PAN-OS Query Logs For Indicators

Queries the following PAN-OS log types: traffic, threat, URL, data-filtering and wildfire. The playbook accepts inputs such as IP addresses, hash, and URL.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

  • panorama-check-logs-status
  • panorama-query-logs
  • panorama-get-logs

Playbook Inputs


NameDescriptionRequired
urlThe URL. For example, "safebrowsing.googleapis.com".Optional
filedigestThe file hash (for WildFire logs only).Optional
ipThe source or destination address.Optional

Playbook Outputs


PathDescriptionType
Panorama.MonitorThe monitor logs object.string
Panorama.Monitor.Logs.ActionThe action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url".string
Panorama.Monitor.Logs.ApplicationThe application associated with the session.string
Panorama.Monitor.Logs.CategoryFor URL subtype, it is the URL category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.string
Panorama.Monitor.Logs.DeviceNameThe hostname of the firewall on which the session was logged.string
Panorama.Monitor.Logs.DestinationAddressThe original session destination IP address.string
Panorama.Monitor.Logs.DestinationUserThe username of the user to which the session was destined.string
Panorama.Monitor.Logs.DestinationCountryThe destination country or internal region for private addresses. The Maximum length is 32 bytes.string
Panorama.Monitor.Logs.DestinationPortThe destination port utilized by the session.string
Panorama.Monitor.Logs.FileDigestOnly for WildFire subtype; all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.string
Panorama.Monitor.Logs.FileNameThe file name or file type when the subtype is file. The file name when the subtype is virus. The file name when the subtype is wildfire-virus. The file name when the subtype is wildfire.string
Panorama.Monitor.Logs.FileTypeOnly for the WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.string
Panorama.Monitor.Logs.FromZoneThe zone the session was sourced from.string
Panorama.Monitor.Logs.URLOrFilenameThe actual URI when the subtype is URL. The file name or file type when the subtype is file. The file name when the subtype is virus. The file name when the subtype is wildfire-virus. The file name when the subtype is wildfire. The URL or file name when the subtype is vulnerability if applicable.string
Panorama.Monitor.Logs.NATDestinationIPWhether the destination NAT performed, the post-NAT destination IP address.string
Panorama.Monitor.Logs.NATDestinationPortThe post-NAT destination port.string
Panorama.Monitor.Logs.NATSourceIPWhether the source NAT performed, the post-NAT source IP address.string
Panorama.Monitor.Logs.NATSourcePortThe Post-NAT source port.string
Panorama.Monitor.Logs.PCAPidThe packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.string
Panorama.Monitor.Logs.IPProtocolThe IP address protocol associated with the session.string
Panorama.Monitor.Logs.RecipientOnly for the WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.string
Panorama.Monitor.Logs.RuleThe name of the rule that the session matched.string
Panorama.Monitor.Logs.RuleIDThe ID of the rule that the session matched.string
Panorama.Monitor.Logs.ReceiveTimeThe time the log was received at the management plane.string
Panorama.Monitor.Logs.SenderOnly for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.string
Panorama.Monitor.Logs.SessionIDThe internal numerical identifier applied to each session.string
Panorama.Monitor.Logs.DeviceSNThe serial number of the firewall on which the session was logged.string
Panorama.Monitor.Logs.SeverityThe severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical".string
Panorama.Monitor.Logs.SourceAddressThe original session source IP address.string
Panorama.Monitor.Logs.SourceCountryThe source country or internal region for private addresses. The Maximum length is 32 bytes.string
Panorama.Monitor.Logs.SourceUserThe username of the user who initiated the session.string
Panorama.Monitor.Logs.SourcePortThe source port utilized by the session.string
Panorama.Monitor.Logs.NameThe Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier.string
Panorama.Monitor.Logs.IDThe Palo Alto Networks ID for the threat.string
Panorama.Monitor.Logs.ToZoneThe zone to which the session was destined.string
Panorama.Monitor.Logs.TimeGeneratedThe time that the log was generated on the dataplane.string
Panorama.Monitor.Logs.URLCategoryListThe list of the URL filtering categories that the firewall used to enforce policy.string
Panorama.Monitor.JobIDThe job ID of the logs query.unknown
Panorama.Monitor.StatusThe status of the logs query.string
Panorama.Monitor.MessageThe message of the logs query.string

Playbook Image


PAN-OS_Query_Logs_For_Indicators