19 +4465,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "29312", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "29312", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.198", "192.168.0.2", 
@@ -4525,19 +4525,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "26747", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "about.exe", - "palo_alto.threat_id": "Windows Executable (EXE)(52020)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "26747", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "about.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "188.190.124.75", "192.168.0.6", 
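Review bot: palo_alto.pan_os.threat_id here is "Windows Executable (EXE)(52020)", so the threat name itself can contain parentheses. If the pipeline later separates the name from the trailing numeric id, as the "(9999)" and "PII(60000)" values elsewhere in this file invite, the split must anchor on the final "(digits)" group rather than the first "(", or "Windows Executable (EXE)" will be truncated to "Windows Executable ". This record is worth keeping as a dedicated test case for that.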
@@ -4582,19 +4582,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "19205", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19205", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -4642,19 +4642,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "19360", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19360", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.239.3", "192.168.0.2", 
@@ -4702,19 +4702,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "19696", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19696", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.239.3", "192.168.0.2", 
@@ -4762,19 +4762,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "19679", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19679", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -4825,19 +4825,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "19448", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "__utm.gif", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "19448", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "__utm.gif", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "74.125.239.6", 
@@ -4882,19 +4882,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "20422", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "20422", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.193", "192.168.0.2", 
@@ -4942,19 +4942,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "21267", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "nav_logo107.png", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "21267", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "nav_logo107.png", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.239.20", "192.168.0.2", 
@@ -5002,19 +5002,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "24567", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "Eadweard_Muybridge", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24567", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "Eadweard_Muybridge", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "208.80.154.225", "192.168.0.2", 
@@ -5062,19 +5062,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "24646", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "load.php", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24646", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "load.php", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "208.80.154.234", "192.168.0.2", 
@@ -5122,19 +5122,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "25874", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "8fe44cb728c0f40750c64ee906eb72.css", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25874", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "8fe44cb728c0f40750c64ee906eb72.css", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "65.54.75.25", "192.168.0.6", 
@@ -5185,19 +5185,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "2175", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "2175", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.206", "192.168.0.2", 
@@ -5245,19 +5245,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "3046", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "3046", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.195", "192.168.0.2", 
@@ -5305,19 +5305,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "1560", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "appcast.xml", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "1560", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "appcast.xml", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "207.178.96.34", "192.168.0.2", 
@@ -5368,19 +5368,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "16852", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "16852", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.195", "192.168.0.2", 
@@ -5428,19 +5428,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "15948", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "csi", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "15948", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "csi", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.239.20", "192.168.0.2", 
@@ -5488,19 +5488,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "17028", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "index.php", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "17028", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "index.php", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "66.152.109.24", "192.168.0.2", 
@@ -5548,19 +5548,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "15878", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "15878", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -5611,19 +5611,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "16602", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "__utm.gif", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "16602", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "__utm.gif", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "74.125.224.201", 
@@ -5668,19 +5668,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "17433", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "17433", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -5728,19 +5728,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "17104", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "17104", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -5791,19 +5791,19 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "63706", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "internal-tuner.pandora.com", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "63706", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "internal-tuner.pandora.com", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "208.85.40.48", 
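Review bot: `palo_alto.pan_os.threat_id` keeps the vendor token `PII(60000)` as a single string, while `palo_alto.pan_os.threat_file_or_url` holds a hostname here (`internal-tuner.pandora.com`) and a bare file name in the neighbouring hunks (`js`, `__utm.gif`, `ga.js`). Consider splitting the threat token into a name and a numeric id at ingest so the id can be keyed on, and, where the threat type makes it unambiguous, copying the file-or-URL value into the matching ECS field (`file.name`, or `url.domain` / `url.original`) instead of leaving consumers to infer the kind of value from the combined field name.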
@@ -5848,19 +5848,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "65257", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "65257", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.201", "192.168.0.2", 
@@ -5908,19 +5908,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "537", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "537", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.201", "192.168.0.2", 
@@ -5968,19 +5968,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "914", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "914", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -6028,19 +6028,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "1475", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "1475", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", 
@@ -6088,19 +6088,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "883", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "ga.js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "883", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "ga.js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.198", "192.168.0.2", 
@@ -6148,19 +6148,19 @@ "network.direction": "outbound", "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "1965", - "palo_alto.ruleset": "rule1", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "untrust", - "palo_alto.threat_file_or_url": "js", - "palo_alto.threat_id": "PII(60000)", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "1965", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "74.125.224.200", "192.168.0.2", diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json index 4c9fe0725295..bc3ec74e09c1 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json 
@@ -38,18 +38,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "11449", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "11449", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
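Review bot: `palo_alto.pan_os.sequence_number` is `0` in this hunk and in every other traffic event in the file, so the numeric conversion behind it is never exercised on a real value; one fixture line with a non-zero sequence number would make the expectation meaningful. Note also the type split, `flow_id` kept as a string (`"11449"`) while `sequence_number` is a number; if that is intentional, a one-line note in the field definitions avoids the question coming up again. Since this hunk only renames keys, also confirm the corresponding `fields.yml` entries moved to the `palo_alto.pan_os.*` prefix, otherwise the renamed fields land with dynamic mappings.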
@@ -106,18 +106,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25572", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25572", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -174,18 +174,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26208", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26208", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -245,18 +245,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "14931", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "14931", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -316,18 +316,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25544", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25544", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -384,18 +384,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25308", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25308", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -452,18 +452,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26376", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26376", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -523,18 +523,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25118", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25118", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -594,18 +594,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26146", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26146", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -665,18 +665,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25272", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25272", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -736,18 +736,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24069", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24069", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -807,18 +807,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25848", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25848", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -878,18 +878,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25179", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25179", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -949,18 +949,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25112", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25112", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1020,18 +1020,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26161", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26161", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1091,18 +1091,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26000", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26000", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1162,18 +1162,18 @@ "network.packets": 21, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "65184", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "65184", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1233,18 +1233,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26522", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26522", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1304,18 +1304,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26067", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26067", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1372,18 +1372,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26573", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26573", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -1440,18 +1440,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26894", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26894", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -1511,18 +1511,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25149", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25149", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1579,18 +1579,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25258", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25258", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -1650,18 +1650,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25025", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25025", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1721,18 +1721,18 @@ "network.packets": 10, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26138", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "private-ip-addresses", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26138", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1792,18 +1792,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "27175", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27175", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -1860,18 +1860,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26261", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26261", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -1928,18 +1928,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25022", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25022", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -1996,18 +1996,18 @@ "network.packets": 16, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24027", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24027", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "98.149.55.63", 
@@ -2067,18 +2067,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26360", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26360", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2135,18 +2135,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26394", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26394", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -2206,18 +2206,18 @@ "network.packets": 20, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24917", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "search-engines", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24917", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", "related.ip": [ "192.168.0.2", "212.48.10.58", 
@@ -2277,18 +2277,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "22860", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22860", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2345,18 +2345,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "14146", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "14146", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -2413,18 +2413,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25876", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25876", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -2484,18 +2484,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24910", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24910", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2555,18 +2555,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26862", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26862", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -2623,18 +2623,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26222", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26222", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -2691,18 +2691,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26329", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26329", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -2757,18 +2757,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25142", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25142", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.100", "8.8.8.8", 
@@ -2827,18 +2827,18 @@ "network.packets": 13, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25095", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "entertainment-and-arts", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25095", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "entertainment-and-arts", "related.ip": [ "192.168.0.2", "62.211.68.12", 
@@ -2896,18 +2896,18 @@ "network.packets": 17, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24787", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-security", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24787", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-security", "related.ip": [ "192.168.0.100", "50.19.102.116", 
@@ -2966,18 +2966,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25948", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25948", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "65.55.223.19", 
@@ -3037,18 +3037,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25444", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25444", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "65.55.223.24", 
@@ -3103,18 +3103,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25349", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25349", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.100", "8.8.8.8", 
@@ -3173,18 +3173,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25713", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25713", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3241,18 +3241,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26499", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26499", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -3312,18 +3312,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25437", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25437", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3380,18 +3380,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24848", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24848", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -3448,18 +3448,18 @@ "network.packets": 4, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24924", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24924", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -3516,18 +3516,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25899", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25899", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -3584,18 +3584,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26066", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26066", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -3655,18 +3655,18 @@ "network.packets": 13, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24908", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24908", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.0.2", "62.211.68.12", 
@@ -3726,18 +3726,18 @@ "network.packets": 22, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25105", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "search-engines", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25105", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", "related.ip": [ "192.168.0.2", "212.48.10.58", 
@@ -3797,18 +3797,18 @@ "network.packets": 21, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "11964", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "malware-sites", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "11964", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "malware-sites", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -3865,18 +3865,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26502", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26502", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -3936,18 +3936,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26338", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26338", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -4004,18 +4004,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24919", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24919", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4072,18 +4072,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26731", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26731", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4143,18 +4143,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26504", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26504", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "65.55.223.31", 
@@ -4214,18 +4214,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25543", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25543", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -4282,18 +4282,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21948", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21948", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4350,18 +4350,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26279", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26279", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4421,18 +4421,18 @@ "network.packets": 13, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24894", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "entertainment-and-arts", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24894", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "entertainment-and-arts", "related.ip": [ "192.168.0.2", "62.211.68.12", 
@@ -4489,18 +4489,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24985", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24985", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4557,18 +4557,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25380", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25380", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4625,18 +4625,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24994", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24994", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4696,18 +4696,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25451", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25451", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -4767,18 +4767,18 @@ "network.packets": 13, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24866", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24866", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.0.2", "62.211.68.12", 
@@ -4838,18 +4838,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26414", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26414", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -4906,18 +4906,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26131", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26131", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -4974,18 +4974,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26555", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26555", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -5045,18 +5045,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "15099", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "15099", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -5113,18 +5113,18 @@ "network.packets": 39, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24980", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "not-resolved", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24980", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "not-resolved", "related.ip": [ "192.168.0.2", "8.5.1.1", 
@@ -5181,18 +5181,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26215", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26215", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -5249,18 +5249,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25881", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25881", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -5320,18 +5320,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24955", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24955", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -5384,18 +5384,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24961", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24961", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "192.168.0.1", 
@@ -5455,18 +5455,18 @@ "network.packets": 21, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24226", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "search-engines", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24226", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", "related.ip": [ "192.168.0.2", "212.48.10.58", 
@@ -5526,18 +5526,18 @@ "network.packets": 22, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25129", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "search-engines", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25129", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", "related.ip": [ "192.168.0.2", "212.48.10.58", 
@@ -5590,18 +5590,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25194", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25194", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "192.168.0.1", 
@@ -5654,18 +5654,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26257", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26257", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "192.168.0.1", 
@@ -5725,18 +5725,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24561", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24561", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -5793,18 +5793,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26150", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26150", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -5861,18 +5861,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25676", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25676", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -5932,18 +5932,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25306", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25306", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6000,18 +6000,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26411", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26411", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -6064,18 +6064,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24844", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24844", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "192.168.0.1", 
@@ -6132,18 +6132,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26335", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26335", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -6203,18 +6203,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26127", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26127", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6271,18 +6271,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25488", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25488", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -6339,18 +6339,18 @@ "network.packets": 1, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25269", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25269", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "205.171.2.25", 
@@ -6410,18 +6410,18 @@ "network.packets": 13, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25715", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "entertainment-and-arts", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25715", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "entertainment-and-arts", "related.ip": [ "192.168.0.2", "62.211.68.12", 
@@ -6481,18 +6481,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "26251", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26251", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6552,18 +6552,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25871", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25871", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6623,18 +6623,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25945", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25945", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6687,18 +6687,18 @@ "network.packets": 2, "network.transport": "udp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25310", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25310", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "192.168.0.1", 
@@ -6758,18 +6758,18 @@ "network.packets": 4, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "27111", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27111", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6829,18 +6829,18 @@ "network.packets": 4, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25398", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25398", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", 
@@ -6900,18 +6900,18 @@ "network.packets": 1, "network.transport": "tcp", "observer.serial_number": "01606001116", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "0.0.0.0", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23898", - "palo_alto.ruleset": "rule1", - "palo_alto.sequence_number": 0, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "0.0.0.0", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23898", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.0.2", "204.232.231.46", diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json index 2f3495524c39..5e68214fb0a4 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json 
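Review bot: from here the diff moves on to `x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json`, so the fileset now lives under `pan_os/` and every key has moved from `palo_alto.*` to `palo_alto.pan_os.*`. These `*-expected.json` files are generated output: they prove the pipeline emits the new names, not that the names are mapped. Please confirm the fileset's `fields.yml` (and the regenerated `fields.go`) were renamed in the same commit, otherwise the `palo_alto.pan_os.*` keys will be dynamically mapped at index time and values such as `nat.port`, `sequence_number` and the `*.nat.ip` strings will not get explicit `long`/`ip` types.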
@@ -29,20 +29,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28191", - "palo_alto.network.nat.community_id": "1:qjpdroY6VaRSEUbSXzSWtUX00kc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 37679, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28191", + "palo_alto.pan_os.network.nat.community_id": "1:qjpdroY6VaRSEUbSXzSWtUX00kc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37679, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
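Review bot: `"palo_alto.pan_os.threat_id": "(9999)"` keeps the parentheses from the PAN-OS threat/content-name column, so any query for ID 9999 has to match the literal `(9999)`. Since the key is being renamed anyway, this is the moment to fix the extraction in the pipeline: strip the surrounding parentheses and store the ID as a number (or at least as `"9999"`), and keep any name that precedes the parentheses in its own field. Separately, the traffic events above carry `palo_alto.pan_os.sequence_number` while none of the threat events in this file do; if the threat log format does not expose a sequence number a short note in the pipeline or docs would settle that, and if it does, the threat pattern is dropping it.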
@@ -90,20 +90,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28219", - "palo_alto.network.nat.community_id": "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 28249, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28219", + "palo_alto.pan_os.network.nat.community_id": "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 28249, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -151,20 +151,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "27723", - "palo_alto.network.nat.community_id": "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 63898, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27723", + "palo_alto.pan_os.network.nat.community_id": "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 63898, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -212,20 +212,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28172", - "palo_alto.network.nat.community_id": "1:RU/nMZByVkBbsckJ18XtpXhQlPg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 7515, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28172", + "palo_alto.pan_os.network.nat.community_id": "1:RU/nMZByVkBbsckJ18XtpXhQlPg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 7515, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -273,20 +273,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28151", - "palo_alto.network.nat.community_id": "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 3225, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28151", + "palo_alto.pan_os.network.nat.community_id": "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3225, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -334,20 +334,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28076", - "palo_alto.network.nat.community_id": "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 60449, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28076", + "palo_alto.pan_os.network.nat.community_id": "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60449, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -395,20 +395,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28173", - "palo_alto.network.nat.community_id": "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 60559, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28173", + "palo_alto.pan_os.network.nat.community_id": "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60559, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -456,20 +456,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28186", - "palo_alto.network.nat.community_id": "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 47414, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28186", + "palo_alto.pan_os.network.nat.community_id": "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 47414, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -517,20 +517,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28192", - "palo_alto.network.nat.community_id": "1:BilmVEwf9nQIXodvin3X6lZuVAc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 37673, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28192", + "palo_alto.pan_os.network.nat.community_id": "1:BilmVEwf9nQIXodvin3X6lZuVAc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37673, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -578,20 +578,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "27011", - "palo_alto.network.nat.community_id": "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 8232, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27011", + "palo_alto.pan_os.network.nat.community_id": "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 8232, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -639,20 +639,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28240", - "palo_alto.network.nat.community_id": "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 32982, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28240", + "palo_alto.pan_os.network.nat.community_id": "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 32982, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -700,20 +700,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28143", - "palo_alto.network.nat.community_id": "1:nmxmtIja0z/MV5rgbBnScsKtW0U=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 10473, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28143", + "palo_alto.pan_os.network.nat.community_id": "1:nmxmtIja0z/MV5rgbBnScsKtW0U=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10473, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -761,20 +761,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28272", - "palo_alto.network.nat.community_id": "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 20446, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28272", + "palo_alto.pan_os.network.nat.community_id": "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20446, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -822,20 +822,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28146", - "palo_alto.network.nat.community_id": "1:DqCF4BufQU/spPG8UYok6IrChWo=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 34699, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28146", + "palo_alto.pan_os.network.nat.community_id": "1:DqCF4BufQU/spPG8UYok6IrChWo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 34699, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -883,20 +883,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28278", - "palo_alto.network.nat.community_id": "1:lJHLfl+/x95GohXozN52zokIxvA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 22820, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28278", + "palo_alto.pan_os.network.nat.community_id": "1:lJHLfl+/x95GohXozN52zokIxvA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22820, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -944,20 +944,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28185", - "palo_alto.network.nat.community_id": "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 41060, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28185", + "palo_alto.pan_os.network.nat.community_id": "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 41060, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1005,20 +1005,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28201", - "palo_alto.network.nat.community_id": "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 9058, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28201", + "palo_alto.pan_os.network.nat.community_id": "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 9058, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1066,20 +1066,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28148", - "palo_alto.network.nat.community_id": "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 54846, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28148", + "palo_alto.pan_os.network.nat.community_id": "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 54846, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1127,20 +1127,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28121", - "palo_alto.network.nat.community_id": "1:9noBCzeHKSZpuQWETkS7W5mOTT0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 52731, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28121", + "palo_alto.pan_os.network.nat.community_id": "1:9noBCzeHKSZpuQWETkS7W5mOTT0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 52731, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1188,20 +1188,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28228", - "palo_alto.network.nat.community_id": "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 15165, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28228", + "palo_alto.pan_os.network.nat.community_id": "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 15165, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1249,20 +1249,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.137.131", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28196", - "palo_alto.network.nat.community_id": "1:pzcUv98hFdzW07/5bQ15jcEOAAM=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 53918, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "b.scorecardresearch.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.137.131", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28196", + "palo_alto.pan_os.network.nat.community_id": "1:pzcUv98hFdzW07/5bQ15jcEOAAM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53918, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "b.scorecardresearch.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.137.131", 
@@ -1310,20 +1310,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28007", - "palo_alto.network.nat.community_id": "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 40792, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28007", + "palo_alto.pan_os.network.nat.community_id": "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 40792, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1371,20 +1371,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28117", - "palo_alto.network.nat.community_id": "1:WmnET8BZufXJpdVk04PIVGj+Kgk=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 54044, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28117", + "palo_alto.pan_os.network.nat.community_id": "1:WmnET8BZufXJpdVk04PIVGj+Kgk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 54044, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1432,20 +1432,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28109", - "palo_alto.network.nat.community_id": "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 19544, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28109", + "palo_alto.pan_os.network.nat.community_id": "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19544, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1493,20 +1493,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28260", - "palo_alto.network.nat.community_id": "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 13462, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28260", + "palo_alto.pan_os.network.nat.community_id": "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13462, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1554,20 +1554,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28275", - "palo_alto.network.nat.community_id": "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 44892, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28275", + "palo_alto.pan_os.network.nat.community_id": "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44892, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1615,20 +1615,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28266", - "palo_alto.network.nat.community_id": "1:00oN9bToRGtVdpy+GQ742sbkpfI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 16487, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28266", + "palo_alto.pan_os.network.nat.community_id": "1:00oN9bToRGtVdpy+GQ742sbkpfI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16487, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1676,20 +1676,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28294", - "palo_alto.network.nat.community_id": "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 23952, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28294", + "palo_alto.pan_os.network.nat.community_id": "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 23952, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1737,20 +1737,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28248", - "palo_alto.network.nat.community_id": "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 2810, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28248", + "palo_alto.pan_os.network.nat.community_id": "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2810, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1798,20 +1798,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28274", - "palo_alto.network.nat.community_id": "1:b3MpSidntZseAvCtO89765ETlyI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 13272, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28274", + "palo_alto.pan_os.network.nat.community_id": "1:b3MpSidntZseAvCtO89765ETlyI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13272, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1859,20 +1859,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28285", - "palo_alto.network.nat.community_id": "1:wug3mTERsDOMF1R52vDi6SpWbMc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 8663, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28285", + "palo_alto.pan_os.network.nat.community_id": "1:wug3mTERsDOMF1R52vDi6SpWbMc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 8663, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1920,20 +1920,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28306", - "palo_alto.network.nat.community_id": "1:ktdKYACJa2q76tdS55sj5QaeMBs=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 55738, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28306", + "palo_alto.pan_os.network.nat.community_id": "1:ktdKYACJa2q76tdS55sj5QaeMBs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 55738, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1981,20 +1981,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28116", - "palo_alto.network.nat.community_id": "1:sWvGFBOOisURcvYe5nB5HUSa6B8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 10650, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28116", + "palo_alto.pan_os.network.nat.community_id": "1:sWvGFBOOisURcvYe5nB5HUSa6B8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10650, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -2042,20 +2042,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28214", - "palo_alto.network.nat.community_id": "1:LHZawFx+zgZPTd01rJqX/31kNmE=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 44087, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28214", + "palo_alto.pan_os.network.nat.community_id": "1:LHZawFx+zgZPTd01rJqX/31kNmE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44087, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -2103,20 +2103,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "152.195.55.192", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28080", - "palo_alto.network.nat.community_id": "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 15915, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "consent.cmp.oath.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28080", + "palo_alto.pan_os.network.nat.community_id": "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 15915, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -2164,20 +2164,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "151.101.2.2", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28318", - "palo_alto.network.nat.community_id": "1:XdO4yHx+1HZM4GcutRTyur9ixdM=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 41165, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "cdn.taboola.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "151.101.2.2", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28318", + "palo_alto.pan_os.network.nat.community_id": "1:XdO4yHx+1HZM4GcutRTyur9ixdM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 41165, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "cdn.taboola.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "151.101.2.2", 
@@ -2228,20 +2228,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.192.7.152", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28300", - "palo_alto.network.nat.community_id": "1:kCzU3MoZUMh7VlhTewngoP1twbw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 54133, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "rules.quantcount.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.192.7.152", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28300", + "palo_alto.pan_os.network.nat.community_id": "1:kCzU3MoZUMh7VlhTewngoP1twbw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 54133, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "rules.quantcount.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.192.7.152", 
@@ -2292,20 +2292,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28339", - "palo_alto.network.nat.community_id": "1:fj3W3hxHPqT4snZlcRibDiqLNvs=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 8485, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28339", + "palo_alto.pan_os.network.nat.community_id": "1:fj3W3hxHPqT4snZlcRibDiqLNvs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 8485, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2356,20 +2356,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28299", - "palo_alto.network.nat.community_id": "1:HLMiinoD9jzLzaYU394wqKksBUE=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 12496, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28299", + "palo_alto.pan_os.network.nat.community_id": "1:HLMiinoD9jzLzaYU394wqKksBUE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12496, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2420,20 +2420,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28303", - "palo_alto.network.nat.community_id": "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 17029, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28303", + "palo_alto.pan_os.network.nat.community_id": "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 17029, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2484,20 +2484,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28390", - "palo_alto.network.nat.community_id": "1:l6AkSmB92aDAHpLhiSCR28J+ANI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 23696, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28390", + "palo_alto.pan_os.network.nat.community_id": "1:l6AkSmB92aDAHpLhiSCR28J+ANI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 23696, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2548,20 +2548,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28433", - "palo_alto.network.nat.community_id": "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 34769, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28433", + "palo_alto.pan_os.network.nat.community_id": "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 34769, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2612,20 +2612,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28380", - "palo_alto.network.nat.community_id": "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 22486, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28380", + "palo_alto.pan_os.network.nat.community_id": "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22486, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2676,20 +2676,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28363", - "palo_alto.network.nat.community_id": "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 12894, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28363", + "palo_alto.pan_os.network.nat.community_id": "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12894, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2740,20 +2740,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28349", - "palo_alto.network.nat.community_id": "1:/GTSxrH684FoBXpyEBepCy2M81Q=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 62348, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28349", + "palo_alto.pan_os.network.nat.community_id": "1:/GTSxrH684FoBXpyEBepCy2M81Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 62348, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2804,20 +2804,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28411", - "palo_alto.network.nat.community_id": "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 6224, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28411", + "palo_alto.pan_os.network.nat.community_id": "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 6224, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2868,20 +2868,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28397", - "palo_alto.network.nat.community_id": "1:7H4lb05cbTOpCa4pIgruj3M2WrY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 44120, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28397", + "palo_alto.pan_os.network.nat.community_id": "1:7H4lb05cbTOpCa4pIgruj3M2WrY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44120, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2932,20 +2932,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28347", - "palo_alto.network.nat.community_id": "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 44228, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28347", + "palo_alto.pan_os.network.nat.community_id": "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44228, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -2996,20 +2996,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.4.120.175", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28443", - "palo_alto.network.nat.community_id": "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 31322, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28443", + "palo_alto.pan_os.network.nat.community_id": "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 31322, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -3060,20 +3060,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "216.58.194.98", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28439", - "palo_alto.network.nat.community_id": "1:WQC21tSR1QNUhWYgrcbgaLyTkos=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 1672, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "www.googleadservices.com/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "216.58.194.98", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28439", + "palo_alto.pan_os.network.nat.community_id": "1:WQC21tSR1QNUhWYgrcbgaLyTkos=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 1672, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "www.googleadservices.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "216.58.194.98", 
@@ -3121,20 +3121,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "25958", - "palo_alto.network.nat.community_id": "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 20801, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25958", + "palo_alto.pan_os.network.nat.community_id": "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20801, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3182,20 +3182,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28429", - "palo_alto.network.nat.community_id": "1:al192CljLcXBQ5a9fXhiLM+uAKg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 24533, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28429", + "palo_alto.pan_os.network.nat.community_id": "1:al192CljLcXBQ5a9fXhiLM+uAKg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 24533, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3243,20 +3243,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28465", - "palo_alto.network.nat.community_id": "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 30150, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28465", + "palo_alto.pan_os.network.nat.community_id": "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 30150, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3304,20 +3304,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28504", - "palo_alto.network.nat.community_id": "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 36305, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28504", + "palo_alto.pan_os.network.nat.community_id": "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 36305, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3365,20 +3365,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28458", - "palo_alto.network.nat.community_id": "1:93oplAL+YibXq75Qng9iomHp97k=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 42682, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28458", + "palo_alto.pan_os.network.nat.community_id": "1:93oplAL+YibXq75Qng9iomHp97k=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42682, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3426,20 +3426,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28491", - "palo_alto.network.nat.community_id": "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 22530, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28491", + "palo_alto.pan_os.network.nat.community_id": "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22530, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3487,20 +3487,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28520", - "palo_alto.network.nat.community_id": "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 43713, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28520", + "palo_alto.pan_os.network.nat.community_id": "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 43713, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3548,20 +3548,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28335", - "palo_alto.network.nat.community_id": "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 60608, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28335", + "palo_alto.pan_os.network.nat.community_id": "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60608, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3609,20 +3609,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28414", - "palo_alto.network.nat.community_id": "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 9302, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28414", + "palo_alto.pan_os.network.nat.community_id": "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 9302, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3670,20 +3670,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.72.145.245", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28488", - "palo_alto.network.nat.community_id": "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 11634, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "service.maxymiser.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28488", + "palo_alto.pan_os.network.nat.community_id": "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 11634, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -3734,20 +3734,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28469", - "palo_alto.network.nat.community_id": "1:1XJhGS1EujYy5wSCA64wjjK7hwA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 30818, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28469", + "palo_alto.pan_os.network.nat.community_id": "1:1XJhGS1EujYy5wSCA64wjjK7hwA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 30818, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -3798,20 +3798,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28556", - "palo_alto.network.nat.community_id": "1:YHN6cU700Mp7622M1rIzbnPQ+ik=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 64260, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28556", + "palo_alto.pan_os.network.nat.community_id": "1:YHN6cU700Mp7622M1rIzbnPQ+ik=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 64260, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -3862,20 +3862,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28558", - "palo_alto.network.nat.community_id": "1:o5UB5uvp2ThXPXChyc7lgvBMH0s=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 7071, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28558", + "palo_alto.pan_os.network.nat.community_id": "1:o5UB5uvp2ThXPXChyc7lgvBMH0s=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 7071, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -3926,20 +3926,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28531", - "palo_alto.network.nat.community_id": "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 4512, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28531", + "palo_alto.pan_os.network.nat.community_id": "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 4512, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -3990,20 +3990,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28580", - "palo_alto.network.nat.community_id": "1:KhCfFcRk3sovsTfN9pRRfgjsP84=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 3422, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28580", + "palo_alto.pan_os.network.nat.community_id": "1:KhCfFcRk3sovsTfN9pRRfgjsP84=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3422, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4054,20 +4054,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28477", - "palo_alto.network.nat.community_id": "1:hZhkH3fz7n30Q+zsXnQejsna14Q=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 4651, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28477", + "palo_alto.pan_os.network.nat.community_id": "1:hZhkH3fz7n30Q+zsXnQejsna14Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 4651, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4118,20 +4118,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28484", - "palo_alto.network.nat.community_id": "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 19068, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28484", + "palo_alto.pan_os.network.nat.community_id": "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19068, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4182,20 +4182,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28609", - "palo_alto.network.nat.community_id": "1:lXgqW6uer7QCnFv+5qVbgX4vM6E=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 5831, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28609", + "palo_alto.pan_os.network.nat.community_id": "1:lXgqW6uer7QCnFv+5qVbgX4vM6E=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5831, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4246,20 +4246,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28564", - "palo_alto.network.nat.community_id": "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 7084, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28564", + "palo_alto.pan_os.network.nat.community_id": "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 7084, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4310,20 +4310,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28542", - "palo_alto.network.nat.community_id": "1:/wf94ECkqPez+fxVgk+3KErtaBQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 18633, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28542", + "palo_alto.pan_os.network.nat.community_id": "1:/wf94ECkqPez+fxVgk+3KErtaBQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 18633, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4374,20 +4374,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28590", - "palo_alto.network.nat.community_id": "1:lGMn2sEJLK3qbOX02axD1srH/FY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 25557, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28590", + "palo_alto.pan_os.network.nat.community_id": "1:lGMn2sEJLK3qbOX02axD1srH/FY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 25557, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4438,20 +4438,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28455", - "palo_alto.network.nat.community_id": "1:O1zDnt5d52xTreiMgL/sHMRHiXA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 20661, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28455", + "palo_alto.pan_os.network.nat.community_id": "1:O1zDnt5d52xTreiMgL/sHMRHiXA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20661, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4502,20 +4502,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28585", - "palo_alto.network.nat.community_id": "1:CwNRTMQumfdoC3msd4z5PIYkKLU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 65438, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28585", + "palo_alto.pan_os.network.nat.community_id": "1:CwNRTMQumfdoC3msd4z5PIYkKLU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 65438, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4566,20 +4566,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28462", - "palo_alto.network.nat.community_id": "1:0YBp8myYbHSoKWG2HvxutMfose0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 53101, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28462", + "palo_alto.pan_os.network.nat.community_id": "1:0YBp8myYbHSoKWG2HvxutMfose0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53101, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4630,20 +4630,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28839", - "palo_alto.network.nat.community_id": "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 35463, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28839", + "palo_alto.pan_os.network.nat.community_id": "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 35463, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -4694,20 +4694,20 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.209.101.70", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "28400", - "palo_alto.network.nat.community_id": "1:vbknc+k7pE33+aNpIggpIzlC7MY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 45769, - "palo_alto.source.zone": "trust", - "palo_alto.threat_file_or_url": "segment-data.zqtk.net/", - "palo_alto.threat_id": "(9999)", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28400", + "palo_alto.pan_os.network.nat.community_id": "1:vbknc+k7pE33+aNpIggpIzlC7MY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 45769, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "54.209.101.70", diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json index 43b0f21973b9..ef2e78f8eea4 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json 
@@ -35,19 +35,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "184.51.253.152", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "22751", - "palo_alto.network.nat.community_id": "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091112, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 16418, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.253.152", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22751", + "palo_alto.pan_os.network.nat.community_id": "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091112, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16418, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.207", "184.51.253.152", 
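Review bot: this hunk shows a type mismatch between two counters in the same event, `"palo_alto.pan_os.flow_id": "22751"` (string) and `"palo_alto.pan_os.sequence_number": 32091112` (number); both are numeric session/sequence identifiers from the same log line, so pick one mapping (keyword for both, or long for both) and apply it consistently in the pipeline and fields.yml. Also note that `sequence_number` appears in these traffic events but is absent from every threat event in the hunks above, so check whether the threat pipeline intentionally drops it.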
@@ -103,19 +103,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24223", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091113, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24223", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091113, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
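Review bot: for this ICMP event (`"network.transport": "icmp"`) the hunk keeps `"palo_alto.pan_os.destination.nat.port": 0` and `"palo_alto.pan_os.source.nat.port": 0`; a port of 0 is not a real port for ICMP, so the pipeline should omit the NAT port fields (and their ECS counterparts) when the transport has no ports instead of emitting a placeholder 0 that will show up in dashboards and port-based queries. The same applies to the other `icmp` hunks in this file.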
@@ -171,19 +171,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "17.253.3.202", - "palo_alto.destination.nat.port": 80, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24138", - "palo_alto.network.nat.community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091114, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 51990, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "17.253.3.202", + "palo_alto.pan_os.destination.nat.port": 80, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24138", + "palo_alto.pan_os.network.nat.community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091114, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 51990, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.207", "17.253.3.202", 
@@ -239,19 +239,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24043", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091115, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24043", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091115, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -310,19 +310,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "216.58.194.99", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23003", - "palo_alto.network.nat.community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091116, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 15252, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "216.58.194.99", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23003", + "palo_alto.pan_os.network.nat.community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091116, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 15252, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.196", "216.58.194.99", 
@@ -378,19 +378,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "209.234.224.22", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23919", - "palo_alto.network.nat.community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091117, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 40763, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "web-advertisements", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "209.234.224.22", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23919", + "palo_alto.pan_os.network.nat.community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091117, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 40763, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", "related.ip": [ "192.168.15.224", "209.234.224.22", 
@@ -446,19 +446,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "21394", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091118, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21394", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091118, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -514,19 +514,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "172.217.2.238", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23698", - "palo_alto.network.nat.community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091119, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 52881, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "172.217.2.238", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23698", + "palo_alto.pan_os.network.nat.community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091119, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 52881, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "172.217.2.238", 
@@ -582,19 +582,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24179", - "palo_alto.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091120, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 26654, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24179", + "palo_alto.pan_os.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091120, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 26654, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -650,19 +650,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23933", - "palo_alto.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091121, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 2486, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23933", + "palo_alto.pan_os.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091121, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2486, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -718,19 +718,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "17.249.60.78", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "22662", - "palo_alto.network.nat.community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091122, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 42021, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "17.249.60.78", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22662", + "palo_alto.pan_os.network.nat.community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091122, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42021, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.207", "17.249.60.78", 
@@ -786,19 +786,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24161", - "palo_alto.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091123, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 24377, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24161", + "palo_alto.pan_os.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091123, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 24377, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -854,19 +854,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24107", - "palo_alto.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091124, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 48792, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24107", + "palo_alto.pan_os.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091124, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 48792, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -922,19 +922,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24063", - "palo_alto.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091125, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 2987, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24063", + "palo_alto.pan_os.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091125, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2987, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -990,19 +990,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24145", - "palo_alto.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091126, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 6945, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24145", + "palo_alto.pan_os.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091126, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 6945, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -1058,19 +1058,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24245", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091127, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24245", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091127, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -1126,19 +1126,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24167", - "palo_alto.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091128, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 42208, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24167", + "palo_alto.pan_os.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091128, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42208, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -1194,19 +1194,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "98.138.49.44", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24212", - "palo_alto.network.nat.community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091129, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 14660, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "web-advertisements", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "98.138.49.44", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24212", + "palo_alto.pan_os.network.nat.community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091129, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 14660, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", "related.ip": [ "192.168.15.224", "98.138.49.44", 
@@ -1262,19 +1262,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "72.30.3.43", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24149", - "palo_alto.network.nat.community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091130, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 16483, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "web-advertisements", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "72.30.3.43", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24149", + "palo_alto.pan_os.network.nat.community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091130, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16483, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", "related.ip": [ "192.168.15.224", "72.30.3.43", 
@@ -1330,19 +1330,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24185", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091131, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24185", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091131, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.196", "8.8.8.8", 
@@ -1398,19 +1398,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "172.217.9.142", - "palo_alto.destination.nat.port": 80, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23856", - "palo_alto.network.nat.community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091132, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 5570, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "172.217.9.142", + "palo_alto.pan_os.destination.nat.port": 80, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23856", + "palo_alto.pan_os.network.nat.community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091132, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5570, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "172.217.9.142", 
@@ -1466,19 +1466,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24173", - "palo_alto.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091133, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 24430, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24173", + "palo_alto.pan_os.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091133, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 24430, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -1537,19 +1537,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.84.80.198", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24257", - "palo_alto.network.nat.community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091134, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 12122, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.84.80.198", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24257", + "palo_alto.pan_os.network.nat.community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091134, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12122, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "54.84.80.198", 
@@ -1608,19 +1608,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "199.167.55.52", - "palo_alto.destination.nat.port": 4282, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24090", - "palo_alto.network.nat.community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091135, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 49145, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "199.167.55.52", + "palo_alto.pan_os.destination.nat.port": 4282, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24090", + "palo_alto.pan_os.network.nat.community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091135, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 49145, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "199.167.55.52", 
@@ -1676,19 +1676,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24242", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091136, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24242", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091136, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -1743,19 +1743,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24190", - "palo_alto.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091137, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 33110, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24190", + "palo_alto.pan_os.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091137, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 33110, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.210", "8.8.8.8", 
@@ -1810,19 +1810,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "172.217.9.142", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23892", - "palo_alto.network.nat.community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091138, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 9299, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "172.217.9.142", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23892", + "palo_alto.pan_os.network.nat.community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091138, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 9299, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "172.217.9.142", 
@@ -1878,19 +1878,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "151.101.2.2", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24360", - "palo_alto.network.nat.community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091139, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 47194, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "151.101.2.2", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24360", + "palo_alto.pan_os.network.nat.community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091139, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 47194, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "151.101.2.2", 
@@ -1949,19 +1949,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "216.58.194.66", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23952", - "palo_alto.network.nat.community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091140, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 62921, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "216.58.194.66", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23952", + "palo_alto.pan_os.network.nat.community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091140, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 62921, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "216.58.194.66", 
@@ -2017,19 +2017,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24328", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091141, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24328", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091141, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -2085,19 +2085,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24385", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091142, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24385", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091142, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.210", "8.8.8.8", 
@@ -2153,19 +2153,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "184.51.253.193", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24172", - "palo_alto.network.nat.community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091143, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 41958, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "web-advertisements", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.253.193", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24172", + "palo_alto.pan_os.network.nat.community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091143, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 41958, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", "related.ip": [ "192.168.15.224", "184.51.253.193", 
@@ -2221,19 +2221,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24131", - "palo_alto.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091144, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 51374, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24131", + "palo_alto.pan_os.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091144, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 51374, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -2292,19 +2292,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "199.167.55.52", - "palo_alto.destination.nat.port": 4282, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24393", - "palo_alto.network.nat.community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091145, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 25566, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "199.167.55.52", + "palo_alto.pan_os.destination.nat.port": 4282, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24393", + "palo_alto.pan_os.network.nat.community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091145, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 25566, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "199.167.55.52", 
@@ -2363,19 +2363,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "199.167.52.219", - "palo_alto.destination.nat.port": 17472, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24976", - "palo_alto.network.nat.community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091146, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 63757, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "199.167.52.219", + "palo_alto.pan_os.destination.nat.port": 17472, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24976", + "palo_alto.pan_os.network.nat.community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091146, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 63757, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "199.167.52.219", 
@@ -2434,19 +2434,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.71.117.196", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24348", - "palo_alto.network.nat.community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091147, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 3803, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.71.117.196", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24348", + "palo_alto.pan_os.network.nat.community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091147, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3803, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "52.71.117.196", 
@@ -2502,19 +2502,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24046", - "palo_alto.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091148, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 34994, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24046", + "palo_alto.pan_os.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091148, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 34994, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -2570,19 +2570,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24196", - "palo_alto.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091149, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 38064, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24196", + "palo_alto.pan_os.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091149, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 38064, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -2641,19 +2641,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "35.186.194.41", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24264", - "palo_alto.network.nat.community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091150, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 42924, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "insufficient-content", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.186.194.41", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24264", + "palo_alto.pan_os.network.nat.community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091150, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42924, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "insufficient-content", "related.ip": [ "192.168.15.224", "35.186.194.41", 
@@ -2708,19 +2708,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "35.201.124.9", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24248", - "palo_alto.network.nat.community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091151, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 58977, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "insufficient-content", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.201.124.9", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24248", + "palo_alto.pan_os.network.nat.community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091151, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 58977, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "insufficient-content", "related.ip": [ "192.168.15.224", "35.201.124.9", 
@@ -2779,19 +2779,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "100.24.131.237", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24268", - "palo_alto.network.nat.community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091152, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 64732, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "100.24.131.237", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24268", + "palo_alto.pan_os.network.nat.community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091152, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 64732, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "100.24.131.237", 
@@ -2847,19 +2847,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "184.51.252.247", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24175", - "palo_alto.network.nat.community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091153, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 58292, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.252.247", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24175", + "palo_alto.pan_os.network.nat.community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091153, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 58292, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "184.51.252.247", 
@@ -2918,19 +2918,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "35.190.88.148", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24312", - "palo_alto.network.nat.community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091154, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 32209, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.190.88.148", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24312", + "palo_alto.pan_os.network.nat.community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091154, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 32209, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "35.190.88.148", 
@@ -2989,19 +2989,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "35.186.243.83", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24164", - "palo_alto.network.nat.community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091155, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 38822, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.186.243.83", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24164", + "palo_alto.pan_os.network.nat.community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091155, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 38822, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "35.186.243.83", 
@@ -3057,19 +3057,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24198", - "palo_alto.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091156, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 16044, - "palo_alto.source.zone": "untrust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24198", + "palo_alto.pan_os.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091156, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16044, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3125,19 +3125,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "24184", - "palo_alto.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091157, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 56614, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24184", + "palo_alto.pan_os.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091157, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 56614, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3196,19 +3196,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "100.24.165.74", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "trust", - "palo_alto.flow_id": "24314", - "palo_alto.network.nat.community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091158, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 53168, - "palo_alto.source.zone": "untrust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "100.24.165.74", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24314", + "palo_alto.pan_os.network.nat.community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091158, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53168, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "100.24.165.74", 
@@ -3264,19 +3264,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "184.51.252.247", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24204", - "palo_alto.network.nat.community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091159, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 28012, - "palo_alto.source.zone": "xtrust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.252.247", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24204", + "palo_alto.pan_os.network.nat.community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091159, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 28012, + "palo_alto.pan_os.source.zone": "xtrust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "184.51.252.247", 
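Review bot: The hunk at @@ -3264 carries `"palo_alto.pan_os.source.zone": "xtrust"`, the next one `"palo_alto.pan_os.destination.zone": "xuntrust"`, and the hunks at @@ -3057 and @@ -3196 have `untrust` as the source zone of a flow matched by `new_outbound_from_trust`; if these are deliberate mutations of the fixture to show that zone names are passed through verbatim, a comment in the test log saying so would stop someone "fixing" them later, and if they are not deliberate the source lines should be corrected before the expected file is regenerated.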
@@ -3331,19 +3331,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "35.201.94.140", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "xuntrust", - "palo_alto.flow_id": "24234", - "palo_alto.network.nat.community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091160, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 16050, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.201.94.140", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "xuntrust", + "palo_alto.pan_os.flow_id": "24234", + "palo_alto.pan_os.network.nat.community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091160, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16050, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "35.201.94.140", 
@@ -3399,17 +3399,17 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.flow_id": "24390", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091161, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.flow_id": "24390", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091161, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
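Review bot: The hunk at @@ -3399 is the only one in this file with no `palo_alto.pan_os.source.zone` or `palo_alto.pan_os.destination.zone` line (17 lines renamed instead of 19), which implies the input has empty zone columns and the pipeline drops them instead of emitting empty strings; dropping is preferable to indexing `""`, but it is worth a short comment in the test log so the missing fields are recognised as intended rather than as a regression.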
@@ -3465,19 +3465,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24093", - "palo_alto.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091162, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 61722, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24093", + "palo_alto.pan_os.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091162, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 61722, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3533,19 +3533,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24117", - "palo_alto.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091163, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 14247, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24117", + "palo_alto.pan_os.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091163, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 14247, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3601,19 +3601,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24142", - "palo_alto.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091164, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 33580, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24142", + "palo_alto.pan_os.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091164, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 33580, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3669,19 +3669,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24195", - "palo_alto.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091165, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 13498, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24195", + "palo_alto.pan_os.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091165, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13498, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3737,19 +3737,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24124", - "palo_alto.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091166, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 20365, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24124", + "palo_alto.pan_os.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091166, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20365, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3805,19 +3805,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24153", - "palo_alto.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091167, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 61464, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24153", + "palo_alto.pan_os.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091167, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 61464, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3873,19 +3873,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24122", - "palo_alto.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091168, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 42877, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24122", + "palo_alto.pan_os.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091168, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42877, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.196", "8.8.8.8", 
@@ -3941,19 +3941,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24171", - "palo_alto.network.nat.community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091169, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 5918, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24171", + "palo_alto.pan_os.network.nat.community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091169, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5918, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4009,19 +4009,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24069", - "palo_alto.network.nat.community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091170, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 28944, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24069", + "palo_alto.pan_os.network.nat.community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091170, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 28944, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4077,19 +4077,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24282", - "palo_alto.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091171, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 13415, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24282", + "palo_alto.pan_os.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091171, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13415, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4145,19 +4145,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24218", - "palo_alto.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091172, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 2489, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24218", + "palo_alto.pan_os.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091172, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2489, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4213,19 +4213,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24200", - "palo_alto.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091173, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 49328, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24200", + "palo_alto.pan_os.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091173, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 49328, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4281,19 +4281,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24224", - "palo_alto.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091174, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 36036, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24224", + "palo_alto.pan_os.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091174, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 36036, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4352,19 +4352,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "66.28.0.45", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24240", - "palo_alto.network.nat.community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091175, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 33744, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "66.28.0.45", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24240", + "palo_alto.pan_os.network.nat.community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091175, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 33744, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "66.28.0.45", 
@@ -4420,19 +4420,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24183", - "palo_alto.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091176, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 45809, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24183", + "palo_alto.pan_os.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091176, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 45809, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4488,19 +4488,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24211", - "palo_alto.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091177, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 3675, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24211", + "palo_alto.pan_os.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091177, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3675, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4556,19 +4556,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24253", - "palo_alto.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091178, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 5787, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24253", + "palo_alto.pan_os.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091178, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5787, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4624,19 +4624,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24221", - "palo_alto.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091179, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 12342, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24221", + "palo_alto.pan_os.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091179, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12342, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4692,19 +4692,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24310", - "palo_alto.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091180, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 18729, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24310", + "palo_alto.pan_os.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091180, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 18729, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4760,19 +4760,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "23.52.174.25", - "palo_alto.destination.nat.port": 80, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24326", - "palo_alto.network.nat.community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091181, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 57858, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "computer-and-internet-info", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.52.174.25", + "palo_alto.pan_os.destination.nat.port": 80, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24326", + "palo_alto.pan_os.network.nat.community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091181, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 57858, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", "related.ip": [ "192.168.15.224", "23.52.174.25", 
@@ -4828,19 +4828,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24201", - "palo_alto.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091182, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 2722, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24201", + "palo_alto.pan_os.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091182, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2722, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4896,19 +4896,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24130", - "palo_alto.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091183, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 6674, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24130", + "palo_alto.pan_os.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091183, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 6674, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4967,19 +4967,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "54.230.5.228", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24237", - "palo_alto.network.nat.community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091184, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 37427, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.230.5.228", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24237", + "palo_alto.pan_os.network.nat.community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091184, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37427, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "54.230.5.228", 
@@ -5035,19 +5035,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24108", - "palo_alto.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091185, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 22408, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24108", + "palo_alto.pan_os.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091185, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22408, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5103,19 +5103,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24247", - "palo_alto.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091186, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 27899, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24247", + "palo_alto.pan_os.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091186, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 27899, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5171,19 +5171,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24098", - "palo_alto.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091187, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 52939, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24098", + "palo_alto.pan_os.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091187, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 52939, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5239,19 +5239,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "208.83.246.20", - "palo_alto.destination.nat.port": 123, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24263", - "palo_alto.network.nat.community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091188, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 42907, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "208.83.246.20", + "palo_alto.pan_os.destination.nat.port": 123, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24263", + "palo_alto.pan_os.network.nat.community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091188, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42907, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.195", "208.83.246.20", 
@@ -5307,19 +5307,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24258", - "palo_alto.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091189, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 19658, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24258", + "palo_alto.pan_os.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091189, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19658, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.196", "8.8.8.8", 
@@ -5375,19 +5375,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24155", - "palo_alto.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091190, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 64352, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24155", + "palo_alto.pan_os.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091190, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 64352, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5443,19 +5443,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24232", - "palo_alto.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091191, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 60126, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24232", + "palo_alto.pan_os.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091191, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60126, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5513,19 +5513,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "35.185.88.112", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24330", - "palo_alto.network.nat.community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091192, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 59771, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.185.88.112", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24330", + "palo_alto.pan_os.network.nat.community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091192, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 59771, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "35.185.88.112", 
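Review bot: this is the first hunk where `palo_alto.pan_os.url.category` holds a real category (`"business-and-economy"`, on a TCP/443 flow); on every UDP/53 and ICMP flow in the neighbouring hunks the value is the literal `"any"`. If `any` is the firewall's not-applicable placeholder rather than a category, consider having the pipeline drop the field for those events instead of indexing the literal, so terms aggregations and detections keyed on URL category are not dominated by DNS and ICMP traffic that was never categorised.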
@@ -5581,19 +5581,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "23960", - "palo_alto.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091193, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 35748, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23960", + "palo_alto.pan_os.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091193, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 35748, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5649,19 +5649,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24236", - "palo_alto.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091194, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 63701, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24236", + "palo_alto.pan_os.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091194, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 63701, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5717,19 +5717,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24276", - "palo_alto.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091195, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 57872, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24276", + "palo_alto.pan_os.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091195, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 57872, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -5788,19 +5788,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "50.19.85.24", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24299", - "palo_alto.network.nat.community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091196, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 37581, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24299", + "palo_alto.pan_os.network.nat.community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091196, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37581, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "50.19.85.24", 
@@ -5859,19 +5859,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "50.19.85.24", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24229", - "palo_alto.network.nat.community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091197, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 19226, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24229", + "palo_alto.pan_os.network.nat.community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091197, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19226, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "50.19.85.24", 
@@ -5930,19 +5930,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "50.19.85.24", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24283", - "palo_alto.network.nat.community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091198, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 61721, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24283", + "palo_alto.pan_os.network.nat.community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091198, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 61721, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "50.19.85.24", 
@@ -5998,19 +5998,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "104.254.150.9", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24369", - "palo_alto.network.nat.community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091199, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 10098, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "web-advertisements", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "104.254.150.9", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24369", + "palo_alto.pan_os.network.nat.community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091199, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10098, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", "related.ip": [ "192.168.15.224", "104.254.150.9", 
@@ -6069,19 +6069,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "50.19.85.24", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24354", - "palo_alto.network.nat.community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091200, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 4564, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "business-and-economy", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24354", + "palo_alto.pan_os.network.nat.community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091200, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 4564, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", "related.ip": [ "192.168.15.224", "50.19.85.24", 
@@ -6140,19 +6140,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.0.218.108", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24254", - "palo_alto.network.nat.community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091201, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 32104, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.0.218.108", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24254", + "palo_alto.pan_os.network.nat.community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091201, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 32104, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "52.0.218.108", 
@@ -6211,19 +6211,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "52.6.117.19", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24246", - "palo_alto.network.nat.community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091202, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 14172, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.6.117.19", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24246", + "palo_alto.pan_os.network.nat.community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091202, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 14172, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "52.6.117.19", 
@@ -6282,19 +6282,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "34.238.96.22", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24343", - "palo_alto.network.nat.community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091203, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 10286, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "34.238.96.22", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24343", + "palo_alto.pan_os.network.nat.community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091203, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10286, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "34.238.96.22", 
@@ -6353,19 +6353,19 @@ "network.transport": "tcp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "130.211.47.17", - "palo_alto.destination.nat.port": 443, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24262", - "palo_alto.network.nat.community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091204, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 30799, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "130.211.47.17", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24262", + "palo_alto.pan_os.network.nat.community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091204, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 30799, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "130.211.47.17", 
@@ -6421,19 +6421,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24281", - "palo_alto.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091205, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 13490, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24281", + "palo_alto.pan_os.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091205, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13490, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -6489,19 +6489,19 @@ "network.transport": "icmp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 0, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24424", - "palo_alto.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091206, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 0, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24424", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091206, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
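Review bot: this hunk is the one ICMP event (`"network.transport": "icmp"`) and it keeps `"palo_alto.pan_os.destination.nat.port": 0` and `"palo_alto.pan_os.source.nat.port": 0`. Port 0 is a placeholder here, not a translated port, and indexing it makes `nat.port: 0` look like a real observation in dashboards and rules. Consider removing the two `nat.port` fields in the pipeline when the transport has no ports (icmp), the same way the ECS `source.port`/`destination.port` are normally left unset for ICMP, rather than carrying the zero through from the CSV.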
@@ -6557,19 +6557,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24230", - "palo_alto.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091207, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 53751, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24230", + "palo_alto.pan_os.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091207, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53751, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -6625,19 +6625,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24243", - "palo_alto.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091208, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 21643, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24243", + "palo_alto.pan_os.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091208, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 21643, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -6693,19 +6693,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24077", - "palo_alto.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091209, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 22446, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24077", + "palo_alto.pan_os.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091209, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22446, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -6761,19 +6761,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24266", - "palo_alto.network.nat.community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091210, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 22301, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24266", + "palo_alto.pan_os.network.nat.community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091210, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22301, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", 
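Review bot: in this rename hunk `palo_alto.pan_os.flow_id` stays a string ("24266") while the neighbouring `palo_alto.pan_os.sequence_number` is numeric (32091210), and both come from integer columns of the same PAN-OS CSV record; convert flow_id in the pipeline (a `convert` processor with `type: long`) or state in the fileset fields.yml why the session id is kept as a keyword, because mixed typing across two ids from one record is what breaks later correlation queries between traffic and threat events. The move from `palo_alto.*` to `palo_alto.pan_os.*` also needs the matching rename in the fileset's fields.yml and in every pipeline target that writes these keys; neither file is in this hunk, and a fixture rename alone proves the pipeline output, not that the renamed fields are mapped.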
@@ -6829,19 +6829,19 @@ "network.transport": "udp", "observer.hostname": "PA-220", "observer.serial_number": "012801096514", - "palo_alto.destination.interface": "ethernet1/1", - "palo_alto.destination.nat.ip": "8.8.8.8", - "palo_alto.destination.nat.port": 53, - "palo_alto.destination.zone": "untrust", - "palo_alto.flow_id": "24269", - "palo_alto.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=", - "palo_alto.ruleset": "new_outbound_from_trust", - "palo_alto.sequence_number": 32091211, - "palo_alto.source.interface": "ethernet1/2", - "palo_alto.source.nat.ip": "192.168.1.63", - "palo_alto.source.nat.port": 58124, - "palo_alto.source.zone": "trust", - "palo_alto.url.category": "any", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24269", + "palo_alto.pan_os.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091211, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 58124, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", "related.ip": [ "192.168.15.224", "8.8.8.8", From 51517c71378004139828fcbc5911908cc13be5af Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 9 May 2019 00:17:25 +0200 Subject: [PATCH 04/10] Make network.community_id into an array --- .../palo_alto/pan_os/ingest/pipeline.yml | 7 + .../pan_os/test/threat.log-expected.json | 380 ++++++++++--- .../pan_os/test/traffic.log-expected.json | 500 ++++++++++++++---- 3 files changed, 711 insertions(+), 176 deletions(-) 
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml index f4a87b6d04d9..afb1ba8f2ea6 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml @@ -300,6 +300,13 @@ processors: field: destination.ip target_field: destination.geo +# Append NAT community_id to network.community_id + - append: + if: 'ctx?.palo_alto?.pan_os?.network?.nat?.community_id != null && ctx.palo_alto.pan_os.network.nat.community_id != ctx?.network?.community_id' + field: network.community_id + value: + - '{{palo_alto.pan_os.network.nat.community_id}}' + # Remove temporary fields. - remove: field: diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json index 5e68214fb0a4..42ed5e737454 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json @@ -24,7 +24,10 @@ "log.offset": 0, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:mDxnuNGkonQEEYcMT0Dur/FCt/I=", + "network.community_id": [ + "1:mDxnuNGkonQEEYcMT0Dur/FCt/I=", + "1:qjpdroY6VaRSEUbSXzSWtUX00kc=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
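Review bot: the `append` in the pipeline hunk is not idempotent and yields a field whose shape varies per event. Its `if` compares the NAT community id with `ctx?.network?.community_id` as a scalar, so once `network.community_id` is already a list (a document run through the pipeline a second time, for instance via `_reindex` with `pipeline`), the String-vs-List comparison is always true and the NAT id is appended again. Test membership instead, e.g. `if: 'ctx?.palo_alto?.pan_os?.network?.nat?.community_id != null && !(ctx?.network?.community_id instanceof List ? ctx.network.community_id.contains(ctx.palo_alto.pan_os.network.nat.community_id) : ctx.palo_alto.pan_os.network.nat.community_id == ctx?.network?.community_id)'`, which keeps the current behaviour when the field is absent or a single string and stops the duplicate on re-runs. Separately, with this condition `network.community_id` remains a single string for sessions whose NAT tuple equals the original and becomes a two-element array only when it differs, as the threat hunk below shows, so consumers see both a scalar and an array for the same field across events and the element position is the only thing that distinguishes the pre-NAT id from the post-NAT one. If the commit title ("Make network.community_id into an array") means a uniform shape, wrap the first id in a list unconditionally; otherwise document the mixed shape in the fileset docs, since ECS describes network.community_id as one flow hash and a second value for the translated tuple is a module-specific extension. Either way add a non-NATed session to threat.log/traffic.log so the scalar path is covered by the expected JSON.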
@@ -85,7 +88,10 @@ "log.offset": 546, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:svoGHRUXQeOT1QlGYhMbEalRiPU=", + "network.community_id": [ + "1:svoGHRUXQeOT1QlGYhMbEalRiPU=", + "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -146,7 +152,10 @@ "log.offset": 1092, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=", + "network.community_id": [ + "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=", + "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -207,7 +216,10 @@ "log.offset": 1638, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:0KdQcz2+OQg8Kuyqn3tvtzrtAtk=", + "network.community_id": [ + "1:0KdQcz2+OQg8Kuyqn3tvtzrtAtk=", + "1:RU/nMZByVkBbsckJ18XtpXhQlPg=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -268,7 +280,10 @@ "log.offset": 2183, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=", + "network.community_id": [ + "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=", + "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -329,7 +344,10 @@ "log.offset": 2728, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:ovf/7i/MclKhY1UKalpHzmmlthk=", + "network.community_id": [ + "1:ovf/7i/MclKhY1UKalpHzmmlthk=", + "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -390,7 +408,10 @@ "log.offset": 3274, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:K7vLQF60EynWhcmrB6/wjEG8qzI=", + "network.community_id": [ + "1:K7vLQF60EynWhcmrB6/wjEG8qzI=", + "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -451,7 +472,10 @@ "log.offset": 3820, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:nMc/XZ2HhyrMMpTfW7UK0Q7QRJM=", + "network.community_id": [ + "1:nMc/XZ2HhyrMMpTfW7UK0Q7QRJM=", + "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -512,7 +536,10 @@ "log.offset": 4366, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=", + "network.community_id": [ + "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=", + "1:BilmVEwf9nQIXodvin3X6lZuVAc=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -573,7 +600,10 @@ "log.offset": 4912, "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=", + "network.community_id": [ + "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=", + "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -634,7 +664,10 @@ "log.offset": 5457, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:3V7ODANn0gD6PFiGWb7LVZcr3TY=", + "network.community_id": [ + "1:3V7ODANn0gD6PFiGWb7LVZcr3TY=", + "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -695,7 +728,10 @@ "log.offset": 6003, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:7WQBEq/QCPNFLId7r93vN98nPHQ=", + "network.community_id": [ + "1:7WQBEq/QCPNFLId7r93vN98nPHQ=", + "1:nmxmtIja0z/MV5rgbBnScsKtW0U=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -756,7 +792,10 @@ "log.offset": 6549, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:r3rve3ghPTa/BACcRlan0FEgZFw=", + "network.community_id": [ + "1:r3rve3ghPTa/BACcRlan0FEgZFw=", + "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -817,7 +856,10 @@ "log.offset": 7095, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:2A2PtRAEa2EIbgp0B+6pQMVyM1o=", + "network.community_id": [ + "1:2A2PtRAEa2EIbgp0B+6pQMVyM1o=", + "1:DqCF4BufQU/spPG8UYok6IrChWo=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -878,7 +920,10 @@ "log.offset": 7641, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:ttgSlbqHs+GKueSexHsquCbfjCk=", + "network.community_id": [ + "1:ttgSlbqHs+GKueSexHsquCbfjCk=", + "1:lJHLfl+/x95GohXozN52zokIxvA=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -939,7 +984,10 @@ "log.offset": 8187, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=", + "network.community_id": [ + "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=", + "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1000,7 +1048,10 @@ "log.offset": 8733, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:SsYXkesHdCi9Tx1qsjfCIH8mHm4=", + "network.community_id": [ + "1:SsYXkesHdCi9Tx1qsjfCIH8mHm4=", + "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1061,7 +1112,10 @@ "log.offset": 9278, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:84WYKtahMlLwf+ZletWf/DNnE30=", + "network.community_id": [ + "1:84WYKtahMlLwf+ZletWf/DNnE30=", + "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1122,7 +1176,10 @@ "log.offset": 9824, "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:X4Zvg9D/bP0EYECRSLna3za4r68=", + "network.community_id": [ + "1:X4Zvg9D/bP0EYECRSLna3za4r68=", + "1:9noBCzeHKSZpuQWETkS7W5mOTT0=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1183,7 +1240,10 @@ "log.offset": 10370, "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:greC2ffRfw5diAvjZvd+je5rhrk=", + "network.community_id": [ + "1:greC2ffRfw5diAvjZvd+je5rhrk=", + "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1244,7 +1304,10 @@ "log.offset": 10916, "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:EcYXcH6rGmgtHGDCjUQcmM+hR0c=", + "network.community_id": [ + "1:EcYXcH6rGmgtHGDCjUQcmM+hR0c=", + "1:pzcUv98hFdzW07/5bQ15jcEOAAM=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1305,7 +1368,10 @@ "log.offset": 11463, "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:OX20k3mW9JzBo4RmzVjTtvOawu4=", + "network.community_id": [ + "1:OX20k3mW9JzBo4RmzVjTtvOawu4=", + "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1366,7 +1432,10 @@ "log.offset": 12009, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:oWKucHrzLhzCpDmWJPLBELyMrzw=", + "network.community_id": [ + "1:oWKucHrzLhzCpDmWJPLBELyMrzw=", + "1:WmnET8BZufXJpdVk04PIVGj+Kgk=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1427,7 +1496,10 @@ "log.offset": 12555, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:63h3SPrH4/pr2GMJEkpg++zeJMU=", + "network.community_id": [ + "1:63h3SPrH4/pr2GMJEkpg++zeJMU=", + "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1488,7 +1560,10 @@ "log.offset": 13101, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:MpnxD3AYYy43RYm8rBQmgxv2NQ0=", + "network.community_id": [ + "1:MpnxD3AYYy43RYm8rBQmgxv2NQ0=", + "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1549,7 +1624,10 @@ "log.offset": 13647, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:kibVei9WSdxBMV8iUIg8nZMCiss=", + "network.community_id": [ + "1:kibVei9WSdxBMV8iUIg8nZMCiss=", + "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1610,7 +1688,10 @@ "log.offset": 14193, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:l33FK2i+ASkvlnDYQYRCH4evHcI=", + "network.community_id": [ + "1:l33FK2i+ASkvlnDYQYRCH4evHcI=", + "1:00oN9bToRGtVdpy+GQ742sbkpfI=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1671,7 +1752,10 @@ "log.offset": 14739, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=", + "network.community_id": [ + "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=", + "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1732,7 +1816,10 @@ "log.offset": 15285, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=", + "network.community_id": [ + "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=", + "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1793,7 +1880,10 @@ "log.offset": 15830, "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:2dLIQC1NuJw/6kPkSukOc7rN5UE=", + "network.community_id": [ + "1:2dLIQC1NuJw/6kPkSukOc7rN5UE=", + "1:b3MpSidntZseAvCtO89765ETlyI=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1854,7 +1944,10 @@ "log.offset": 16376, "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:39KkS/Y1cEc0OLIWR3+26TPoFhQ=", + "network.community_id": [ + "1:39KkS/Y1cEc0OLIWR3+26TPoFhQ=", + "1:wug3mTERsDOMF1R52vDi6SpWbMc=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -1915,7 +2008,10 @@ "log.offset": 16921, "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:IFLzwMkLmz8UfCYPFfRgTIBIzSI=", + "network.community_id": [ + "1:IFLzwMkLmz8UfCYPFfRgTIBIzSI=", + "1:ktdKYACJa2q76tdS55sj5QaeMBs=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -1976,7 +2072,10 @@ "log.offset": 17467, "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:spPQtp0F92JeXKXtvGndU6vymNo=", + "network.community_id": [ + "1:spPQtp0F92JeXKXtvGndU6vymNo=", + "1:sWvGFBOOisURcvYe5nB5HUSa6B8=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2037,7 +2136,10 @@ "log.offset": 18013, "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=", + "network.community_id": [ + "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=", + "1:LHZawFx+zgZPTd01rJqX/31kNmE=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2098,7 +2200,10 @@ "log.offset": 18559, "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=", + "network.community_id": [ + "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=", + "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2159,7 +2264,10 @@ "log.offset": 19105, "log.original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:tQxUFWF1PJh9XS+U53oZgNQELoA=", + "network.community_id": [ + "1:tQxUFWF1PJh9XS+U53oZgNQELoA=", + "1:XdO4yHx+1HZM4GcutRTyur9ixdM=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2223,7 +2331,10 @@ "log.offset": 19640, "log.original": "Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:J9ymoylt3wkbcwWFUbTc1FK8W6k=", + "network.community_id": [ + "1:J9ymoylt3wkbcwWFUbTc1FK8W6k=", + "1:kCzU3MoZUMh7VlhTewngoP1twbw=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2287,7 +2398,10 @@ "log.offset": 20182, "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:DDpR8PTbIvvnd+7Hcre+jZQVtaY=", + "network.community_id": [ + "1:DDpR8PTbIvvnd+7Hcre+jZQVtaY=", + "1:fj3W3hxHPqT4snZlcRibDiqLNvs=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2351,7 +2465,10 @@ "log.offset": 20739, "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:1dccHKUcnMkeYh68uGS1Jhl6+Hk=", + "network.community_id": [ + "1:1dccHKUcnMkeYh68uGS1Jhl6+Hk=", + "1:HLMiinoD9jzLzaYU394wqKksBUE=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2415,7 +2532,10 @@ "log.offset": 21297, "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:URFNGbFKOwT3Iaugo33D1mB/ndw=", + "network.community_id": [ + "1:URFNGbFKOwT3Iaugo33D1mB/ndw=", + "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2479,7 +2599,10 @@ "log.offset": 21855, "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:/KMTfFetIlydTraxch89t5PYve0=", + "network.community_id": [ + "1:/KMTfFetIlydTraxch89t5PYve0=", + "1:l6AkSmB92aDAHpLhiSCR28J+ANI=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2543,7 +2666,10 @@ "log.offset": 22413, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=", + "network.community_id": [ + "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=", + "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2607,7 +2733,10 @@ "log.offset": 22971, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:dS0Vb9L/suztc58TuCJc5kLrnd4=", + "network.community_id": [ + "1:dS0Vb9L/suztc58TuCJc5kLrnd4=", + "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2671,7 +2800,10 @@ "log.offset": 23529, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:ZWPOx8XRihDI9+WqUDIHe1OyInQ=", + "network.community_id": [ + "1:ZWPOx8XRihDI9+WqUDIHe1OyInQ=", + "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2735,7 +2867,10 @@ "log.offset": 24087, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:T7UcACShDtZytIaufQKjiQ8jkhM=", + "network.community_id": [ + "1:T7UcACShDtZytIaufQKjiQ8jkhM=", + "1:/GTSxrH684FoBXpyEBepCy2M81Q=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2799,7 +2934,10 @@ "log.offset": 24645, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:v2q2MvHECPCP6FDhZOfU9EhWDmw=", + "network.community_id": [ + "1:v2q2MvHECPCP6FDhZOfU9EhWDmw=", + "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2863,7 +3001,10 @@ "log.offset": 25202, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:/FL+10fyEBLqVR4oJrH3NBEx/pg=", + "network.community_id": [ + "1:/FL+10fyEBLqVR4oJrH3NBEx/pg=", + "1:7H4lb05cbTOpCa4pIgruj3M2WrY=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -2927,7 +3068,10 @@ "log.offset": 25760, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=", + "network.community_id": [ + "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=", + "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -2991,7 +3135,10 @@ "log.offset": 26318, "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:Ix3Fldb6W5hQx30Bw7Vd5/lm8hw=", + "network.community_id": [ + "1:Ix3Fldb6W5hQx30Bw7Vd5/lm8hw=", + "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3055,7 +3202,10 @@ "log.offset": 26876, "log.original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=", + "network.community_id": [ + "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=", + "1:WQC21tSR1QNUhWYgrcbgaLyTkos=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3116,7 +3266,10 @@ "log.offset": 27423, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:0TIOUPyQekmpFSgX6VlMP7asdJs=", + "network.community_id": [ + "1:0TIOUPyQekmpFSgX6VlMP7asdJs=", + "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3177,7 +3330,10 @@ "log.offset": 27968, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:5CeaDtLLJAW4qpNe5rR3zJ3u1KM=", + "network.community_id": [ + "1:5CeaDtLLJAW4qpNe5rR3zJ3u1KM=", + "1:al192CljLcXBQ5a9fXhiLM+uAKg=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3238,7 +3394,10 @@ "log.offset": 28513, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:HYgrk1tiJGzjAjdHLQJ54QqqEH0=", + "network.community_id": [ + "1:HYgrk1tiJGzjAjdHLQJ54QqqEH0=", + "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3299,7 +3458,10 @@ "log.offset": 29058, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:8k83tpdWoK7nNJrq4t81UXuScHA=", + "network.community_id": [ + "1:8k83tpdWoK7nNJrq4t81UXuScHA=", + "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3360,7 +3522,10 @@ "log.offset": 29603, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=", + "network.community_id": [ + "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=", + "1:93oplAL+YibXq75Qng9iomHp97k=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3421,7 +3586,10 @@ "log.offset": 30148, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:WlDGM7WbDrN83JffZtwB6PNK3Y8=", + "network.community_id": [ + "1:WlDGM7WbDrN83JffZtwB6PNK3Y8=", + "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3482,7 +3650,10 @@ "log.offset": 30693, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:U5qBRasQ13RQONeFOyA2+9QbWK8=", + "network.community_id": [ + "1:U5qBRasQ13RQONeFOyA2+9QbWK8=", + "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3543,7 +3714,10 @@ "log.offset": 31238, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=", + "network.community_id": [ + "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=", + "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3604,7 +3778,10 @@ "log.offset": 31783, "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:IMZ08eMrtDP/qCq8+cruyYo5r98=", + "network.community_id": [ + "1:IMZ08eMrtDP/qCq8+cruyYo5r98=", + "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3665,7 +3842,10 @@ "log.offset": 32327, "log.original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=", + "network.community_id": [ + "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=", + "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3729,7 +3909,10 @@ "log.offset": 32872, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=", + "network.community_id": [ + "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=", + "1:1XJhGS1EujYy5wSCA64wjjK7hwA=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3793,7 +3976,10 @@ "log.offset": 33417, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:N2DPhwTnklulMwYKpcc4j0nLwu4=", + "network.community_id": [ + "1:N2DPhwTnklulMwYKpcc4j0nLwu4=", + "1:YHN6cU700Mp7622M1rIzbnPQ+ik=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3857,7 +4043,10 @@ "log.offset": 33962, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:j5m21kfahBuP4jLMiqVnsVTJZ+Q=", + "network.community_id": [ + "1:j5m21kfahBuP4jLMiqVnsVTJZ+Q=", + "1:o5UB5uvp2ThXPXChyc7lgvBMH0s=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -3921,7 +4110,10 @@ "log.offset": 34506, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:8jQcqVCl+Q8N6jDNJlJwuydmDsA=", + "network.community_id": [ + "1:8jQcqVCl+Q8N6jDNJlJwuydmDsA=", + "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -3985,7 +4177,10 @@ "log.offset": 35050, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:zcJ3HhZj3urz6vGwVhseviLv7kY=", + "network.community_id": [ + "1:zcJ3HhZj3urz6vGwVhseviLv7kY=", + "1:KhCfFcRk3sovsTfN9pRRfgjsP84=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -4049,7 +4244,10 @@ "log.offset": 35594, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:DJHoN3ahXiIF4S4aGocL7KS/AhY=", + "network.community_id": [ + "1:DJHoN3ahXiIF4S4aGocL7KS/AhY=", + "1:hZhkH3fz7n30Q+zsXnQejsna14Q=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -4113,7 +4311,10 @@ "log.offset": 36138, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:oQCUvcNDUq8NlFsOiIljRD/md2E=", + "network.community_id": [ + "1:oQCUvcNDUq8NlFsOiIljRD/md2E=", + "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -4177,7 +4378,10 @@ "log.offset": 36683, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:DjIyvY/MLQ8U4RrMwFVhfq30m6g=", + "network.community_id": [ + "1:DjIyvY/MLQ8U4RrMwFVhfq30m6g=", + "1:lXgqW6uer7QCnFv+5qVbgX4vM6E=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -4241,7 +4445,10 @@ "log.offset": 37227, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=", + "network.community_id": [ + "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=", + "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -4305,7 +4512,10 @@ "log.offset": 37771, "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:wICcAfDG87s8YdjIhDgBqv6mTws=", + "network.community_id": [ + "1:wICcAfDG87s8YdjIhDgBqv6mTws=", + "1:/wf94ECkqPez+fxVgk+3KErtaBQ=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -4369,7 +4579,10 @@ "log.offset": 38316, "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:L9I6mLjr15WmWcGfC1vPrN0NmY0=", + "network.community_id": [ + "1:L9I6mLjr15WmWcGfC1vPrN0NmY0=", + "1:lGMn2sEJLK3qbOX02axD1srH/FY=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -4433,7 +4646,10 @@ "log.offset": 38861, "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=", + "network.community_id": [ + "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=", + "1:O1zDnt5d52xTreiMgL/sHMRHiXA=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -4497,7 +4713,10 @@ "log.offset": 39406, "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:hu8p8gkxiimZqTLhIkgVfSePEqk=", + "network.community_id": [ + "1:hu8p8gkxiimZqTLhIkgVfSePEqk=", + "1:CwNRTMQumfdoC3msd4z5PIYkKLU=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -4561,7 +4780,10 @@ "log.offset": 39951, "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:z12wzV1bKYppHPfC9LypWH+RtE4=", + "network.community_id": [ + "1:z12wzV1bKYppHPfC9LypWH+RtE4=", + "1:0YBp8myYbHSoKWG2HvxutMfose0=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", @@ -4625,7 +4847,10 @@ "log.offset": 40496, "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=", + "network.community_id": [ + "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=", + "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", 
@@ -4689,7 +4914,10 @@ "log.offset": 41041, "log.original": "Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", - "network.community_id": "1:f+00RNTWn2IGrM2JmEAnEPoRwDg=", + "network.community_id": [ + "1:f+00RNTWn2IGrM2JmEAnEPoRwDg=", + "1:vbknc+k7pE33+aNpIggpIzlC7MY=" + ], "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json index ef2e78f8eea4..aebb63fb703c 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json 
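Review bot: these threat expectations now carry two community IDs per event, but nothing in the hunk or the expectation file records which flow tuple each element is hashed from. Every log.original here contains both the pre-NAT pair (192.168.15.224 -> 54.209.101.70, source port e.g. 53160) and the NAT pair (192.168.1.63 -> 54.209.101.70, NAT source port e.g. 4512), so the two values are presumably the pre-NAT and post-NAT flow hashes; please state that in the fileset's fields.yml description for network.community_id (element 0 = pre-NAT, element 1 = post-NAT, or whichever order the pipeline emits), otherwise anyone correlating with a sensor on one side of the firewall has to guess which element to join on. Separately, the unchanged context in each of these hunks shows `"network.direction": "inbound"` for flows from zone trust to untrust logged as client-to-server, while the traffic fixtures for the same zone pair expect `"outbound"`; worth checking the direction logic in the ingest pipeline before these expectations are frozen.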
@@ -29,7 +29,10 @@ "log.original": "Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "apple-maps", "network.bytes": 7734, - "network.community_id": "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=", + "network.community_id": [ + "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=", + "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=" + ], "network.direction": "outbound", "network.packets": 36, "network.transport": "tcp", @@ -97,7 +100,10 @@ "log.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", 
@@ -165,7 +171,10 @@ "log.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "web-browsing", "network.bytes": 1574, - "network.community_id": "1:L9wP4JYo+V/38JhXYBMQf/hWYoQ=", + "network.community_id": [ + "1:L9wP4JYo+V/38JhXYBMQf/hWYoQ=", + "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=" + ], "network.direction": "outbound", "network.packets": 11, "network.transport": "tcp", @@ -233,7 +242,10 @@ "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", 
@@ -304,7 +316,10 @@ "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "quic", "network.bytes": 3627, - "network.community_id": "1:bfDHy9SG4Mhm/ohGXQNZR3yF5sI=", + "network.community_id": [ + "1:bfDHy9SG4Mhm/ohGXQNZR3yF5sI=", + "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=" + ], "network.direction": "outbound", "network.packets": 8, "network.transport": "udp", @@ -372,7 +387,10 @@ "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 41753, - "network.community_id": "1:A+0qkq/2rxZS/+I/sm0SFOWOkwY=", + "network.community_id": [ + "1:A+0qkq/2rxZS/+I/sm0SFOWOkwY=", + "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=" + ], "network.direction": "outbound", "network.packets": 113, "network.transport": "tcp", 
@@ -440,7 +458,10 @@ "log.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", @@ -508,7 +529,10 @@ "log.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "quic", "network.bytes": 7097, - "network.community_id": "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=", + "network.community_id": [ + "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=", + "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=" + ], "network.direction": "outbound", "network.packets": 16, "network.transport": "udp", 
@@ -576,7 +600,10 @@ "log.original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 301, - "network.community_id": "1:l1lEn2QIKjwJgww02PEndRveudE=", + "network.community_id": [ + "1:l1lEn2QIKjwJgww02PEndRveudE=", + "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -644,7 +671,10 @@ "log.original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 298, - "network.community_id": "1:RK6Ut4Rb0DTrl9IRf27cop79UwI=", + "network.community_id": [ + "1:RK6Ut4Rb0DTrl9IRf27cop79UwI=", + "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -712,7 +742,10 @@ "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "apple-push-notifications", "network.bytes": 9978, - "network.community_id": "1:89DsXq0JlAcm8a60Q9a+OELsT0Y=", + "network.community_id": [ + "1:89DsXq0JlAcm8a60Q9a+OELsT0Y=", + "1:JuPhgq+FyomxcGW/tt851C0l4Hg=" + ], "network.direction": "outbound", "network.packets": 32, "network.transport": "tcp", @@ -780,7 +813,10 @@ "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 297, - "network.community_id": "1:5lGtGtzRH+NHOqMOFVuXwxg5nCo=", + "network.community_id": [ + "1:5lGtGtzRH+NHOqMOFVuXwxg5nCo=", + "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -848,7 +884,10 @@ "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 186, - "network.community_id": "1:WbAIgVVT23pzqAJkSDF68HGSPY4=", + "network.community_id": [ + "1:WbAIgVVT23pzqAJkSDF68HGSPY4=", + "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -916,7 +955,10 @@ "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 392, - "network.community_id": "1:b+lWViOjpbOZConz3JzrSDR609Q=", + "network.community_id": [ + "1:b+lWViOjpbOZConz3JzrSDR609Q=", + "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -984,7 +1026,10 @@ "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 440, - "network.community_id": "1:dnGaTG13rwIh66+Pj0GQSdJMhu8=", + "network.community_id": [ + "1:dnGaTG13rwIh66+Pj0GQSdJMhu8=", + "1:rR5F8eZHI1nwmznedxqG9e8vUQE=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -1052,7 +1097,10 @@ "log.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", 
@@ -1120,7 +1168,10 @@ "log.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 258, - "network.community_id": "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=", + "network.community_id": [ + "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=", + "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -1188,7 +1239,10 @@ "log.original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 9891, - "network.community_id": "1:08BinpWe/JWymiOV0oCsRR8Lo4Q=", + "network.community_id": [ + "1:08BinpWe/JWymiOV0oCsRR8Lo4Q=", + "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=" + ], "network.direction": "outbound", "network.packets": 27, "network.transport": "tcp", 
@@ -1256,7 +1310,10 @@ "log.original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 8460, - "network.community_id": "1:2NNXjZpDcB9oYU1TRLRSU5v7hoQ=", + "network.community_id": [ + "1:2NNXjZpDcB9oYU1TRLRSU5v7hoQ=", + "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=" + ], "network.direction": "outbound", "network.packets": 24, "network.transport": "tcp", @@ -1324,7 +1381,10 @@ "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 392, - "network.community_id": "1:/l9vT9UwjkUeC6vNW93wy71+TBk=", + "network.community_id": [ + "1:/l9vT9UwjkUeC6vNW93wy71+TBk=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 4, "network.transport": "icmp", 
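Review bot: in this ping hunk the source is 192.168.15.196 and the first community ID (`1:/l9vT9UwjkUeC6vNW93wy71+TBk=`) differs from the 192.168.15.224 pings in the earlier hunks (`1:iNhLzwoKKarTKCq59Sts/hhZN7Q=`), yet the second ID is the same `1:QVXHpdoObbzEeqP6DGULYxqYgAY=` in both cases. That is consistent with the second element being computed over the NAT-translated tuple 192.168.1.63 -> 8.8.8.8, where ICMP has no ports to distinguish internal hosts. Please add a comment in the pipeline (or the module docs) spelling this out: a query or join on network.community_id that does not pick a specific element will collapse every internal host pinging the same destination into one flow.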
@@ -1392,7 +1452,10 @@ "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ocsp", "network.bytes": 5790, - "network.community_id": "1:JJQ4CQTTE3x7lV+Npo80V7dd6ts=", + "network.community_id": [ + "1:JJQ4CQTTE3x7lV+Npo80V7dd6ts=", + "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=" + ], "network.direction": "outbound", "network.packets": 36, "network.transport": "tcp", @@ -1460,7 +1523,10 @@ "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 261, - "network.community_id": "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=", + "network.community_id": [ + "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=", + "1:9T+RKr8xDB21pvAf/Fihyq72sLY=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -1531,7 +1597,10 @@ "log.original": "Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "traps-management-service", "network.bytes": 6295, - "network.community_id": "1:OnS/uikvrbdse63UYQtmHKrEk7k=", + "network.community_id": [ + "1:OnS/uikvrbdse63UYQtmHKrEk7k=", + "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=" + ], "network.direction": "outbound", "network.packets": 25, "network.transport": "tcp", @@ -1602,7 +1671,10 @@ "log.original": "Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 624, - "network.community_id": "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "network.community_id": [ + "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "1:07q7McJtir76GhJwAJffz+C0sNo=" + ], "network.direction": "outbound", "network.packets": 8, "network.transport": "tcp", 
@@ -1670,7 +1742,10 @@ "log.original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", @@ -1737,7 +1812,10 @@ "log.original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 215, - "network.community_id": "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=", + "network.community_id": [ + "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=", + "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -1804,7 +1882,10 @@ "log.original": "Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "quic", "network.bytes": 4867, - "network.community_id": "1:lVJii2BraOSOIissazAe7/enqkQ=", + "network.community_id": [ + "1:lVJii2BraOSOIissazAe7/enqkQ=", + "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "udp", @@ -1872,7 +1953,10 @@ "log.original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1623, - "network.community_id": "1:Te0H9rrEbN0bNEjgdC1n6hD8kQU=", + "network.community_id": [ + "1:Te0H9rrEbN0bNEjgdC1n6hD8kQU=", + "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=" + ], "network.direction": "outbound", "network.packets": 13, "network.transport": "tcp", 
@@ -1943,7 +2027,10 @@ "log.original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "quic", "network.bytes": 4405, - "network.community_id": "1:5umxbSgQhlPOZM9gbu1iBMqzRr8=", + "network.community_id": [ + "1:5umxbSgQhlPOZM9gbu1iBMqzRr8=", + "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=" + ], "network.direction": "outbound", "network.packets": 9, "network.transport": "udp", @@ -2011,7 +2098,10 @@ "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", 
@@ -2079,7 +2169,10 @@ "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 392, - "network.community_id": "1:7LdGPOlsucPADJQxcTlIy8FSIxU=", + "network.community_id": [ + "1:7LdGPOlsucPADJQxcTlIy8FSIxU=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 4, "network.transport": "icmp", @@ -2147,7 +2240,10 @@ "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 7231, - "network.community_id": "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=", + "network.community_id": [ + "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=", + "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=" + ], "network.direction": "outbound", "network.packets": 22, "network.transport": "tcp", 
@@ -2215,7 +2311,10 @@ "log.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 267, - "network.community_id": "1:BengLCKQRlHSjje1eFQLdxgTKJc=", + "network.community_id": [ + "1:BengLCKQRlHSjje1eFQLdxgTKJc=", + "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -2286,7 +2385,10 @@ "log.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 78, - "network.community_id": "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "network.community_id": [ + "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=" + ], "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", 
@@ -2357,7 +2459,10 @@ "log.original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "tanium", "network.bytes": 3402, - "network.community_id": "1:9oIDq1tuilAK1JGhtfp35vZpz4w=", + "network.community_id": [ + "1:9oIDq1tuilAK1JGhtfp35vZpz4w=", + "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=" + ], "network.direction": "outbound", "network.packets": 20, "network.transport": "tcp", @@ -2428,7 +2533,10 @@ "log.original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 16594, - "network.community_id": "1:lrruE+4dZreV0/+v9V1CpxRnfsE=", + "network.community_id": [ + "1:lrruE+4dZreV0/+v9V1CpxRnfsE=", + "1:EG9O/WtvoWuYwaB1MXJTgr43kac=" + ], "network.direction": "outbound", "network.packets": 38, "network.transport": "tcp", 
@@ -2496,7 +2604,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 323, - "network.community_id": "1:b/0kdGUcINh0ryiR0w0QTg0t0jQ=", + "network.community_id": [ + "1:b/0kdGUcINh0ryiR0w0QTg0t0jQ=", + "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -2564,7 +2675,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 300, - "network.community_id": "1:SsNvr7qdck7W52PZqREypGPIglo=", + "network.community_id": [ + "1:SsNvr7qdck7W52PZqREypGPIglo=", + "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -2635,7 +2749,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 6598, - "network.community_id": "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=", + "network.community_id": [ + "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=", + "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=" + ], "network.direction": "outbound", "network.packets": 44, "network.transport": "tcp", @@ -2702,7 +2819,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 65588, - "network.community_id": "1:DBvAD0JZYsb+pmUJkhTQYOcLJls=", + "network.community_id": [ + "1:DBvAD0JZYsb+pmUJkhTQYOcLJls=", + "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=" + ], "network.direction": "outbound", "network.packets": 104, "network.transport": "tcp", 
@@ -2773,7 +2893,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 13076, - "network.community_id": "1:3G8yDLybfwtFo10J4I/c5Ayd4Qk=", + "network.community_id": [ + "1:3G8yDLybfwtFo10J4I/c5Ayd4Qk=", + "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=" + ], "network.direction": "outbound", "network.packets": 32, "network.transport": "tcp", @@ -2841,7 +2964,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1761, - "network.community_id": "1:ZTCXYP/obCmlK+BT3BISstdxpCk=", + "network.community_id": [ + "1:ZTCXYP/obCmlK+BT3BISstdxpCk=", + "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=" + ], "network.direction": "outbound", "network.packets": 15, "network.transport": "tcp", 
@@ -2912,7 +3038,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 14732, - "network.community_id": "1:DEAqTvDzZjanGG1P2CcnR3CKUfc=", + "network.community_id": [ + "1:DEAqTvDzZjanGG1P2CcnR3CKUfc=", + "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=" + ], "network.direction": "outbound", "network.packets": 31, "network.transport": "tcp", @@ -2983,7 +3112,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 14732, - "network.community_id": "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=", + "network.community_id": [ + "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=", + "1:Xx31zYZNYc/mjf2GOihkp6JogmA=" + ], "network.direction": "outbound", "network.packets": 31, "network.transport": "tcp", 
@@ -3051,7 +3183,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 266, - "network.community_id": "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=", + "network.community_id": [ + "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=", + "1:445AeHI1LAvb+ii4arRZeLAO4zM=" + ], "network.direction": "external", "network.packets": 2, "network.transport": "udp", @@ -3119,7 +3254,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 164, - "network.community_id": "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=", + "network.community_id": [ + "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=", + "1:+5KwsEYW+tFecEENSBwHbKTvUv8=" + ], "network.direction": "internal", "network.packets": 2, "network.transport": "udp", 
@@ -3190,7 +3328,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 9400, - "network.community_id": "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=", + "network.community_id": [ + "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=", + "1:DRqq/mx90TOYq1a5yLf562kwIvc=" + ], "network.direction": "inbound", "network.packets": 30, "network.transport": "tcp", @@ -3258,7 +3399,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1761, - "network.community_id": "1:LeVVxJ/qJ69xMnerDRfh9DhS1wg=", + "network.community_id": [ + "1:LeVVxJ/qJ69xMnerDRfh9DhS1wg=", + "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=" + ], "network.direction": "unknown", "network.packets": 15, "network.transport": "tcp", 
@@ -3325,7 +3469,10 @@ "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 14732, - "network.community_id": "1:b6jBmvbfVzb1LGTW2RD80kK1rMs=", + "network.community_id": [ + "1:b6jBmvbfVzb1LGTW2RD80kK1rMs=", + "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=" + ], "network.direction": "unknown", "network.packets": 31, "network.transport": "tcp", @@ -3393,7 +3540,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "unknown", "network.packets": 12, "network.transport": "icmp", 
@@ -3459,7 +3609,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 228, - "network.community_id": "1:jK1/samUe1w5J1uVlmH7SIXX1YE=", + "network.community_id": [ + "1:jK1/samUe1w5J1uVlmH7SIXX1YE=", + "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -3527,7 +3680,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 337, - "network.community_id": "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=", + "network.community_id": [ + "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=", + "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -3595,7 +3751,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 337, - "network.community_id": "1:qHh6xeCGBZ5pLwaBsFDRVbP5MZU=", + "network.community_id": [ + "1:qHh6xeCGBZ5pLwaBsFDRVbP5MZU=", + "1:twx1eOqehbazvI0g0nkTeVynrY0=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -3663,7 +3822,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 252, - "network.community_id": "1:7yZMN4i1Gxii2+FmEtBbvDk3lvA=", + "network.community_id": [ + "1:7yZMN4i1Gxii2+FmEtBbvDk3lvA=", + "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -3731,7 +3893,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 232, - "network.community_id": "1:0vV/bWp15XA8ntbAvsV9+ktbx6E=", + "network.community_id": [ + "1:0vV/bWp15XA8ntbAvsV9+ktbx6E=", + "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -3799,7 +3964,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 206, - "network.community_id": "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=", + "network.community_id": [ + "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=", + "1:hsTAFtOdeb7+Ofe152B+9h69mbE=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -3867,7 +4035,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 194, - "network.community_id": "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=", + "network.community_id": [ + "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=", + "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -3935,7 +4106,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 269, - "network.community_id": "1:aMEfJV/f54B1+0RNtWjw49JfNFU=", + "network.community_id": [ + "1:aMEfJV/f54B1+0RNtWjw49JfNFU=", + "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4003,7 +4177,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 212, - "network.community_id": "1:WgGQfntwYS3voQPhGfI/qhx0SVk=", + "network.community_id": [ + "1:WgGQfntwYS3voQPhGfI/qhx0SVk=", + "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4071,7 +4248,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 252, - "network.community_id": "1:RM5edUgZPywM/hIejzFVba+A4co=", + "network.community_id": [ + "1:RM5edUgZPywM/hIejzFVba+A4co=", + "1:po/vy4RoD5WeFPgCZnduQkE47yY=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4139,7 +4319,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 308, - "network.community_id": "1:jJo7FJWI3gHbC96nTsyT17hVP98=", + "network.community_id": [ + "1:jJo7FJWI3gHbC96nTsyT17hVP98=", + "1:wIxYOe++IxscmxBcRwrPGEIlZF4=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4207,7 +4390,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 249, - "network.community_id": "1:eWhg/7DfJGJNfW90sKt5WEYnI9g=", + "network.community_id": [ + "1:eWhg/7DfJGJNfW90sKt5WEYnI9g=", + "1:xN7R3QI47jVAQhgJrOAvdsu+oes=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4275,7 +4461,10 @@ "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 379, - "network.community_id": "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=", + "network.community_id": [ + "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=", + "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4346,7 +4535,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 603, - "network.community_id": "1:4i/owhGS2IpySKH+SyV4sXRj0+A=", + "network.community_id": [ + "1:4i/owhGS2IpySKH+SyV4sXRj0+A=", + "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4414,7 +4606,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 242, - "network.community_id": "1:KZzZcwEN4cbaTck1z2Wa/3P3YjU=", + "network.community_id": [ + "1:KZzZcwEN4cbaTck1z2Wa/3P3YjU=", + "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4482,7 +4677,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 240, - "network.community_id": "1:LJ6ZkdUI9SYHDvi3B2Yn/9ILMbM=", + "network.community_id": [ + "1:LJ6ZkdUI9SYHDvi3B2Yn/9ILMbM=", + "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4550,7 +4748,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 208, - "network.community_id": "1:8CDWB7X3kkKjoV2bprSLSQY1py4=", + "network.community_id": [ + "1:8CDWB7X3kkKjoV2bprSLSQY1py4=", + "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4618,7 +4819,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 253, - "network.community_id": "1:ScmRIn+bxqoJafQfJfEaH/CdCjE=", + "network.community_id": [ + "1:ScmRIn+bxqoJafQfJfEaH/CdCjE=", + "1:vnb4ttnFy2i39tg89p3jkGs6eDg=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4686,7 +4890,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 197, - "network.community_id": "1:eupsSNkv67+oInX/FQ2hHpUMyR8=", + "network.community_id": [ + "1:eupsSNkv67+oInX/FQ2hHpUMyR8=", + "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4754,7 +4961,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ocsp", "network.bytes": 1927, - "network.community_id": "1://eZmJioBenLsE0zEL0rhbQ7JT8=", + "network.community_id": [ + "1://eZmJioBenLsE0zEL0rhbQ7JT8=", + "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=" + ], "network.direction": "outbound", "network.packets": 11, "network.transport": "tcp", 
@@ -4822,7 +5032,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 394, - "network.community_id": "1:5CL0nRdjk2Nab0PzB6vfyC1FbtI=", + "network.community_id": [ + "1:5CL0nRdjk2Nab0PzB6vfyC1FbtI=", + "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4890,7 +5103,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 212, - "network.community_id": "1:3cIrQ2yt0QUupDVmbBJXH54+2pA=", + "network.community_id": [ + "1:3cIrQ2yt0QUupDVmbBJXH54+2pA=", + "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -4961,7 +5177,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 642, - "network.community_id": "1:ArbNq6iF9i1NLk5zDU1qThAZf4g=", + "network.community_id": [ + "1:ArbNq6iF9i1NLk5zDU1qThAZf4g=", + "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=" + ], "network.direction": "outbound", "network.packets": 9, "network.transport": "tcp", @@ -5029,7 +5248,10 @@ "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 225, - "network.community_id": "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=", + "network.community_id": [ + "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=", + "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -5097,7 +5319,10 @@ "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 273, - "network.community_id": "1:hwpLJFJeocCuki/uuS7DMUwYAcc=", + "network.community_id": [ + "1:hwpLJFJeocCuki/uuS7DMUwYAcc=", + "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -5165,7 +5390,10 @@ "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 270, - "network.community_id": "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=", + "network.community_id": [ + "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=", + "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -5233,7 +5461,10 @@ "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ntp", "network.bytes": 180, - "network.community_id": "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=", + "network.community_id": [ + "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=", + "1:OSARbLstqz9D5CGo0NQuv0a9g20=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -5301,7 +5532,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 340, - "network.community_id": "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=", + "network.community_id": [ + "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=", + "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=" + ], "network.direction": "outbound", "network.packets": 4, "network.transport": "udp", 
@@ -5369,7 +5603,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 291, - "network.community_id": "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=", + "network.community_id": [ + "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=", + "1:uPFYX4KL/wjyCp4kt+08v7myT3w=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -5437,7 +5674,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 184, - "network.community_id": "1:GzSDvCcBuprowvf40RNRaGTOn+A=", + "network.community_id": [ + "1:GzSDvCcBuprowvf40RNRaGTOn+A=", + "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -5507,7 +5747,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 9290, - "network.community_id": "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=", + "network.community_id": [ + "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=", + "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=" + ], "network.direction": "outbound", "network.packets": 24, "network.transport": "tcp", @@ -5575,7 +5818,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 202, - "network.community_id": "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=", + "network.community_id": [ + "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=", + "1:9Ub1pskil4C0tLo85OJa61g1D0Q=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -5643,7 +5889,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 200, - "network.community_id": "1:UKGEn5x2xKPJhb0aLNUd3IM2xP0=", + "network.community_id": [ + "1:UKGEn5x2xKPJhb0aLNUd3IM2xP0=", + "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -5711,7 +5960,10 @@ "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 160, - "network.community_id": "1:7WDGZhY7X3GTZLGCIDWzxK5juF4=", + "network.community_id": [ + "1:7WDGZhY7X3GTZLGCIDWzxK5juF4=", + "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -5782,7 +6034,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1754, - "network.community_id": "1:wOhR5YstpLgnt5WE19sGYKCmyZU=", + "network.community_id": [ + "1:wOhR5YstpLgnt5WE19sGYKCmyZU=", + "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=" + ], "network.direction": "outbound", "network.packets": 15, "network.transport": "tcp", @@ -5853,7 +6108,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1754, - "network.community_id": "1:6h8eY2s13iXP9cVx+C3Odlnn4+A=", + "network.community_id": [ + "1:6h8eY2s13iXP9cVx+C3Odlnn4+A=", + "1:8oAG19bm5FROhazDy0CcTH+Cfqc=" + ], "network.direction": "outbound", "network.packets": 15, "network.transport": "tcp", 
@@ -5924,7 +6182,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1754, - "network.community_id": "1:/ZL4TDk4BgzLIyz/Xp1oJ9ew5cE=", + "network.community_id": [ + "1:/ZL4TDk4BgzLIyz/Xp1oJ9ew5cE=", + "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=" + ], "network.direction": "outbound", "network.packets": 15, "network.transport": "tcp", @@ -5992,7 +6253,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 10511, - "network.community_id": "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=", + "network.community_id": [ + "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=", + "1:aHhDlT3Bx285CJRrBykpRsei1a0=" + ], "network.direction": "outbound", "network.packets": 22, "network.transport": "tcp", 
@@ -6063,7 +6327,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ssl", "network.bytes": 1754, - "network.community_id": "1:QTH4ra5ZOxMb5v4tYy8DkqQsSus=", + "network.community_id": [ + "1:QTH4ra5ZOxMb5v4tYy8DkqQsSus=", + "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=" + ], "network.direction": "outbound", "network.packets": 15, "network.transport": "tcp", @@ -6134,7 +6401,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 490, - "network.community_id": "1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=", + "network.community_id": [ + "1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=", + "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=" + ], "network.direction": "outbound", "network.packets": 7, "network.transport": "tcp", 
@@ -6205,7 +6475,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 490, - "network.community_id": "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=", + "network.community_id": [ + "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=", + "1:486dmnLzuTH8P7j6jI6JsUtW2VU=" + ], "network.direction": "outbound", "network.packets": 7, "network.transport": "tcp", @@ -6276,7 +6549,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 490, - "network.community_id": "1:FdupsUbF1ju1djczW9JAKlxKNC4=", + "network.community_id": [ + "1:FdupsUbF1ju1djczW9JAKlxKNC4=", + "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=" + ], "network.direction": "outbound", "network.packets": 7, "network.transport": "tcp", 
@@ -6347,7 +6623,10 @@ "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "incomplete", "network.bytes": 556, - "network.community_id": "1:fHitWYVd9RNFs7M5hQrqw/dmY8Y=", + "network.community_id": [ + "1:fHitWYVd9RNFs7M5hQrqw/dmY8Y=", + "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=" + ], "network.direction": "outbound", "network.packets": 8, "network.transport": "tcp", @@ -6415,7 +6694,10 @@ "log.original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 269, - "network.community_id": "1:n/IZF37E/7cErtK4po3ewuEQScY=", + "network.community_id": [ + "1:n/IZF37E/7cErtK4po3ewuEQScY=", + "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -6483,7 +6765,10 @@ "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "ping", "network.bytes": 1176, - "network.community_id": "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], "network.direction": "outbound", "network.packets": 12, "network.transport": "icmp", @@ -6551,7 +6836,10 @@ "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 172, - "network.community_id": "1:jKueIOIhkRRjHQyRO93QyuKEiP8=", + "network.community_id": [ + "1:jKueIOIhkRRjHQyRO93QyuKEiP8=", + "1:mdksC4jGw6MN7g3nGdquiqQ95vU=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -6619,7 +6907,10 @@ "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 242, - "network.community_id": "1:mci4o+GZJDLvZr11UdJH9bepPqU=", + "network.community_id": [ + "1:mci4o+GZJDLvZr11UdJH9bepPqU=", + "1:+zC2Y+UE7UqApr01oqb755Xyuf4=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -6687,7 +6978,10 @@ "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 172, - "network.community_id": "1:Px8uRfOgVDuaWj/VKxjTwyAzHAM=", + "network.community_id": [ + "1:Px8uRfOgVDuaWj/VKxjTwyAzHAM=", + "1:xawqUBgLyfe1E61ObEXv4nbO590=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", 
@@ -6755,7 +7049,10 @@ "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 172, - "network.community_id": "1:6tSek5GUc9k56LSY4NgTMd0igd8=", + "network.community_id": [ + "1:6tSek5GUc9k56LSY4NgTMd0igd8=", + "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -6823,7 +7120,10 @@ "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "network.application": "dns", "network.bytes": 238, - "network.community_id": "1:xl0u/+SYGciPtyPuv813G1aTEdI=", + "network.community_id": [ + "1:xl0u/+SYGciPtyPuv813G1aTEdI=", + "1:yNIHAg1M08IChho9000mtg7zUOc=" + ], "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", From 4da1d502ee8b20383f4a037095a5ee27ac504223 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Thu, 9 May 2019 00:30:33 +0200 Subject: [PATCH 05/10] Set source and destination address fields --- .../module/palo_alto/pan_os/config/input.yml | 4 + .../test/pan_inc_other.log-expected.json | 2 + .../test/pan_inc_threat.log-expected.json | 200 ++++++++++++++++++ .../test/pan_inc_traffic.log-expected.json | 200 ++++++++++++++++++ .../pan_os/test/threat.log-expected.json | 152 +++++++++++++ .../pan_os/test/traffic.log-expected.json | 200 ++++++++++++++++++ 6 files changed, 758 insertions(+) diff --git a/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml index 2fefed18a0ad..be15016ae311 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml @@ -47,8 +47,10 @@ processors: mappings: client.ip: 7 source.ip: 7 + source.address: 7 server.ip: 8 destination.ip: 8 + destination.address: 8 palo_alto.pan_os.source.nat.ip: 9 palo_alto.pan_os.destination.nat.ip: 10 palo_alto.pan_os.ruleset: 11 @@ -98,8 +100,10 @@ processors: mappings: client.ip: 7 source.ip: 7 + source.address: 7 server.ip: 8 destination.ip: 8 + destination.address: 8 palo_alto.pan_os.source.nat.ip: 9 palo_alto.pan_os.destination.nat.ip: 10 palo_alto.pan_os.ruleset: 11 diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json index d5ab87113dea..45de9e62f21d 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json @@ -6,6 +6,7 @@ "client.packets": 0, "client.port": 59309, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", 
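Review bot: the two input.yml hunks above (@@ -47 and @@ -98) add "source.address: 7" and "destination.address: 8" next to the existing "client.ip: 7 / source.ip: 7" and "server.ip: 8 / destination.ip: 8" mappings, but the client/server pair gets no matching client.address / server.address, so the two ECS pairs are now populated inconsistently. Either add "client.address: 7" and "server.address: 8" in both blocks, or state in the commit message that the client/server fields are intentionally IP-only. Having to patch the identical column-to-field mapping in two places is also a maintenance hazard: consider factoring the shared mappings so that a single edit covers both blocks, or add a test that asserts the two blocks agree on the common columns.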
@@ -61,6 +62,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json index f95bcc19c5aa..29373236d667 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json @@ -4,6 +4,7 @@ "client.ip": "192.168.0.2", "client.port": 59309, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -54,6 +55,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59309, @@ -68,6 +70,7 @@ "client.ip": "192.168.0.2", "client.port": 59313, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -118,6 +121,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59313, @@ -132,6 +136,7 @@ "client.ip": "192.168.0.2", "client.port": 59314, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -182,6 +187,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59314, @@ -196,6 +202,7 @@ "client.ip": "192.168.0.2", "client.port": 59315, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -246,6 +253,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59315, @@ -260,6 +268,7 @@ "client.ip": "192.168.0.2", "client.port": 59316, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -310,6 +319,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59316, @@ -324,6 +334,7 @@ "client.ip": "192.168.0.2", "client.port": 59317, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -374,6 +385,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59317, 
@@ -388,6 +400,7 @@ "client.ip": "192.168.0.2", "client.port": 59302, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -438,6 +451,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59302, @@ -452,6 +466,7 @@ "client.ip": "192.168.0.2", "client.port": 59301, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -502,6 +517,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59301, @@ -516,6 +532,7 @@ "client.ip": "192.168.0.2", "client.port": 59303, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -566,6 +583,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59303, @@ -580,6 +598,7 @@ "client.ip": "192.168.0.2", "client.port": 59304, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -630,6 +649,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59304, @@ -644,6 +664,7 @@ "client.ip": "192.168.0.2", "client.port": 59297, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -694,6 +715,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59297, @@ -708,6 +730,7 @@ "client.ip": "192.168.0.2", "client.port": 59299, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -758,6 +781,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59299, @@ -772,6 +796,7 @@ "client.ip": "192.168.0.2", "client.port": 59298, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -822,6 +847,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59298, 
@@ -836,6 +862,7 @@ "client.ip": "192.168.0.2", "client.port": 59300, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -885,6 +912,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59300, @@ -899,6 +927,7 @@ "client.ip": "192.168.0.2", "client.port": 59295, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -949,6 +978,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59295, @@ -963,6 +993,7 @@ "client.ip": "192.168.0.2", "client.port": 59291, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1013,6 +1044,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59291, @@ -1027,6 +1059,7 @@ "client.ip": "192.168.0.2", "client.port": 59296, "client.user.name": "crusher", + "destination.address": "78.159.99.224", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", "destination.geo.location.lat": 51.2993, 
@@ -1073,6 +1106,7 @@ "server.ip": "78.159.99.224", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59296, @@ -1087,6 +1121,7 @@ "client.ip": "192.168.0.2", "client.port": 59280, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1137,6 +1172,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59280, @@ -1151,6 +1187,7 @@ "client.ip": "192.168.0.2", "client.port": 59281, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1201,6 +1238,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59281, @@ -1215,6 +1253,7 @@ "client.ip": "192.168.0.2", "client.port": 59282, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1265,6 +1304,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59282, 
@@ -1279,6 +1319,7 @@ "client.ip": "192.168.0.2", "client.port": 59290, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1329,6 +1370,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59290, @@ -1343,6 +1385,7 @@ "client.ip": "192.168.0.2", "client.port": 59286, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1393,6 +1436,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59286, @@ -1407,6 +1451,7 @@ "client.ip": "192.168.0.2", "client.port": 59275, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1457,6 +1502,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59275, @@ -1471,6 +1517,7 @@ "client.ip": "192.168.0.2", "client.port": 59277, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -1521,6 +1568,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59277, @@ -1535,6 +1583,7 @@ "client.ip": "192.168.0.2", "client.port": 59276, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1585,6 +1634,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59276, @@ -1599,6 +1649,7 @@ "client.ip": "192.168.0.2", "client.port": 59278, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1649,6 +1700,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59278, @@ -1663,6 +1715,7 @@ "client.ip": "192.168.0.2", "client.port": 59279, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1713,6 +1766,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59279, 
@@ -1727,6 +1781,7 @@ "client.ip": "192.168.0.2", "client.port": 59271, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1777,6 +1832,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59271, @@ -1791,6 +1847,7 @@ "client.ip": "192.168.0.2", "client.port": 59269, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1841,6 +1898,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59269, @@ -1855,6 +1913,7 @@ "client.ip": "192.168.0.2", "client.port": 59270, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1905,6 +1964,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59270, @@ -1919,6 +1979,7 @@ "client.ip": "192.168.0.2", "client.port": 59274, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -1969,6 +2030,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59274, @@ -1983,6 +2045,7 @@ "client.ip": "192.168.0.2", "client.port": 59273, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2033,6 +2096,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59273, @@ -2047,6 +2111,7 @@ "client.ip": "192.168.0.2", "client.port": 59272, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2097,6 +2162,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59272, @@ -2111,6 +2177,7 @@ "client.ip": "192.168.0.2", "client.port": 59261, "client.user.name": "crusher", + "destination.address": "69.43.161.167", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2157,6 +2224,7 @@ "server.ip": "69.43.161.167", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59261, 
@@ -2171,6 +2239,7 @@ "client.ip": "192.168.0.2", "client.port": 59248, "client.user.name": "crusher", + "destination.address": "202.31.187.154", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "KR", "destination.geo.location.lat": 37.5112, @@ -2217,6 +2286,7 @@ "server.ip": "202.31.187.154", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59248, @@ -2231,6 +2301,7 @@ "client.ip": "192.168.0.2", "client.port": 59251, "client.user.name": "crusher", + "destination.address": "89.111.176.67", "destination.geo.city_name": "Moscow", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", @@ -2280,6 +2351,7 @@ "server.ip": "89.111.176.67", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59251, @@ -2294,6 +2366,7 @@ "client.ip": "192.168.0.2", "client.port": 59244, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2343,6 +2416,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59244, @@ -2357,6 +2431,7 @@ "client.ip": "192.168.0.2", "client.port": 59237, "client.user.name": "crusher", + "destination.address": "208.73.210.29", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -2403,6 +2478,7 @@ "server.ip": "208.73.210.29", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59237, @@ -2417,6 +2493,7 @@ "client.ip": "192.168.0.2", "client.port": 59238, "client.user.name": "crusher", + "destination.address": "208.73.210.29", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2463,6 +2540,7 @@ "server.ip": "208.73.210.29", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59238, @@ -2477,6 +2555,7 @@ "client.ip": "192.168.0.2", "client.port": 59010, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2526,6 +2605,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59010, @@ -2540,6 +2620,7 @@ "client.ip": "192.168.0.2", "client.port": 58969, "client.user.name": "crusher", + "destination.address": "208.73.210.29", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2586,6 +2667,7 @@ "server.ip": "208.73.210.29", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58969, 
@@ -2600,6 +2682,7 @@ "client.ip": "192.168.0.2", "client.port": 58941, "client.user.name": "crusher", + "destination.address": "89.108.64.156", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", "destination.geo.location.lat": 55.7386, @@ -2646,6 +2729,7 @@ "server.ip": "89.108.64.156", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58941, @@ -2660,6 +2744,7 @@ "client.ip": "192.168.0.2", "client.port": 58942, "client.user.name": "crusher", + "destination.address": "89.108.64.156", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", "destination.geo.location.lat": 55.7386, @@ -2706,6 +2791,7 @@ "server.ip": "89.108.64.156", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58942, @@ -2719,6 +2805,7 @@ "@timestamp": "2012-04-10T04:37:28.000Z", "client.ip": "204.232.231.46", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 58849, @@ -2764,6 +2851,7 @@ "server.port": 58849, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "204.232.231.46", "source.geo.city_name": "Charlotte", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", @@ -2783,6 +2871,7 @@ "client.ip": "192.168.0.2", "client.port": 58856, "client.user.name": "crusher", + "destination.address": "216.8.179.25", "destination.geo.city_name": "Tecumseh", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", 
@@ -2832,6 +2921,7 @@ "server.ip": "216.8.179.25", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58856, @@ -2846,6 +2936,7 @@ "client.ip": "192.168.0.2", "client.port": 58847, "client.user.name": "crusher", + "destination.address": "69.43.161.154", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2892,6 +2983,7 @@ "server.ip": "69.43.161.154", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58847, @@ -2906,6 +2998,7 @@ "client.ip": "192.168.0.2", "client.port": 58841, "client.user.name": "crusher", + "destination.address": "208.91.196.252", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "VG", "destination.geo.location.lat": 18.5, @@ -2952,6 +3045,7 @@ "server.ip": "208.91.196.252", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58841, @@ -2966,6 +3060,7 @@ "client.ip": "192.168.0.2", "client.port": 58795, "client.user.name": "crusher", + "destination.address": "208.73.210.29", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3012,6 +3107,7 @@ "server.ip": "208.73.210.29", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58795, 
@@ -3026,6 +3122,7 @@ "client.ip": "192.168.0.2", "client.port": 58753, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3075,6 +3172,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58753, @@ -3089,6 +3187,7 @@ "client.ip": "192.168.0.2", "client.port": 58708, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3138,6 +3237,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58708, @@ -3152,6 +3252,7 @@ "client.ip": "192.168.0.2", "client.port": 58707, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3201,6 +3302,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58707, @@ -3215,6 +3317,7 @@ "client.ip": "192.168.0.2", "client.port": 58603, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -3264,6 +3367,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58603, @@ -3278,6 +3382,7 @@ "client.ip": "192.168.0.2", "client.port": 58603, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3327,6 +3432,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58603, @@ -3340,6 +3446,7 @@ "@timestamp": "2012-04-10T04:19:59.000Z", "client.ip": "173.236.179.57", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 54431, @@ -3385,6 +3492,7 @@ "server.port": 54431, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "173.236.179.57", "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", @@ -3404,6 +3512,7 @@ "client.ip": "192.168.0.2", "client.port": 58603, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3453,6 +3562,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 58603, 
@@ -3466,6 +3576,7 @@ "@timestamp": "2012-04-10T04:51:29.000Z", "client.ip": "91.209.163.202", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 61220, @@ -3511,6 +3622,7 @@ "server.port": 61220, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "91.209.163.202", "source.geo.country_iso_code": "European Union", "source.ip": "91.209.163.202", "source.port": 80, @@ -3523,6 +3635,7 @@ "@timestamp": "2012-04-10T04:54:33.000Z", "client.ip": "122.226.169.183", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 61726, @@ -3568,6 +3681,7 @@ "server.port": 61726, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "122.226.169.183", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", "source.geo.location.lat": 30.2936, @@ -3586,6 +3700,7 @@ "client.ip": "192.168.0.2", "client.port": 63007, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3635,6 +3750,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 63007, @@ -3648,6 +3764,7 @@ "@timestamp": "2012-04-10T04:45:17.000Z", "client.ip": "109.201.131.15", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 60212, 
@@ -3693,6 +3810,7 @@ "server.port": 60212, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "109.201.131.15", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", "source.geo.location.lat": 52.3824, @@ -3708,6 +3826,7 @@ "@timestamp": "2012-04-10T04:46:16.000Z", "client.ip": "91.209.163.202", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 60392, @@ -3753,6 +3872,7 @@ "server.port": 60392, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "91.209.163.202", "source.geo.country_iso_code": "European Union", "source.ip": "91.209.163.202", "source.port": 80, @@ -3766,6 +3886,7 @@ "client.ip": "192.168.0.2", "client.port": 59709, "client.user.name": "crusher", + "destination.address": "213.180.199.61", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", "destination.geo.location.lat": 55.7386, @@ -3812,6 +3933,7 @@ "server.ip": "213.180.199.61", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59709, @@ -3826,6 +3948,7 @@ "client.ip": "192.168.0.2", "client.port": 59721, "client.user.name": "crusher", + "destination.address": "213.180.199.61", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", "destination.geo.location.lat": 55.7386, @@ -3872,6 +3995,7 @@ "server.ip": "213.180.199.61", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59721, 
@@ -3886,6 +4010,7 @@ "client.ip": "192.168.0.2", "client.port": 59752, "client.user.name": "crusher", + "destination.address": "213.180.199.61", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", "destination.geo.location.lat": 55.7386, @@ -3932,6 +4057,7 @@ "server.ip": "213.180.199.61", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59752, @@ -3945,6 +4071,7 @@ "@timestamp": "2012-04-10T04:19:59.000Z", "client.ip": "173.236.179.57", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 54431, @@ -3990,6 +4117,7 @@ "server.port": 54431, "server.user.name": "crusher", "service.type": "palo_alto", + "source.address": "173.236.179.57", "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", @@ -4009,6 +4137,7 @@ "client.ip": "192.168.0.2", "client.port": 63183, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4058,6 +4187,7 @@ "server.ip": "204.232.231.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 63183, @@ -4072,6 +4202,7 @@ "client.ip": "192.168.0.6", "client.port": 1047, "client.user.name": "jordy", + "destination.address": "207.46.140.46", "destination.geo.city_name": "Hong Kong", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "HK", 
@@ -4121,6 +4252,7 @@ "server.ip": "207.46.140.46", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.6", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.6", "source.port": 1047, @@ -4134,6 +4266,7 @@ "@timestamp": "2012-04-09T08:18:29.000Z", "client.ip": "65.54.161.34", "client.port": 80, + "destination.address": "192.168.0.6", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", "destination.port": 1039, @@ -4179,6 +4312,7 @@ "server.port": 1039, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "65.54.161.34", "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", @@ -4197,6 +4331,7 @@ "@timestamp": "2012-04-09T08:18:32.000Z", "client.ip": "65.55.5.231", "client.port": 80, + "destination.address": "192.168.0.6", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", "destination.port": 1064, @@ -4242,6 +4377,7 @@ "server.port": 1064, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "65.55.5.231", "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", @@ -4261,6 +4397,7 @@ "client.ip": "192.168.0.6", "client.port": 1048, "client.user.name": "jordy", + "destination.address": "65.54.71.11", "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4310,6 +4447,7 @@ "server.ip": "65.54.71.11", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.6", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.6", "source.port": 1048, 
@@ -4323,6 +4461,7 @@ "@timestamp": "2012-04-09T08:18:37.000Z", "client.ip": "74.125.239.17", "client.port": 80, + "destination.address": "192.168.0.6", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", "destination.port": 1071, @@ -4368,6 +4507,7 @@ "server.port": 1071, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.239.17", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4384,6 +4524,7 @@ "client.ip": "192.168.0.2", "client.port": 57502, "client.user.name": "picard", + "destination.address": "208.85.40.48", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4430,6 +4571,7 @@ "server.ip": "208.85.40.48", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 57502, @@ -4443,6 +4585,7 @@ "@timestamp": "2012-04-09T08:58:18.000Z", "client.ip": "74.125.224.198", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 57876, @@ -4488,6 +4631,7 @@ "server.port": 57876, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.198", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4503,6 +4647,7 @@ "@timestamp": "2012-04-09T08:22:27.000Z", "client.ip": "188.190.124.75", "client.port": 80, + "destination.address": "192.168.0.6", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", "destination.port": 1082, 
@@ -4548,6 +4693,7 @@ "server.port": 1082, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "188.190.124.75", "source.geo.country_iso_code": "Ukraine", "source.ip": "188.190.124.75", "source.port": 80, @@ -4560,6 +4706,7 @@ "@timestamp": "2012-04-09T07:11:43.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 50986, @@ -4605,6 +4752,7 @@ "server.port": 50986, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4620,6 +4768,7 @@ "@timestamp": "2012-04-09T07:14:02.000Z", "client.ip": "74.125.239.3", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 51716, @@ -4665,6 +4814,7 @@ "server.port": 51716, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.239.3", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4680,6 +4830,7 @@ "@timestamp": "2012-04-09T07:14:39.000Z", "client.ip": "74.125.239.3", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 52119, @@ -4725,6 +4876,7 @@ "server.port": 52119, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.239.3", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, 
@@ -4740,6 +4892,7 @@ "@timestamp": "2012-04-09T07:16:03.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 52411, @@ -4785,6 +4938,7 @@ "server.port": 52411, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4801,6 +4955,7 @@ "client.ip": "192.168.0.2", "client.port": 52366, "client.user.name": "picard", + "destination.address": "74.125.239.6", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4847,6 +5002,7 @@ "server.ip": "74.125.239.6", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 52366, @@ -4860,6 +5016,7 @@ "@timestamp": "2012-04-09T07:25:04.000Z", "client.ip": "74.125.224.193", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 53026, @@ -4905,6 +5062,7 @@ "server.port": 53026, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.193", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4920,6 +5078,7 @@ "@timestamp": "2012-04-09T07:36:04.000Z", "client.ip": "74.125.239.20", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 53809, 
@@ -4965,6 +5124,7 @@ "server.port": 53809, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.239.20", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -4980,6 +5140,7 @@ "@timestamp": "2012-04-09T08:08:08.000Z", "client.ip": "208.80.154.225", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 55912, @@ -5025,6 +5186,7 @@ "server.port": 55912, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "208.80.154.225", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5040,6 +5202,7 @@ "@timestamp": "2012-04-09T08:08:44.000Z", "client.ip": "208.80.154.234", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 55916, @@ -5085,6 +5248,7 @@ "server.port": 55916, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "208.80.154.234", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5100,6 +5264,7 @@ "@timestamp": "2012-04-09T08:16:57.000Z", "client.ip": "65.54.75.25", "client.port": 80, + "destination.address": "192.168.0.6", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", "destination.port": 1046, @@ -5145,6 +5310,7 @@ "server.port": 1046, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "65.54.75.25", "source.geo.city_name": "Los Angeles", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", 
@@ -5163,6 +5329,7 @@ "@timestamp": "2012-04-09T04:06:41.000Z", "client.ip": "74.125.224.206", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 61734, @@ -5208,6 +5375,7 @@ "server.port": 61734, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.206", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5223,6 +5391,7 @@ "@timestamp": "2012-04-09T04:12:52.000Z", "client.ip": "74.125.224.195", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 62292, @@ -5268,6 +5437,7 @@ "server.port": 62292, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.195", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5283,6 +5453,7 @@ "@timestamp": "2012-04-09T06:07:49.000Z", "client.ip": "207.178.96.34", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 64669, @@ -5328,6 +5499,7 @@ "server.port": 64669, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "207.178.96.34", "source.geo.city_name": "Wichita", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", @@ -5346,6 +5518,7 @@ "@timestamp": "2012-04-09T06:48:44.000Z", "client.ip": "74.125.224.195", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 65265, 
@@ -5391,6 +5564,7 @@ "server.port": 65265, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.195", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5406,6 +5580,7 @@ "@timestamp": "2012-04-09T06:48:59.000Z", "client.ip": "74.125.239.20", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 64979, @@ -5451,6 +5626,7 @@ "server.port": 64979, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.239.20", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5466,6 +5642,7 @@ "@timestamp": "2012-04-09T06:50:14.000Z", "client.ip": "66.152.109.24", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 49432, @@ -5511,6 +5688,7 @@ "server.port": 49432, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "66.152.109.24", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5526,6 +5704,7 @@ "@timestamp": "2012-04-09T06:51:34.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 49722, @@ -5571,6 +5750,7 @@ "server.port": 49722, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, 
@@ -5587,6 +5767,7 @@ "client.ip": "192.168.0.2", "client.port": 49681, "client.user.name": "picard", + "destination.address": "74.125.224.201", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -5633,6 +5814,7 @@ "server.ip": "74.125.224.201", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 49681, @@ -5646,6 +5828,7 @@ "@timestamp": "2012-04-09T06:54:35.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 50108, @@ -5691,6 +5874,7 @@ "server.port": 50108, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5706,6 +5890,7 @@ "@timestamp": "2012-04-09T06:54:55.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 50387, @@ -5751,6 +5936,7 @@ "server.port": 50387, "server.user.name": "picard", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5767,6 +5953,7 @@ "client.ip": "192.168.0.2", "client.port": 59781, "client.user.name": "jordy", + "destination.address": "208.85.40.48", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -5813,6 +6000,7 @@ "server.ip": "208.85.40.48", "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", "source.port": 59781, @@ -5826,6 +6014,7 @@ "@timestamp": "2012-04-09T03:45:45.000Z", "client.ip": "74.125.224.201", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 60005, @@ -5871,6 +6060,7 @@ "server.port": 60005, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.201", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5886,6 +6076,7 @@ "@timestamp": "2012-04-09T03:49:17.000Z", "client.ip": "74.125.224.201", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 60443, @@ -5931,6 +6122,7 @@ "server.port": 60443, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.201", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -5946,6 +6138,7 @@ "@timestamp": "2012-04-09T03:53:41.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 60822, @@ -5991,6 +6184,7 @@ "server.port": 60822, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, 
@@ -6006,6 +6200,7 @@ "@timestamp": "2012-04-09T03:55:23.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 61105, @@ -6051,6 +6246,7 @@ "server.port": 61105, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -6066,6 +6262,7 @@ "@timestamp": "2012-04-09T03:55:52.000Z", "client.ip": "74.125.224.198", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 60782, @@ -6111,6 +6308,7 @@ "server.port": 60782, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.198", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, @@ -6126,6 +6324,7 @@ "@timestamp": "2012-04-09T04:03:55.000Z", "client.ip": "74.125.224.200", "client.port": 80, + "destination.address": "192.168.0.2", "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", "destination.port": 61470, @@ -6171,6 +6370,7 @@ "server.port": 61470, "server.user.name": "jordy", "service.type": "palo_alto", + "source.address": "74.125.224.200", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json index bc3ec74e09c1..bdf2ad4d7baf 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json 
@@ -6,6 +6,7 @@ "client.packets": 0, "client.port": 59324, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -61,6 +62,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -77,6 +79,7 @@ "client.packets": 0, "client.port": 54448, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -129,6 +132,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -145,6 +149,7 @@ "client.packets": 0, "client.port": 53121, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -197,6 +202,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -213,6 +219,7 @@ "client.packets": 0, "client.port": 59323, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -268,6 +275,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -284,6 +292,7 @@ "client.packets": 0, "client.port": 59322, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -339,6 +348,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -355,6 +365,7 @@ "client.packets": 0, "client.port": 55766, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 74, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -407,6 +418,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -423,6 +435,7 @@ "client.packets": 0, "client.port": 55072, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 74, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -475,6 +488,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -491,6 +505,7 @@ "client.packets": 4, "client.port": 59207, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -546,6 +561,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, 
@@ -562,6 +578,7 @@ "client.packets": 4, "client.port": 59209, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -617,6 +634,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, @@ -633,6 +651,7 @@ "client.packets": 4, "client.port": 59208, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -688,6 +707,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, @@ -704,6 +724,7 @@ "client.packets": 0, "client.port": 59318, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -759,6 +780,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -775,6 +797,7 @@ "client.packets": 0, "client.port": 59317, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -830,6 +853,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -846,6 +870,7 @@ "client.packets": 0, "client.port": 59316, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -901,6 +926,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -917,6 +943,7 @@ "client.packets": 0, "client.port": 59315, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -972,6 +999,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -988,6 +1016,7 @@ "client.packets": 4, "client.port": 59206, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1043,6 +1072,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, @@ -1059,6 +1089,7 @@ "client.packets": 4, "client.port": 59205, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1114,6 +1145,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, 
@@ -1130,6 +1162,7 @@ "client.packets": 3, "client.port": 56858, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 1359, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1185,6 +1218,7 @@ "server.packets": 18, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 551, "source.ip": "192.168.0.2", "source.packets": 3, @@ -1201,6 +1235,7 @@ "client.packets": 0, "client.port": 59314, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1256,6 +1291,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -1272,6 +1308,7 @@ "client.packets": 0, "client.port": 59313, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1327,6 +1364,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -1343,6 +1381,7 @@ "client.packets": 0, "client.port": 52139, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 69, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1395,6 +1434,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -1411,6 +1451,7 @@ "client.packets": 0, "client.port": 60592, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 69, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1463,6 +1504,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -1479,6 +1521,7 @@ "client.packets": 0, "client.port": 59309, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1534,6 +1577,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -1550,6 +1594,7 @@ "client.packets": 1, "client.port": 57322, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 66, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1602,6 +1647,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 98, "source.ip": "192.168.0.2", "source.packets": 1, @@ -1618,6 +1664,7 @@ "client.packets": 4, "client.port": 59204, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1673,6 +1720,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, 
@@ -1689,6 +1737,7 @@ "client.packets": 4, "client.port": 59203, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 549, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1744,6 +1793,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 806, "source.ip": "192.168.0.2", "source.packets": 4, @@ -1760,6 +1810,7 @@ "client.packets": 0, "client.port": 59305, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -1815,6 +1866,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -1831,6 +1883,7 @@ "client.packets": 0, "client.port": 64005, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 69, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1883,6 +1936,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -1899,6 +1953,7 @@ "client.packets": 0, "client.port": 58768, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 69, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1951,6 +2006,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -1967,6 +2023,7 @@ "client.packets": 8, "client.port": 47752, "client.user.name": "crusher", + "destination.address": "98.149.55.63", "destination.bytes": 504, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2019,6 +2076,7 @@ "server.packets": 8, "server.port": 13069, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 504, "source.ip": "192.168.0.2", "source.packets": 8, @@ -2035,6 +2093,7 @@ "client.packets": 0, "client.port": 59304, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -2090,6 +2149,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2106,6 +2166,7 @@ "client.packets": 0, "client.port": 54533, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 71, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2158,6 +2219,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2174,6 +2236,7 @@ "client.packets": 10, "client.port": 59201, "client.user.name": "crusher", + "destination.address": "212.48.10.58", "destination.bytes": 837, "destination.geo.city_name": "Milan", "destination.geo.continent_name": "Europe", @@ -2229,6 +2292,7 @@ "server.packets": 10, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 9130, "source.ip": "192.168.0.2", "source.packets": 10, 
@@ -2245,6 +2309,7 @@ "client.packets": 0, "client.port": 59303, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -2300,6 +2365,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2316,6 +2382,7 @@ "client.packets": 0, "client.port": 50876, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2368,6 +2435,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2384,6 +2452,7 @@ "client.packets": 0, "client.port": 57657, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2436,6 +2505,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2452,6 +2522,7 @@ "client.packets": 0, "client.port": 59302, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -2507,6 +2578,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -2523,6 +2595,7 @@ "client.packets": 0, "client.port": 59301, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -2578,6 +2651,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2594,6 +2668,7 @@ "client.packets": 0, "client.port": 64844, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2646,6 +2721,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2662,6 +2738,7 @@ "client.packets": 0, "client.port": 52257, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2714,6 +2791,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -2729,6 +2807,7 @@ "client.ip": "192.168.0.100", "client.packets": 1, "client.port": 38796, + "destination.address": "8.8.8.8", "destination.bytes": 95, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2780,6 +2859,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.100", "source.bytes": 111, "source.ip": "192.168.0.100", "source.packets": 1, 
@@ -2795,6 +2875,7 @@ "client.packets": 7, "client.port": 59200, "client.user.name": "crusher", + "destination.address": "62.211.68.12", "destination.bytes": 597, "destination.geo.city_name": "Latina", "destination.geo.continent_name": "Europe", @@ -2850,6 +2931,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 906, "source.ip": "192.168.0.2", "source.packets": 7, @@ -2865,6 +2947,7 @@ "client.ip": "192.168.0.100", "client.packets": 7, "client.port": 48412, + "destination.address": "50.19.102.116", "destination.bytes": 804, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -2919,6 +3002,7 @@ "server.packets": 10, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.0.100", "source.bytes": 5013, "source.ip": "192.168.0.100", "source.packets": 7, @@ -2934,6 +3018,7 @@ "client.packets": 1, "client.port": 47752, "client.user.name": "crusher", + "destination.address": "65.55.223.19", "destination.bytes": 187, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", @@ -2989,6 +3074,7 @@ "server.packets": 1, "server.port": 40026, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 99, "source.ip": "192.168.0.2", "source.packets": 1, @@ -3005,6 +3091,7 @@ "client.packets": 1, "client.port": 47752, "client.user.name": "crusher", + "destination.address": "65.55.223.24", "destination.bytes": 76, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", @@ -3060,6 +3147,7 @@ "server.packets": 1, "server.port": 40029, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 902, "source.ip": "192.168.0.2", "source.packets": 1, 
@@ -3075,6 +3163,7 @@ "client.ip": "192.168.0.100", "client.packets": 1, "client.port": 52189, + "destination.address": "8.8.8.8", "destination.bytes": 86, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3126,6 +3215,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.100", "source.bytes": 141, "source.ip": "192.168.0.100", "source.packets": 1, @@ -3141,6 +3231,7 @@ "client.packets": 0, "client.port": 59300, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -3196,6 +3287,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -3212,6 +3304,7 @@ "client.packets": 0, "client.port": 54414, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 73, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3264,6 +3357,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -3280,6 +3374,7 @@ "client.packets": 0, "client.port": 59299, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -3335,6 +3430,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -3351,6 +3447,7 @@ "client.packets": 0, "client.port": 60399, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3403,6 +3500,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -3419,6 +3517,7 @@ "client.packets": 2, "client.port": 59626, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3471,6 +3570,7 @@ "server.packets": 2, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 316, "source.ip": "192.168.0.2", "source.packets": 2, @@ -3487,6 +3587,7 @@ "client.packets": 1, "client.port": 51542, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 75, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3539,6 +3640,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 121, "source.ip": "192.168.0.2", "source.packets": 1, @@ -3555,6 +3657,7 @@ "client.packets": 1, "client.port": 54182, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 75, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3607,6 +3710,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 169, "source.ip": "192.168.0.2", "source.packets": 1, 
@@ -3623,6 +3727,7 @@ "client.packets": 7, "client.port": 59199, "client.user.name": "crusher", + "destination.address": "62.211.68.12", "destination.bytes": 594, "destination.geo.city_name": "Latina", "destination.geo.continent_name": "Europe", @@ -3678,6 +3783,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 954, "source.ip": "192.168.0.2", "source.packets": 7, @@ -3694,6 +3800,7 @@ "client.packets": 10, "client.port": 59198, "client.user.name": "crusher", + "destination.address": "212.48.10.58", "destination.bytes": 1005, "destination.geo.city_name": "Milan", "destination.geo.continent_name": "Europe", @@ -3749,6 +3856,7 @@ "server.packets": 12, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 9130, "source.ip": "192.168.0.2", "source.packets": 10, @@ -3765,6 +3873,7 @@ "client.packets": 3, "client.port": 56856, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 1363, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -3820,6 +3929,7 @@ "server.packets": 18, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 555, "source.ip": "192.168.0.2", "source.packets": 3, @@ -3836,6 +3946,7 @@ "client.packets": 0, "client.port": 52489, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3888,6 +3999,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -3904,6 +4016,7 @@ "client.packets": 0, "client.port": 59298, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -3959,6 +4072,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -3975,6 +4089,7 @@ "client.packets": 0, "client.port": 60185, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4027,6 +4142,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4043,6 +4159,7 @@ "client.packets": 0, "client.port": 51817, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4095,6 +4212,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4111,6 +4229,7 @@ "client.packets": 0, "client.port": 47752, "client.user.name": "crusher", + "destination.address": "65.55.223.31", "destination.bytes": 186, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", @@ -4166,6 +4285,7 @@ "server.packets": 1, "server.port": 40043, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -4182,6 +4302,7 @@ "client.packets": 0, "client.port": 59297, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -4237,6 +4358,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4253,6 +4375,7 @@ "client.packets": 0, "client.port": 52537, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 82, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4305,6 +4428,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4321,6 +4445,7 @@ "client.packets": 0, "client.port": 53155, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 82, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4373,6 +4498,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4389,6 +4515,7 @@ "client.packets": 7, "client.port": 59197, "client.user.name": "crusher", + "destination.address": "62.211.68.12", "destination.bytes": 581, "destination.geo.city_name": "Latina", "destination.geo.continent_name": "Europe", @@ -4444,6 +4571,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 906, "source.ip": "192.168.0.2", "source.packets": 7, 
@@ -4460,6 +4588,7 @@ "client.packets": 1, "client.port": 56995, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 88, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4512,6 +4641,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 163, "source.ip": "192.168.0.2", "source.packets": 1, @@ -4528,6 +4658,7 @@ "client.packets": 0, "client.port": 59069, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4580,6 +4711,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4596,6 +4728,7 @@ "client.packets": 0, "client.port": 55697, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4648,6 +4781,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4664,6 +4798,7 @@ "client.packets": 0, "client.port": 59295, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -4719,6 +4854,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -4735,6 +4871,7 @@ "client.packets": 7, "client.port": 59196, "client.user.name": "crusher", + "destination.address": "62.211.68.12", "destination.bytes": 578, "destination.geo.city_name": "Latina", "destination.geo.continent_name": "Europe", @@ -4790,6 +4927,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 922, "source.ip": "192.168.0.2", "source.packets": 7, @@ -4806,6 +4944,7 @@ "client.packets": 0, "client.port": 59291, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -4861,6 +5000,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4877,6 +5017,7 @@ "client.packets": 0, "client.port": 52858, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 77, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4929,6 +5070,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -4945,6 +5087,7 @@ "client.packets": 0, "client.port": 61383, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 77, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4997,6 +5140,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -5013,6 +5157,7 @@ "client.packets": 0, "client.port": 59290, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -5068,6 +5213,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -5084,6 +5230,7 @@ "client.packets": 22, "client.port": 59195, "client.user.name": "crusher", + "destination.address": "8.5.1.1", "destination.bytes": 1310, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5136,6 +5283,7 @@ "server.packets": 17, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 26786, "source.ip": "192.168.0.2", "source.packets": 22, @@ -5152,6 +5300,7 @@ "client.packets": 0, "client.port": 49812, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 83, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5204,6 +5353,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -5220,6 +5370,7 @@ "client.packets": 0, "client.port": 50185, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 83, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5272,6 +5423,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -5288,6 +5440,7 @@ "client.packets": 0, "client.port": 59286, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -5343,6 +5496,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -5359,6 +5513,7 @@ "client.packets": 1, "client.port": 52531, "client.user.name": "crusher", + "destination.address": "192.168.0.1", "destination.bytes": 75, "destination.ip": "192.168.0.1", "destination.packets": 1, @@ -5407,6 +5562,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 169, "source.ip": "192.168.0.2", "source.packets": 1, @@ -5423,6 +5579,7 @@ "client.packets": 9, "client.port": 59194, "client.user.name": "crusher", + "destination.address": "212.48.10.58", "destination.bytes": 1033, "destination.geo.city_name": "Milan", "destination.geo.continent_name": "Europe", @@ -5478,6 +5635,7 @@ "server.packets": 12, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 9064, "source.ip": "192.168.0.2", "source.packets": 9, @@ -5494,6 +5652,7 @@ "client.packets": 10, "client.port": 59192, "client.user.name": "crusher", + "destination.address": "212.48.10.58", "destination.bytes": 981, "destination.geo.city_name": "Milan", "destination.geo.continent_name": "Europe", @@ -5549,6 +5708,7 @@ "server.packets": 12, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 9124, "source.ip": "192.168.0.2", "source.packets": 10, @@ -5565,6 +5725,7 @@ "client.packets": 1, "client.port": 56463, "client.user.name": "crusher", + "destination.address": "192.168.0.1", "destination.bytes": 77, "destination.ip": "192.168.0.1", "destination.packets": 1, 
@@ -5613,6 +5774,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 137, "source.ip": "192.168.0.2", "source.packets": 1, @@ -5629,6 +5791,7 @@ "client.packets": 1, "client.port": 55849, "client.user.name": "crusher", + "destination.address": "192.168.0.1", "destination.bytes": 77, "destination.ip": "192.168.0.1", "destination.packets": 1, @@ -5677,6 +5840,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 93, "source.ip": "192.168.0.2", "source.packets": 1, @@ -5693,6 +5857,7 @@ "client.packets": 0, "client.port": 59282, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -5748,6 +5913,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -5764,6 +5930,7 @@ "client.packets": 0, "client.port": 57846, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 71, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5816,6 +5983,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -5832,6 +6000,7 @@ "client.packets": 0, "client.port": 51008, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 71, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5884,6 +6053,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -5900,6 +6070,7 @@ "client.packets": 0, "client.port": 59281, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -5955,6 +6126,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -5971,6 +6143,7 @@ "client.packets": 0, "client.port": 55252, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6023,6 +6196,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6039,6 +6213,7 @@ "client.packets": 0, "client.port": 56995, "client.user.name": "crusher", + "destination.address": "192.168.0.1", "destination.bytes": 176, "destination.ip": "192.168.0.1", "destination.packets": 2, @@ -6087,6 +6262,7 @@ "server.packets": 2, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6103,6 +6279,7 @@ "client.packets": 0, "client.port": 60989, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6155,6 +6332,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
@@ -6171,6 +6349,7 @@ "client.packets": 0, "client.port": 59280, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6226,6 +6405,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6242,6 +6422,7 @@ "client.packets": 0, "client.port": 53766, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 81, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6294,6 +6475,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6310,6 +6492,7 @@ "client.packets": 0, "client.port": 56032, "client.user.name": "crusher", + "destination.address": "205.171.2.25", "destination.bytes": 81, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6362,6 +6545,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6378,6 +6562,7 @@ "client.packets": 7, "client.port": 59193, "client.user.name": "crusher", + "destination.address": "62.211.68.12", "destination.bytes": 581, "destination.geo.city_name": "Latina", "destination.geo.continent_name": "Europe", @@ -6433,6 +6618,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 906, "source.ip": "192.168.0.2", "source.packets": 7, 
@@ -6449,6 +6635,7 @@ "client.packets": 0, "client.port": 59279, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6504,6 +6691,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6520,6 +6708,7 @@ "client.packets": 0, "client.port": 59278, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6575,6 +6764,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6591,6 +6781,7 @@ "client.packets": 0, "client.port": 59277, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6646,6 +6837,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, @@ -6662,6 +6854,7 @@ "client.packets": 0, "client.port": 60026, "client.user.name": "crusher", + "destination.address": "192.168.0.1", "destination.bytes": 166, "destination.ip": "192.168.0.1", "destination.packets": 2, @@ -6710,6 +6903,7 @@ "server.packets": 2, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, 
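Review bot: in every traffic.log-expected.json hunk above, the newly added `source.address` and `destination.address` values are byte-for-byte identical to the `source.ip` and `destination.ip` already present in the same event (for example `+ "destination.address": "204.232.231.46"` next to the existing `"destination.ip": "204.232.231.46"`, and `+ "source.address": "192.168.0.2"` next to `"source.ip": "192.168.0.2"`), which suggests the pipeline is copying the parsed IP into `.address` rather than setting `.address` from the raw log field. ECS intends `.address` to carry the value exactly as logged (IP or hostname) and `.ip` to hold only a validated IP, so the safer ordering is to populate `.address` first and derive `.ip` from it only when the value parses as an address; otherwise a hostname in a PAN-OS log line would land in an `ip`-typed field and the event would be rejected at index time. Worth confirming this against the pipeline.yml in this series before the expected files are regenerated.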
@@ -6726,6 +6920,7 @@ "client.packets": 1, "client.port": 59276, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 351, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6781,6 +6976,7 @@ "server.packets": 3, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 78, "source.ip": "192.168.0.2", "source.packets": 1, @@ -6797,6 +6993,7 @@ "client.packets": 1, "client.port": 59275, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 351, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6852,6 +7049,7 @@ "server.packets": 3, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 78, "source.ip": "192.168.0.2", "source.packets": 1, @@ -6868,6 +7066,7 @@ "client.packets": 0, "client.port": 59274, "client.user.name": "crusher", + "destination.address": "204.232.231.46", "destination.bytes": 78, "destination.geo.city_name": "Charlotte", "destination.geo.continent_name": "North America", @@ -6923,6 +7122,7 @@ "server.packets": 1, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.0.2", "source.bytes": 0, "source.ip": "192.168.0.2", "source.packets": 0, diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json index 42ed5e737454..0b4a7a429350 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json @@ -3,6 +3,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52984, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -55,6 +56,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52984, @@ -67,6 +69,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52983, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -119,6 +122,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52983, @@ -131,6 +135,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52986, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -183,6 +188,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52986, @@ -195,6 +201,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52985, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -247,6 +254,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52985, 
@@ -259,6 +267,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52987, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -311,6 +320,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52987, @@ -323,6 +333,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52988, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -375,6 +386,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52988, @@ -387,6 +399,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52990, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -439,6 +452,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52990, @@ -451,6 +465,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52989, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -503,6 +518,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52989, @@ -515,6 +531,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52992, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -567,6 +584,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52992, @@ -579,6 +597,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52991, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -631,6 +650,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52991, @@ -643,6 +663,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52994, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -695,6 +716,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52994, 
@@ -707,6 +729,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52993, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -759,6 +782,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52993, @@ -771,6 +795,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52995, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -823,6 +848,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52995, @@ -835,6 +861,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52996, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -887,6 +914,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52996, @@ -899,6 +927,7 @@ "@timestamp": "2018-11-30T16:44:36.000Z", "client.ip": "192.168.15.224", "client.port": 52997, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -951,6 +980,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52997, @@ -963,6 +993,7 @@ "@timestamp": "2018-11-30T16:44:37.000Z", "client.ip": "192.168.15.224", "client.port": 52998, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1015,6 +1046,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52998, @@ -1027,6 +1059,7 @@ "@timestamp": "2018-11-30T16:44:37.000Z", "client.ip": "192.168.15.224", "client.port": 52999, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1079,6 +1112,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 52999, @@ -1091,6 +1125,7 @@ "@timestamp": "2018-11-30T16:44:37.000Z", "client.ip": "192.168.15.224", "client.port": 53001, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1143,6 +1178,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53001, 
@@ -1155,6 +1191,7 @@ "@timestamp": "2018-11-30T16:44:37.000Z", "client.ip": "192.168.15.224", "client.port": 53002, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1207,6 +1244,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53002, @@ -1219,6 +1257,7 @@ "@timestamp": "2018-11-30T16:44:38.000Z", "client.ip": "192.168.15.224", "client.port": 53003, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1271,6 +1310,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53003, @@ -1283,6 +1323,7 @@ "@timestamp": "2018-11-30T16:44:38.000Z", "client.ip": "192.168.15.224", "client.port": 53004, + "destination.address": "23.72.137.131", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1335,6 +1376,7 @@ "server.ip": "23.72.137.131", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53004, @@ -1347,6 +1389,7 @@ "@timestamp": "2018-11-30T16:44:38.000Z", "client.ip": "192.168.15.224", "client.port": 53000, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -1399,6 +1442,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53000, @@ -1411,6 +1455,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53006, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1463,6 +1508,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53006, @@ -1475,6 +1521,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53007, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1527,6 +1574,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53007, @@ -1539,6 +1587,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53008, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1591,6 +1640,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53008, 
@@ -1603,6 +1653,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53010, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1655,6 +1706,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53010, @@ -1667,6 +1719,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53011, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1719,6 +1772,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53011, @@ -1731,6 +1785,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53012, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1783,6 +1838,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53012, @@ -1795,6 +1851,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53013, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -1847,6 +1904,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53013, @@ -1859,6 +1917,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53014, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1911,6 +1970,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53014, @@ -1923,6 +1983,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53022, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1975,6 +2036,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53022, @@ -1987,6 +2049,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53023, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2039,6 +2102,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53023, 
@@ -2051,6 +2115,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53024, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2103,6 +2168,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53024, @@ -2115,6 +2181,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53025, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2167,6 +2234,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53025, @@ -2179,6 +2247,7 @@ "@timestamp": "2018-11-30T16:44:46.000Z", "client.ip": "192.168.15.224", "client.port": 53026, + "destination.address": "152.195.55.192", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2231,6 +2300,7 @@ "server.ip": "152.195.55.192", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53026, @@ -2243,6 +2313,7 @@ "@timestamp": "2018-11-30T16:44:53.000Z", "client.ip": "192.168.15.224", "client.port": 53041, + "destination.address": "151.101.2.2", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -2295,6 +2366,7 @@ "server.ip": "151.101.2.2", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53041, @@ -2307,6 +2379,7 @@ "@timestamp": "2018-11-30T16:44:54.000Z", "client.ip": "192.168.15.224", "client.port": 53040, + "destination.address": "54.192.7.152", "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2362,6 +2435,7 @@ "server.ip": "54.192.7.152", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53040, @@ -2374,6 +2448,7 @@ "@timestamp": "2018-11-30T16:44:58.000Z", "client.ip": "192.168.15.224", "client.port": 53093, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2429,6 +2504,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53093, @@ -2441,6 +2517,7 @@ "@timestamp": "2018-11-30T16:44:58.000Z", "client.ip": "192.168.15.224", "client.port": 53094, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2496,6 +2573,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53094, 
@@ -2508,6 +2586,7 @@ "@timestamp": "2018-11-30T16:44:58.000Z", "client.ip": "192.168.15.224", "client.port": 53095, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2563,6 +2642,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53095, @@ -2575,6 +2655,7 @@ "@timestamp": "2018-11-30T16:44:58.000Z", "client.ip": "192.168.15.224", "client.port": 53096, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2630,6 +2711,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53096, @@ -2642,6 +2724,7 @@ "@timestamp": "2018-11-30T16:44:59.000Z", "client.ip": "192.168.15.224", "client.port": 53097, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2697,6 +2780,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53097, @@ -2709,6 +2793,7 @@ "@timestamp": "2018-11-30T16:44:59.000Z", "client.ip": "192.168.15.224", "client.port": 53099, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -2764,6 +2849,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53099, @@ -2776,6 +2862,7 @@ "@timestamp": "2018-11-30T16:44:59.000Z", "client.ip": "192.168.15.224", "client.port": 53100, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2831,6 +2918,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53100, @@ -2843,6 +2931,7 @@ "@timestamp": "2018-11-30T16:45:00.000Z", "client.ip": "192.168.15.224", "client.port": 53101, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2898,6 +2987,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53101, @@ -2910,6 +3000,7 @@ "@timestamp": "2018-11-30T16:45:00.000Z", "client.ip": "192.168.15.224", "client.port": 53104, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2965,6 +3056,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53104, 
@@ -2977,6 +3069,7 @@ "@timestamp": "2018-11-30T16:45:00.000Z", "client.ip": "192.168.15.224", "client.port": 53107, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3032,6 +3125,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53107, @@ -3044,6 +3138,7 @@ "@timestamp": "2018-11-30T16:45:00.000Z", "client.ip": "192.168.15.224", "client.port": 53108, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3099,6 +3194,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53108, @@ -3111,6 +3207,7 @@ "@timestamp": "2018-11-30T16:45:00.000Z", "client.ip": "192.168.15.224", "client.port": 53109, + "destination.address": "52.4.120.175", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3166,6 +3263,7 @@ "server.ip": "52.4.120.175", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53109, @@ -3178,6 +3276,7 @@ "@timestamp": "2018-11-30T16:45:13.000Z", "client.ip": "192.168.15.224", "client.port": 53118, + "destination.address": "216.58.194.98", "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -3233,6 +3332,7 @@ "server.ip": "216.58.194.98", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53118, @@ -3245,6 +3345,7 @@ "@timestamp": "2018-11-30T16:45:15.000Z", "client.ip": "192.168.15.224", "client.port": 53126, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3297,6 +3398,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53126, @@ -3309,6 +3411,7 @@ "@timestamp": "2018-11-30T16:45:15.000Z", "client.ip": "192.168.15.224", "client.port": 53127, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3361,6 +3464,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53127, @@ -3373,6 +3477,7 @@ "@timestamp": "2018-11-30T16:45:15.000Z", "client.ip": "192.168.15.224", "client.port": 53128, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3425,6 +3530,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53128, 
@@ -3437,6 +3543,7 @@ "@timestamp": "2018-11-30T16:45:15.000Z", "client.ip": "192.168.15.224", "client.port": 53129, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3489,6 +3596,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53129, @@ -3501,6 +3609,7 @@ "@timestamp": "2018-11-30T16:45:16.000Z", "client.ip": "192.168.15.224", "client.port": 53130, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3553,6 +3662,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53130, @@ -3565,6 +3675,7 @@ "@timestamp": "2018-11-30T16:45:16.000Z", "client.ip": "192.168.15.224", "client.port": 53131, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3617,6 +3728,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53131, @@ -3629,6 +3741,7 @@ "@timestamp": "2018-11-30T16:45:16.000Z", "client.ip": "192.168.15.224", "client.port": 53132, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -3681,6 +3794,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53132, @@ -3693,6 +3807,7 @@ "@timestamp": "2018-11-30T16:45:16.000Z", "client.ip": "192.168.15.224", "client.port": 53133, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3745,6 +3860,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53133, @@ -3757,6 +3873,7 @@ "@timestamp": "2018-11-30T16:45:16.000Z", "client.ip": "192.168.15.224", "client.port": 53134, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3809,6 +3926,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53134, @@ -3821,6 +3939,7 @@ "@timestamp": "2018-11-30T16:45:16.000Z", "client.ip": "192.168.15.224", "client.port": 53135, + "destination.address": "23.72.145.245", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3873,6 +3992,7 @@ "server.ip": "23.72.145.245", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53135, 
@@ -3885,6 +4005,7 @@ "@timestamp": "2018-11-30T16:45:26.000Z", "client.ip": "192.168.15.224", "client.port": 53152, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3940,6 +4061,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53152, @@ -3952,6 +4074,7 @@ "@timestamp": "2018-11-30T16:45:26.000Z", "client.ip": "192.168.15.224", "client.port": 53155, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4007,6 +4130,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53155, @@ -4019,6 +4143,7 @@ "@timestamp": "2018-11-30T16:45:26.000Z", "client.ip": "192.168.15.224", "client.port": 53158, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4074,6 +4199,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53158, @@ -4086,6 +4212,7 @@ "@timestamp": "2018-11-30T16:45:26.000Z", "client.ip": "192.168.15.224", "client.port": 53160, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -4141,6 +4268,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53160, @@ -4153,6 +4281,7 @@ "@timestamp": "2018-11-30T16:45:26.000Z", "client.ip": "192.168.15.224", "client.port": 53161, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4208,6 +4337,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53161, @@ -4220,6 +4350,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53162, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4275,6 +4406,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53162, @@ -4287,6 +4419,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53163, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4342,6 +4475,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53163, 
@@ -4354,6 +4488,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53164, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4409,6 +4544,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53164, @@ -4421,6 +4557,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53165, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4476,6 +4613,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53165, @@ -4488,6 +4626,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53166, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4543,6 +4682,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53166, @@ -4555,6 +4695,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53167, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -4610,6 +4751,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53167, @@ -4622,6 +4764,7 @@ "@timestamp": "2018-11-30T16:45:27.000Z", "client.ip": "192.168.15.224", "client.port": 53150, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4677,6 +4820,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53150, @@ -4689,6 +4833,7 @@ "@timestamp": "2018-11-30T16:45:28.000Z", "client.ip": "192.168.15.224", "client.port": 53185, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4744,6 +4889,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53185, @@ -4756,6 +4902,7 @@ "@timestamp": "2018-11-30T16:45:28.000Z", "client.ip": "192.168.15.224", "client.port": 53187, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4811,6 +4958,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53187, 
@@ -4823,6 +4971,7 @@ "@timestamp": "2018-11-30T16:45:28.000Z", "client.ip": "192.168.15.224", "client.port": 53188, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4878,6 +5027,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53188, @@ -4890,6 +5040,7 @@ "@timestamp": "2018-11-30T16:45:29.000Z", "client.ip": "192.168.15.224", "client.port": 53178, + "destination.address": "54.209.101.70", "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4945,6 +5096,7 @@ "server.ip": "54.209.101.70", "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", "source.ip": "192.168.15.224", "source.port": 53178, diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json index aebb63fb703c..755e84659bfe 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json @@ -5,6 +5,7 @@ "client.ip": "192.168.15.207", "client.packets": 20, "client.port": 55113, + "destination.address": "184.51.253.152", "destination.bytes": 1758, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -62,6 +63,7 @@ "server.packets": 16, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 5976, "source.ip": "192.168.15.207", "source.packets": 20, 
@@ -76,6 +78,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -133,6 +136,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -147,6 +151,7 @@ "client.ip": "192.168.15.207", "client.packets": 5, "client.port": 55114, + "destination.address": "17.253.3.202", "destination.bytes": 539, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -204,6 +209,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 1035, "source.ip": "192.168.15.207", "source.packets": 5, @@ -218,6 +224,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -275,6 +282,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -289,6 +297,7 @@ "client.ip": "192.168.15.196", "client.packets": 3, "client.port": 46774, + "destination.address": "216.58.194.99", "destination.bytes": 2014, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", @@ -349,6 +358,7 @@ "server.packets": 5, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.196", "source.bytes": 1613, "source.ip": "192.168.15.196", "source.packets": 3, 
@@ -363,6 +373,7 @@ "client.ip": "192.168.15.224", "client.packets": 51, "client.port": 52408, + "destination.address": "209.234.224.22", "destination.bytes": 20642, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -420,6 +431,7 @@ "server.packets": 62, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 21111, "source.ip": "192.168.15.224", "source.packets": 51, @@ -434,6 +446,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -491,6 +504,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -505,6 +519,7 @@ "client.ip": "192.168.15.224", "client.packets": 9, "client.port": 59190, + "destination.address": "172.217.2.238", "destination.bytes": 3365, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -562,6 +577,7 @@ "server.packets": 7, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 3732, "source.ip": "192.168.15.224", "source.packets": 9, @@ -576,6 +592,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 49728, + "destination.address": "8.8.8.8", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -633,6 +650,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 221, "source.ip": "192.168.15.207", "source.packets": 1, 
@@ -647,6 +665,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 50500, + "destination.address": "8.8.8.8", "destination.bytes": 77, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -704,6 +723,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 221, "source.ip": "192.168.15.207", "source.packets": 1, @@ -718,6 +738,7 @@ "client.ip": "192.168.15.207", "client.packets": 16, "client.port": 55112, + "destination.address": "17.249.60.78", "destination.bytes": 4509, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -775,6 +796,7 @@ "server.packets": 16, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 5469, "source.ip": "192.168.15.207", "source.packets": 16, @@ -789,6 +811,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 57632, + "destination.address": "8.8.8.8", "destination.bytes": 73, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -846,6 +869,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 224, "source.ip": "192.168.15.207", "source.packets": 1, @@ -860,6 +884,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 50271, + "destination.address": "8.8.8.8", "destination.bytes": 69, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -917,6 +942,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 117, "source.ip": "192.168.15.207", "source.packets": 1, 
@@ -931,6 +957,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 54061, + "destination.address": "8.8.8.8", "destination.bytes": 85, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -988,6 +1015,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 307, "source.ip": "192.168.15.207", "source.packets": 1, @@ -1002,6 +1030,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 52701, + "destination.address": "8.8.8.8", "destination.bytes": 75, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1059,6 +1088,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 365, "source.ip": "192.168.15.207", "source.packets": 1, @@ -1073,6 +1103,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1130,6 +1161,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -1144,6 +1176,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 62503, + "destination.address": "8.8.8.8", "destination.bytes": 97, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1201,6 +1234,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 161, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -1215,6 +1249,7 @@ "client.ip": "192.168.15.224", "client.packets": 13, "client.port": 52442, + "destination.address": "98.138.49.44", "destination.bytes": 2086, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1272,6 +1307,7 @@ "server.packets": 14, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 7805, "source.ip": "192.168.15.224", "source.packets": 13, @@ -1286,6 +1322,7 @@ "client.ip": "192.168.15.224", "client.packets": 11, "client.port": 52441, + "destination.address": "72.30.3.43", "destination.bytes": 2354, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1343,6 +1380,7 @@ "server.packets": 13, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 6106, "source.ip": "192.168.15.224", "source.packets": 11, @@ -1357,6 +1395,7 @@ "client.ip": "192.168.15.196", "client.packets": 2, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1414,6 +1453,7 @@ "server.packets": 2, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.196", "source.bytes": 196, "source.ip": "192.168.15.196", "source.packets": 2, @@ -1428,6 +1468,7 @@ "client.ip": "192.168.15.224", "client.packets": 17, "client.port": 52355, + "destination.address": "172.217.9.142", "destination.bytes": 2545, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1485,6 +1526,7 @@ "server.packets": 19, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 3245, "source.ip": "192.168.15.224", "source.packets": 17, 
@@ -1499,6 +1541,7 @@ "client.ip": "192.168.15.207", "client.packets": 1, "client.port": 50196, + "destination.address": "8.8.8.8", "destination.bytes": 82, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1556,6 +1599,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.207", "source.bytes": 179, "source.ip": "192.168.15.207", "source.packets": 1, @@ -1570,6 +1614,7 @@ "client.ip": "192.168.15.224", "client.packets": 12, "client.port": 52454, + "destination.address": "54.84.80.198", "destination.bytes": 1758, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -1630,6 +1675,7 @@ "server.packets": 13, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 4537, "source.ip": "192.168.15.224", "source.packets": 12, @@ -1644,6 +1690,7 @@ "client.ip": "192.168.15.224", "client.packets": 0, "client.port": 52445, + "destination.address": "199.167.55.52", "destination.bytes": 624, "destination.geo.city_name": "Santa Clara", "destination.geo.continent_name": "North America", @@ -1704,6 +1751,7 @@ "server.packets": 8, "server.port": 4282, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 0, "source.ip": "192.168.15.224", "source.packets": 0, @@ -1718,6 +1766,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1775,6 +1824,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, 
@@ -1789,6 +1839,7 @@ "client.ip": "192.168.15.210", "client.packets": 1, "client.port": 35485, + "destination.address": "8.8.8.8", "destination.bytes": 85, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1845,6 +1896,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.210", "source.bytes": 130, "source.ip": "192.168.15.210", "source.packets": 1, @@ -1859,6 +1911,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 62730, + "destination.address": "172.217.9.142", "destination.bytes": 2876, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1915,6 +1968,7 @@ "server.packets": 6, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 1991, "source.ip": "192.168.15.224", "source.packets": 6, @@ -1929,6 +1983,7 @@ "client.ip": "192.168.15.224", "client.packets": 5, "client.port": 52506, + "destination.address": "151.101.2.2", "destination.bytes": 1100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1986,6 +2041,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 523, "source.ip": "192.168.15.224", "source.packets": 5, @@ -2000,6 +2056,7 @@ "client.ip": "192.168.15.224", "client.packets": 4, "client.port": 60596, + "destination.address": "216.58.194.66", "destination.bytes": 1977, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", @@ -2060,6 +2117,7 @@ "server.packets": 5, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 2428, "source.ip": "192.168.15.224", "source.packets": 4, 
@@ -2074,6 +2132,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2131,6 +2190,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -2145,6 +2205,7 @@ "client.ip": "192.168.15.210", "client.packets": 2, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2202,6 +2263,7 @@ "server.packets": 2, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.210", "source.bytes": 196, "source.ip": "192.168.15.210", "source.packets": 2, @@ -2216,6 +2278,7 @@ "client.ip": "192.168.15.224", "client.packets": 10, "client.port": 52514, + "destination.address": "184.51.253.193", "destination.bytes": 2228, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2273,6 +2336,7 @@ "server.packets": 12, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 5003, "source.ip": "192.168.15.224", "source.packets": 10, @@ -2287,6 +2351,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 55155, + "destination.address": "8.8.8.8", "destination.bytes": 96, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2344,6 +2409,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 171, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -2358,6 +2424,7 @@ "client.ip": "192.168.15.224", "client.packets": 0, "client.port": 52445, + "destination.address": "199.167.55.52", "destination.bytes": 78, "destination.geo.city_name": "Santa Clara", "destination.geo.continent_name": "North America", @@ -2418,6 +2485,7 @@ "server.packets": 1, "server.port": 4282, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 0, "source.ip": "192.168.15.224", "source.packets": 0, @@ -2432,6 +2500,7 @@ "client.ip": "192.168.15.224", "client.packets": 9, "client.port": 52516, + "destination.address": "199.167.52.219", "destination.bytes": 1086, "destination.geo.city_name": "Santa Clara", "destination.geo.continent_name": "North America", @@ -2492,6 +2561,7 @@ "server.packets": 11, "server.port": 17472, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 2316, "source.ip": "192.168.15.224", "source.packets": 9, @@ -2506,6 +2576,7 @@ "client.ip": "192.168.15.224", "client.packets": 19, "client.port": 52511, + "destination.address": "52.71.117.196", "destination.bytes": 2628, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -2566,6 +2637,7 @@ "server.packets": 19, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 13966, "source.ip": "192.168.15.224", "source.packets": 19, @@ -2580,6 +2652,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 3018, + "destination.address": "8.8.8.8", "destination.bytes": 79, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2637,6 +2710,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 244, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -2651,6 +2725,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 16569, + "destination.address": "8.8.8.8", "destination.bytes": 95, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2708,6 +2783,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 205, "source.ip": "192.168.15.224", "source.packets": 1, @@ -2722,6 +2798,7 @@ "client.ip": "192.168.15.224", "client.packets": 20, "client.port": 52479, + "destination.address": "35.186.194.41", "destination.bytes": 4296, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", @@ -2782,6 +2859,7 @@ "server.packets": 24, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 2302, "source.ip": "192.168.15.224", "source.packets": 20, @@ -2796,6 +2874,7 @@ "client.ip": "192.168.15.224", "client.packets": 41, "client.port": 52478, + "destination.address": "35.201.124.9", "destination.bytes": 58831, "destination.geo.continent_name": "Asia", "destination.geo.location.lat": 35.0, @@ -2852,6 +2931,7 @@ "server.packets": 63, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 6757, "source.ip": "192.168.15.224", "source.packets": 41, @@ -2866,6 +2946,7 @@ "client.ip": "192.168.15.224", "client.packets": 15, "client.port": 52502, + "destination.address": "100.24.131.237", "destination.bytes": 4069, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -2926,6 +3007,7 @@ "server.packets": 17, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 9007, "source.ip": "192.168.15.224", "source.packets": 15, 
@@ -2940,6 +3022,7 @@ "client.ip": "192.168.15.224", "client.packets": 7, "client.port": 52458, + "destination.address": "184.51.252.247", "destination.bytes": 1100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2997,6 +3080,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 661, "source.ip": "192.168.15.224", "source.packets": 7, @@ -3011,6 +3095,7 @@ "client.ip": "192.168.15.224", "client.packets": 16, "client.port": 52484, + "destination.address": "35.190.88.148", "destination.bytes": 3596, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", @@ -3071,6 +3156,7 @@ "server.packets": 15, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 11136, "source.ip": "192.168.15.224", "source.packets": 16, @@ -3085,6 +3171,7 @@ "client.ip": "192.168.15.224", "client.packets": 16, "client.port": 52482, + "destination.address": "35.186.243.83", "destination.bytes": 3596, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", @@ -3145,6 +3232,7 @@ "server.packets": 15, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 11136, "source.ip": "192.168.15.224", "source.packets": 16, @@ -3159,6 +3247,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 33769, + "destination.address": "8.8.8.8", "destination.bytes": 84, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3216,6 +3305,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 182, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -3230,6 +3320,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 14106, + "destination.address": "8.8.8.8", "destination.bytes": 74, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3287,6 +3378,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 90, "source.ip": "192.168.15.224", "source.packets": 1, @@ -3301,6 +3393,7 @@ "client.ip": "192.168.15.224", "client.packets": 13, "client.port": 52503, + "destination.address": "100.24.165.74", "destination.bytes": 2731, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -3361,6 +3454,7 @@ "server.packets": 17, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 6669, "source.ip": "192.168.15.224", "source.packets": 13, @@ -3375,6 +3469,7 @@ "client.ip": "192.168.15.224", "client.packets": 7, "client.port": 52459, + "destination.address": "184.51.252.247", "destination.bytes": 1100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3432,6 +3527,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 661, "source.ip": "192.168.15.224", "source.packets": 7, @@ -3446,6 +3542,7 @@ "client.ip": "192.168.15.224", "client.packets": 16, "client.port": 52483, + "destination.address": "35.201.94.140", "destination.bytes": 3596, "destination.geo.continent_name": "Asia", "destination.geo.location.lat": 35.0, @@ -3502,6 +3599,7 @@ "server.packets": 15, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 11136, "source.ip": "192.168.15.224", "source.packets": 16, 
@@ -3516,6 +3614,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3571,6 +3670,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -3585,6 +3685,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 38663, + "destination.address": "8.8.8.8", "destination.bytes": 84, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3642,6 +3743,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 144, "source.ip": "192.168.15.224", "source.packets": 1, @@ -3656,6 +3758,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 50443, + "destination.address": "8.8.8.8", "destination.bytes": 131, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3713,6 +3816,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 206, "source.ip": "192.168.15.224", "source.packets": 1, @@ -3727,6 +3831,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 54215, + "destination.address": "8.8.8.8", "destination.bytes": 131, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3784,6 +3889,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 206, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -3798,6 +3904,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 35827, + "destination.address": "8.8.8.8", "destination.bytes": 83, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3855,6 +3962,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 169, "source.ip": "192.168.15.224", "source.packets": 1, @@ -3869,6 +3977,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 60609, + "destination.address": "8.8.8.8", "destination.bytes": 100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3926,6 +4035,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 132, "source.ip": "192.168.15.224", "source.packets": 1, @@ -3940,6 +4050,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 3248, + "destination.address": "8.8.8.8", "destination.bytes": 79, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3997,6 +4108,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 127, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4011,6 +4123,7 @@ "client.ip": "192.168.15.196", "client.packets": 1, "client.port": 49284, + "destination.address": "8.8.8.8", "destination.bytes": 89, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4068,6 +4181,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.196", "source.bytes": 105, "source.ip": "192.168.15.196", "source.packets": 1, 
@@ -4082,6 +4196,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 57732, + "destination.address": "8.8.8.8", "destination.bytes": 97, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4139,6 +4254,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 172, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4153,6 +4269,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 49195, + "destination.address": "8.8.8.8", "destination.bytes": 78, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4210,6 +4327,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 134, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4224,6 +4342,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 17266, + "destination.address": "8.8.8.8", "destination.bytes": 73, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4281,6 +4400,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 179, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4295,6 +4415,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 48631, + "destination.address": "8.8.8.8", "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4352,6 +4473,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 218, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -4366,6 +4488,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 58540, + "destination.address": "8.8.8.8", "destination.bytes": 77, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4423,6 +4546,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 172, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4437,6 +4561,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 42678, + "destination.address": "8.8.8.8", "destination.bytes": 74, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4494,6 +4619,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 305, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4508,6 +4634,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 16576, + "destination.address": "66.28.0.45", "destination.bytes": 76, "destination.geo.city_name": "Upper Marlboro", "destination.geo.continent_name": "North America", @@ -4568,6 +4695,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 527, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4582,6 +4710,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 39830, + "destination.address": "8.8.8.8", "destination.bytes": 89, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4639,6 +4768,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 153, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -4653,6 +4783,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 6185, + "destination.address": "8.8.8.8", "destination.bytes": 71, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4710,6 +4841,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 169, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4724,6 +4856,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 8781, + "destination.address": "8.8.8.8", "destination.bytes": 80, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4781,6 +4914,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 128, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4795,6 +4929,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 16788, + "destination.address": "8.8.8.8", "destination.bytes": 72, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4852,6 +4987,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 181, "source.ip": "192.168.15.224", "source.packets": 1, @@ -4866,6 +5002,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 45307, + "destination.address": "8.8.8.8", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4923,6 +5060,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 121, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -4937,6 +5075,7 @@ "client.ip": "192.168.15.224", "client.packets": 5, "client.port": 52520, + "destination.address": "23.52.174.25", "destination.bytes": 681, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4994,6 +5133,7 @@ "server.packets": 6, "server.port": 80, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 1246, "source.ip": "192.168.15.224", "source.packets": 5, @@ -5008,6 +5148,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 8503, + "destination.address": "8.8.8.8", "destination.bytes": 79, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5065,6 +5206,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 315, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5079,6 +5221,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 6910, + "destination.address": "8.8.8.8", "destination.bytes": 82, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5136,6 +5279,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 130, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5150,6 +5294,7 @@ "client.ip": "192.168.15.224", "client.packets": 4, "client.port": 52475, + "destination.address": "54.230.5.228", "destination.bytes": 354, "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", @@ -5210,6 +5355,7 @@ "server.packets": 5, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 288, "source.ip": "192.168.15.224", "source.packets": 4, 
@@ -5224,6 +5370,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 14342, + "destination.address": "8.8.8.8", "destination.bytes": 76, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5281,6 +5428,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 149, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5295,6 +5443,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 48197, + "destination.address": "8.8.8.8", "destination.bytes": 71, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5352,6 +5501,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 202, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5366,6 +5516,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 32296, + "destination.address": "8.8.8.8", "destination.bytes": 75, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5423,6 +5574,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 195, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5437,6 +5589,7 @@ "client.ip": "192.168.15.195", "client.packets": 1, "client.port": 33870, + "destination.address": "208.83.246.20", "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5494,6 +5647,7 @@ "server.packets": 1, "server.port": 123, "service.type": "palo_alto", + "source.address": "192.168.15.195", "source.bytes": 90, "source.ip": "192.168.15.195", "source.packets": 1, 
@@ -5508,6 +5662,7 @@ "client.ip": "192.168.15.196", "client.packets": 2, "client.port": 54659, + "destination.address": "8.8.8.8", "destination.bytes": 148, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5565,6 +5720,7 @@ "server.packets": 2, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.196", "source.bytes": 192, "source.ip": "192.168.15.196", "source.packets": 2, @@ -5579,6 +5735,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 57446, + "destination.address": "8.8.8.8", "destination.bytes": 83, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5636,6 +5793,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 208, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5650,6 +5808,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 22655, + "destination.address": "8.8.8.8", "destination.bytes": 84, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5707,6 +5866,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 100, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5721,6 +5881,7 @@ "client.ip": "192.168.15.224", "client.packets": 11, "client.port": 52509, + "destination.address": "35.185.88.112", "destination.bytes": 2053, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5780,6 +5941,7 @@ "server.packets": 13, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 7237, "source.ip": "192.168.15.224", "source.packets": 11, 
@@ -5794,6 +5956,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 27192, + "destination.address": "8.8.8.8", "destination.bytes": 93, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5851,6 +6014,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 109, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5865,6 +6029,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 30221, + "destination.address": "8.8.8.8", "destination.bytes": 84, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5922,6 +6087,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 116, "source.ip": "192.168.15.224", "source.packets": 1, @@ -5936,6 +6102,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 30570, + "destination.address": "8.8.8.8", "destination.bytes": 64, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5993,6 +6160,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 96, "source.ip": "192.168.15.224", "source.packets": 1, @@ -6007,6 +6175,7 @@ "client.ip": "192.168.15.224", "client.packets": 7, "client.port": 52497, + "destination.address": "50.19.85.24", "destination.bytes": 1100, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6067,6 +6236,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 654, "source.ip": "192.168.15.224", "source.packets": 7, 
@@ -6081,6 +6251,7 @@ "client.ip": "192.168.15.224", "client.packets": 7, "client.port": 52498, + "destination.address": "50.19.85.24", "destination.bytes": 1100, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6141,6 +6312,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 654, "source.ip": "192.168.15.224", "source.packets": 7, @@ -6155,6 +6327,7 @@ "client.ip": "192.168.15.224", "client.packets": 7, "client.port": 52496, + "destination.address": "50.19.85.24", "destination.bytes": 1100, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6215,6 +6388,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 654, "source.ip": "192.168.15.224", "source.packets": 7, @@ -6229,6 +6403,7 @@ "client.ip": "192.168.15.224", "client.packets": 10, "client.port": 52510, + "destination.address": "104.254.150.9", "destination.bytes": 2691, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6286,6 +6461,7 @@ "server.packets": 12, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 7820, "source.ip": "192.168.15.224", "source.packets": 10, @@ -6300,6 +6476,7 @@ "client.ip": "192.168.15.224", "client.packets": 7, "client.port": 52495, + "destination.address": "50.19.85.24", "destination.bytes": 1100, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6360,6 +6537,7 @@ "server.packets": 8, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 654, "source.ip": "192.168.15.224", "source.packets": 7, 
@@ -6374,6 +6552,7 @@ "client.ip": "192.168.15.224", "client.packets": 3, "client.port": 52486, + "destination.address": "52.0.218.108", "destination.bytes": 276, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6434,6 +6613,7 @@ "server.packets": 4, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 214, "source.ip": "192.168.15.224", "source.packets": 3, @@ -6448,6 +6628,7 @@ "client.ip": "192.168.15.224", "client.packets": 3, "client.port": 52489, + "destination.address": "52.6.117.19", "destination.bytes": 276, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6508,6 +6689,7 @@ "server.packets": 4, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 214, "source.ip": "192.168.15.224", "source.packets": 3, @@ -6522,6 +6704,7 @@ "client.ip": "192.168.15.224", "client.packets": 3, "client.port": 52490, + "destination.address": "34.238.96.22", "destination.bytes": 276, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", @@ -6582,6 +6765,7 @@ "server.packets": 4, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 214, "source.ip": "192.168.15.224", "source.packets": 3, @@ -6596,6 +6780,7 @@ "client.ip": "192.168.15.224", "client.packets": 4, "client.port": 52493, + "destination.address": "130.211.47.17", "destination.bytes": 276, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", @@ -6656,6 +6841,7 @@ "server.packets": 4, "server.port": 443, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 280, "source.ip": "192.168.15.224", "source.packets": 4, 
@@ -6670,6 +6856,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 59320, + "destination.address": "8.8.8.8", "destination.bytes": 97, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6727,6 +6914,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 172, "source.ip": "192.168.15.224", "source.packets": 1, @@ -6741,6 +6929,7 @@ "client.ip": "192.168.15.224", "client.packets": 6, "client.port": 0, + "destination.address": "8.8.8.8", "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6798,6 +6987,7 @@ "server.packets": 6, "server.port": 0, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 588, "source.ip": "192.168.15.224", "source.packets": 6, @@ -6812,6 +7002,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 13076, + "destination.address": "8.8.8.8", "destination.bytes": 78, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6869,6 +7060,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 94, "source.ip": "192.168.15.224", "source.packets": 1, @@ -6883,6 +7075,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 5511, + "destination.address": "8.8.8.8", "destination.bytes": 72, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6940,6 +7133,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 170, "source.ip": "192.168.15.224", "source.packets": 1, 
@@ -6954,6 +7148,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 9799, + "destination.address": "8.8.8.8", "destination.bytes": 78, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7011,6 +7206,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 94, "source.ip": "192.168.15.224", "source.packets": 1, @@ -7025,6 +7221,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 39169, + "destination.address": "8.8.8.8", "destination.bytes": 78, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7082,6 +7279,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 94, "source.ip": "192.168.15.224", "source.packets": 1, @@ -7096,6 +7294,7 @@ "client.ip": "192.168.15.224", "client.packets": 1, "client.port": 42476, + "destination.address": "8.8.8.8", "destination.bytes": 72, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7153,6 +7352,7 @@ "server.packets": 1, "server.port": 53, "service.type": "palo_alto", + "source.address": "192.168.15.224", "source.bytes": 166, "source.ip": "192.168.15.224", "source.packets": 1, From 0ac29a54b0b851dff6c9e9a103208c8e44c73a05 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 9 May 2019 11:01:55 +0200 Subject: [PATCH 06/10] Nit: Hide template actions behind comments --- .../module/palo_alto/pan_os/ingest/pipeline.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml index afb1ba8f2ea6..a94df2cd113c 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml 
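Review bot: across all of these `-expected.json` hunks the added `source.address` and `destination.address` values are exact copies of the adjacent `source.ip` and `destination.ip`, which matches the ECS convention (`*.address` carries the raw value, `*.ip` the typed copy), so the regenerated expectations are consistent with each other. The one session worth a second look is the one toward 8.8.8.8 with `client.port: 0`, `server.port: 0` and 6 packets each way: the literal 0 that PAN-OS reports for a port-less protocol is preserved as a port value, and it would be better for the pipeline to drop `source.port`, `destination.port`, `client.port` and `server.port` when the log reports 0 than to assert 0 in the fixture, otherwise every query on `destination.port` silently matches that traffic.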
@@ -10,9 +10,9 @@ processors: - date: field: "_temp_.generated_time" ignore_failure: true - {< if .convert_timezone >} + #{< if .convert_timezone >} timezone: "{{ event.timezone }}" - {< end >} + #{< end >} formats: - "yyyy/MM/dd HH:mm:ss" @@ -21,9 +21,9 @@ processors: field: "event.created" target_field: "event.created" ignore_failure: true - {< if .convert_timezone >} + #{< if .convert_timezone >} timezone: "{{ event.timezone }}" - {< end >} + #{< end >} formats: - "yyyy/MM/dd HH:mm:ss" @@ -32,9 +32,9 @@ processors: field: "event.start" target_field: "event.start" ignore_failure: true - {< if .convert_timezone >} + #{< if .convert_timezone >} timezone: "{{ event.timezone }}" - {< end >} + #{< end >} formats: - "yyyy/MM/dd HH:mm:ss" From ef2170ddd62147d7162a910fb0bcaecb5a4b11ff Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 9 May 2019 11:02:22 +0200 Subject: [PATCH 07/10] Make event.end use same TZ offset as event.start --- x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml index a94df2cd113c..18da07007dae 100644 --- a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml +++ b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml @@ -105,8 +105,7 @@ processors: ctx['event']['duration'] = nanos; def start = ctx.event?.start; if (start != null) { - ctx.event['end'] = ZonedDateTime.ofInstant( - Instant.parse(start).plusNanos(nanos), ZoneOffset.UTC); + ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos); } # Set network.direction using src/dst zone (traffic logs). From 89ea376a9a8b5a9e64d19e5b933b9d7ba7036e28 Mon Sep 17 00:00:00 2001 
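Review bot: in the three `pipeline.yml` hunks of PATCH 06, prefixing `{< if .convert_timezone >}` and `{< end >}` with `#` only works because the template is expanded before the YAML is parsed: when `convert_timezone` is false the whole span, including the `timezone: "{{ event.timezone }}"` line, is removed, and when it is true the directives collapse to bare `#` comment lines, so behaviour is unchanged either way. Nothing in the file says so, and a later editor will read the `#` as "this block is disabled" and delete it; add a one-line comment above the first occurrence stating that the `#` exists only to keep the file valid YAML for editors and linters and that the directives are still evaluated. Since all three date processors run with `ignore_failure: true`, it is also worth a comment that a bad `event.timezone` value is silently ignored rather than surfacing as a parse error.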
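Review bot: in the PATCH 07 hunk, `ZonedDateTime.parse(start).plusNanos(nanos)` correctly keeps the offset of `event.start` instead of pinning `event.end` to `ZoneOffset.UTC`, but it throws `DateTimeParseException` when `event.start` is not ISO-8601. The date processor that writes `event.start` earlier in this file runs with `ignore_failure: true`, so an unparseable `Start Time` leaves the raw `yyyy/MM/dd HH:mm:ss` string in the field and this script then fails the whole document instead of just omitting `event.end`. Guard the call, for example by wrapping it in `try { ... } catch (DateTimeParseException e) { }` or by only computing `event.end` when `event.start` was successfully converted, so a malformed timestamp costs one field rather than the event.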
From: Adrian Serrano Date: Thu, 9 May 2019 16:11:18 +0200 Subject: [PATCH 08/10] Missing make update --- filebeat/docs/fields.asciidoc | 41 ++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index e79845cfd8d2..aa071c723952 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -11839,7 +11839,14 @@ Fields from the palo_alto logs. -*`palo_alto.ruleset`*:: +[float] +== pan_os fields + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`palo_alto.pan_os.ruleset`*:: + -- type: keyword @@ -11856,7 +11863,7 @@ Fields to extend the top-level source object. -*`palo_alto.source.zone`*:: +*`palo_alto.pan_os.source.zone`*:: + -- type: keyword @@ -11866,7 +11873,7 @@ Source zone for this session. -- -*`palo_alto.source.interface`*:: +*`palo_alto.pan_os.source.interface`*:: + -- type: keyword @@ -11883,7 +11890,7 @@ Post-NAT source address, if source NAT is performed. -*`palo_alto.source.nat.ip`*:: +*`palo_alto.pan_os.source.nat.ip`*:: + -- type: ip @@ -11893,7 +11900,7 @@ Post-NAT source IP. -- -*`palo_alto.source.nat.port`*:: +*`palo_alto.pan_os.source.nat.port`*:: + -- type: long @@ -11910,7 +11917,7 @@ Fields to extend the top-level destination object. -*`palo_alto.destination.zone`*:: +*`palo_alto.pan_os.destination.zone`*:: + -- type: keyword @@ -11920,7 +11927,7 @@ Destination zone for this session. -- -*`palo_alto.destination.interface`*:: +*`palo_alto.pan_os.destination.interface`*:: + -- type: keyword @@ -11937,7 +11944,7 @@ Post-NAT destination address, if destination NAT is performed. -*`palo_alto.destination.nat.ip`*:: +*`palo_alto.pan_os.destination.nat.ip`*:: + -- type: ip @@ -11947,7 +11954,7 @@ Post-NAT destination IP. -- -*`palo_alto.destination.nat.port`*:: +*`palo_alto.pan_os.destination.nat.port`*:: + -- type: long 
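Review bot: the regenerated reference now documents every module field as `palo_alto.pan_os.*` (`palo_alto.pan_os.ruleset`, `palo_alto.pan_os.source.nat.ip`, `palo_alto.pan_os.destination.zone`, ...), but the module page added at the end of this series still lists them under the old names (`palo_alto.ruleset`, `palo_alto.source.nat.ip`, `palo_alto.flow_id`) and says they are "added under the `palo_alto` prefix". The hand-written tables in `_meta/docs.asciidoc` need the same rename, otherwise the field reference and the module page disagree about what is actually indexed.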
@@ -11964,7 +11971,7 @@ Fields to extend the top-level network object. -*`palo_alto.network.pcap_id`*:: +*`palo_alto.pan_os.network.pcap_id`*:: + -- type: keyword @@ -11975,7 +11982,7 @@ Packet capture ID for a threat. -- -*`palo_alto.network.nat.community_id`*:: +*`palo_alto.pan_os.network.nat.community_id`*:: + -- type: keyword @@ -11992,7 +11999,7 @@ Fields to extend the top-level file object. -*`palo_alto.file.hash`*:: +*`palo_alto.pan_os.file.hash`*:: + -- type: keyword @@ -12009,7 +12016,7 @@ Fields to extend the top-level url object. -*`palo_alto.url.category`*:: +*`palo_alto.pan_os.url.category`*:: + -- type: keyword @@ -12019,7 +12026,7 @@ For threat URLs, it's the URL category. For WildFire, the verdict on the file an -- -*`palo_alto.flow_id`*:: +*`palo_alto.pan_os.flow_id`*:: + -- type: keyword @@ -12029,7 +12036,7 @@ Internal numeric identifier for each session. -- -*`palo_alto.sequence_number`*:: +*`palo_alto.pan_os.sequence_number`*:: + -- type: long @@ -12039,7 +12046,7 @@ Log entry identifier that is incremented sequentially. Unique for each log type. -- -*`palo_alto.threat_file_or_url`*:: +*`palo_alto.pan_os.threat_file_or_url`*:: + -- type: keyword @@ -12049,7 +12056,7 @@ URL or file name for a threat. -- -*`palo_alto.threat_id`*:: +*`palo_alto.pan_os.threat_id`*:: + -- type: keyword From 21741bcf8e5ab02e4391cc26b0702e963b5287b0 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 10 May 2019 23:06:56 +0200 Subject: [PATCH 09/10] Comment out dashboards TODO in docs --- .../module/palo_alto/_meta/docs.asciidoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc index d436be7f14d6..cbcc0098872d 100644 --- a/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc 
@@ -116,14 +116,14 @@ in ECS that are added under the `palo_alto` prefix: | Device Name | observer.hostname | |============== -[float] -=== Example dashboard - -This module comes with a sample dashboard: - -(TODO) -[role="screenshot"] -image::./images/kibana-cisco-asa.png[] +// [float] +// === Example dashboard +// +// This module comes with a sample dashboard: +// +// (TODO) +// [role="screenshot"] +// image::./images/kibana-cisco-asa.png[] include::../include/configuring-intro.asciidoc[] From d68f6e97d0edf51e0c504e8a84b312cfb737a740 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Sat, 11 May 2019 02:26:07 +0200 Subject: [PATCH 10/10] Missing docs file --- filebeat/docs/modules/palo_alto.asciidoc | 188 +++++++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 filebeat/docs/modules/palo_alto.asciidoc diff --git a/filebeat/docs/modules/palo_alto.asciidoc b/filebeat/docs/modules/palo_alto.asciidoc new file mode 100644 index 000000000000..9c0a1fc9c03c --- /dev/null +++ b/filebeat/docs/modules/palo_alto.asciidoc 
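Review bot: commenting the dashboard section out leaves `:has-dashboards: true` in the generated module page, which tells the shared includes that a dashboard exists; set it to `false` (or drop it) until one ships. When the section comes back, the `image::./images/kibana-cisco-asa.png[]` reference, a leftover from the Cisco ASA module docs, must be replaced with a PAN-OS screenshot rather than uncommented as is.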
@@ -0,0 +1,188 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-palo_alto]] +[role="xpack"] + +:modulename: palo_alto +:has-dashboards: true + +== Palo Alto Networks module + +This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received +over Syslog or read from a file. It currently supports messages of Traffic and +Threat types. + +[float] +=== Compatibility + +This module has been tested with logs generated by devices running PAN-OS +versions 7.1 to 9.0 but limited compatibility is expected for earlier versions. + +The {plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugin is required to run this module. + +include::../include/running-modules.asciidoc[] + +[float] +=== ECS field mappings + +These are the PAN-OS to ECS field mappings as well as those fields still not +in ECS that are added under the `palo_alto` prefix: + +.Traffic log mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| 
Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Bytes | network.bytes | +| Bytes Sent | client.bytes destination.bytes | +| Bytes Received | server.bytes source.bytes | +| Packets | network.packets | +| Start Time | event.start | +| Elapsed Time | event.duration | +| Category | | palo_alto.url.category +| Sequence Number | | palo_alto.sequence_number +| Packets Sent | server.packets destination.packets | +| Packets Received | client.packets source.packets | +| Device Name | observer.hostname | +|============== + +.Threat logs mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Miscellaneous | url.original | palo_alto.threat_file_or_url +| Threat ID | | palo_alto.threat_id +| Category | | palo_alto.url.category +| Severity | log.level | +| Direction | network.direction | +| Source Location | source.geo.country_iso_code | +| Destination Location 
| destination.geo.country_iso_code | +| PCAP_id | | palo_alto.network.pcap_id +| Filedigest | | palo_alto.file.hash +| User Agent | user_agent.original | +| File Type | file.type | +| X-Forwarded-For | network.forwarded_ip | +| Referer | http.request.referer | +| Sender | source.user.email | +| Subject | | palo_alto.subject +| Recipient | destination.user.email | +| Device Name | observer.hostname | +|============== + +// [float] +// === Example dashboard +// +// This module comes with a sample dashboard: +// +// (TODO) +// [role="screenshot"] +// image::./images/kibana-cisco-asa.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read logs from a file. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: palo_alto + pan_os: + enabled: true + var.paths: ["/var/log/pan-os.log"] + var.input: "file" +----- + +:fileset_ex: pan_os + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `pan_os` fileset settings + +Example config: + +[source,yaml] +---- + pan_os: + var.syslog_host: 0.0.0.0 + var.syslog_port: 514 +---- + +include::../include/var-paths.asciidoc[] + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to `9001` + +NOTE: Ports below 1024 require {beatname_uc} to run as root. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. +
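Review bot: the Traffic log table maps PAN-OS's per-direction counters inconsistently: `Bytes Sent` goes to `client.bytes destination.bytes` and `Bytes Received` to `server.bytes source.bytes`, while `Packets Sent` goes to `server.packets destination.packets` and `Packets Received` to `client.packets source.packets`, so `client` is paired with `destination` for bytes but with `source` for packets. PAN-OS defines Sent as client-to-server and Received as server-to-client, and ECS defines `source.bytes`/`source.packets` as what the source sends, so the rows should read `Bytes Sent | client.bytes source.bytes`, `Bytes Received | server.bytes destination.bytes`, and likewise for packets. The DNS sessions in the expected fixtures, where `source.bytes` (172, 305, 527) is consistently larger than `destination.bytes` (77, 74, 76) toward port 53 with one packet each way, suggest the pipeline currently stores the server-to-client count in `source.bytes`, so the pipeline and the fixtures need the same correction, not only the table. Two smaller points: the non-standard field names in both tables (`palo_alto.source.nat.ip`, `palo_alto.ruleset`, `palo_alto.flow_id`, ...) should become `palo_alto.pan_os.*` to match the regenerated fields reference, and the `var.syslog_host` description should say that the UDP listener accepts unauthenticated datagrams from anything that can reach it, so binding to `0.0.0.0` belongs behind a host firewall rule that restricts senders to the firewall's management address.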