diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index 9b60470efe3dd..7240171455159 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -335,6 +335,8 @@ integration/otel:
 - otel/**/*
 integration/pan_firewall:
 - pan_firewall/**/*
+integration/palo_alto_panorama:
+- palo_alto_panorama/**/*
 integration/pdh_check:
 - pdh_check/**/*
 integration/pgbouncer:
diff --git a/palo_alto_panorama/CHANGELOG.md b/palo_alto_panorama/CHANGELOG.md
new file mode 100644
index 0000000000000..0cc1c6e38854b
--- /dev/null
+++ b/palo_alto_panorama/CHANGELOG.md
@@ -0,0 +1,3 @@
+# CHANGELOG - palo_alto_panorama
+
+
diff --git a/palo_alto_panorama/README.md b/palo_alto_panorama/README.md
new file mode 100644
index 0000000000000..a0188d487308f
--- /dev/null
+++ b/palo_alto_panorama/README.md
@@ -0,0 +1,173 @@ +## Overview + +[Palo Alto Panorama][1] is a security management software application developed by Palo Alto Networks. It's designed to provide centralized management, logging, and reporting for Palo Alto Network firewalls. + +This integration ingests Traffic, Threat, Authentication, HIP Match, User ID, Tunnel Inspection, Config, System, Correleated Events, URL Filtering, Data Filtering, GlobalProtect, and Decryption log types with the integration log pipeline to enrich the logs and normalizes data to Datadog standard attributes. + +This integration offers dashboard visualizations with detailed insights into inbound and outbound traffic flows, threats details, insights into user authentications, events generated by globalprotect, mapping between users and IP address, and more. + +## Setup + +### Installation + +To install the Palo Alto Panorama integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management documentation][2]. + +**Note**: This step is not necessary for Agent version >= 7.52.0. + +Linux command: + ```shell + sudo -u dd-agent -- datadog-agent integration install datadog-palo_alto_panorama==1.0.0 + ``` + +### Configuration + +#### Log collection + +**Palo Alto Panorama:** + +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file: + + ```yaml + logs_enabled: true + ``` + +2. Add this configuration block to your `palo_alto_panorama.d/conf.yaml` file to start collecting your Palo Alto Panorama logs. + + See the [sample palo_alto_panorama.d/conf.yaml][3] for available configuration options. + + ```yaml + logs: + - type: tcp/udp + port: + service: palo-alto-panorama + source: palo-alto-panorama + ``` + +3. [Restart the Agent][4]. + +4. Configure Panorama to send data to Datadog: + 1. Login into the Panorama System + 2. Follow the [Syslog log forwarding][5] configuration steps. + 1. 
For Step 1.4, use `TCP/UDP` for `Transport` type and `BSD` format for the `syslog messages`. + 2. For Step 1.5, use the provided custom logs format below: + - **Traffic** + ```sh + serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|src=$src|dst=$dst|natsrc=$natsrc|natdst=$natdst|rule=$rule|suser=$srcuser|duser=$dstuser|app=$app|vsys=$vsys|from=$from|to=$to|inboundif=$inbound_if|outboundif=$outbound_if|logset=$logset|sessionid=$sessionid|repeatcnt=$repeatcnt|sport=$sport|dport=$dport|natsport=$natsport|natdport=$natdport|flags=$flags|proto=$proto|act=$action|bytes=$bytes|bytes_sent=$bytes_sent|bytes_received=$bytes_received|pkt=$packets|start=$start|elapsed=$elapsed|cat=$category|seq=$seqno|actflag=$actionflags|sloc=$srcloc|dloc=$dstloc|pktsent=$pkts_sent|pktrcvd=$pkts_received|sessionendreason=$session_end_reason|vsysname=$vsys_name|dvc=$device_name|actsrc=$action_source|suuid=$src_uuid|duuid=$dst_uuid|tunnelid=$tunnelid|monitortag=$monitortag|parentid=$parent_session_id|parentst=$parent_start_time|tunnel=$tunnel|associd=$assoc_id|chunk=$chunks|chunksent=$chunks_sent|chunkrcvd=$chunks_received|ruleuuid=$rule_uuid|http2conn=$http2_connection|appflap=$link_change_count|policyid=$policy_id|dynusrgrp=$dynusergroup_name|xffip=$xff_ip|scat=$src_category|sprofile=$src_profile|smodel=$src_model|sven=$src_vendor|sosfam=$src_osfamily|sosver=$src_osversion|shost=$src_host|smac=$src_mac|dcat=$dst_category|dprofile=$dst_profile|dmodel=$dst_model|dven=$dst_vendor|dosfam=$dst_osfamily|dosver=$dst_osversion|dhost=$dst_host|dmac=$dst_mac|contid=$container_id|podnamespace=$pod_namespace|podname=$pod_name|sedl=$src_edl|dedl=$dst_edl|hostid=$hostid|srnum=$serialnumber|sessionown=$session_owner|subcatapp=$subcategory_of_app|appcat=$category_of_app|apptech=$technology_of_app|apprisk=$risk_of_app|appchar=$characteristic_of_app|appcont=$container_of_app|tunneledapp=$tunneled_app|appsaas=$is_saas_of_app|appstate=$sanctioned_state_of_app|offloaded=$offloa
ded|flowtype=$flow_type|cluster=$cluster_name|link=$link_switches|sdag=$src_dag|ddag=$dst_dag + ``` + - **Threat** + ```sh + serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|src=$src|dst=$dst|natsrc=$natsrc|natdst=$natdst|rule=$rule|suser=$srcuser|duser=$dstuser|app=$app|vsys=$vsys|from=$from|to=$to|inboundif=$inbound_if|outboundif=$outbound_if|logset=$logset|sessionid=$sessionid|repeatcnt=$repeatcnt|sport=$sport|dport=$dport|natsport=$natsport|natdport=$natdport|flags=$flags|proto=$proto|act=$action|misc=$misc|threatid=$threatid|cat=$category|severity=$severity|dir=$direction|seqno=$seqno|actflags=$actionflags|sloc=$srcloc|dloc=$dstloc|contenttype=$contenttype|pcapip=$pcap_id|filedigest=$filedigest|cloud=$cloud|urlidx=$url_idx|useragent=$user_agent|filetype=$filetype|xff=$xff|ref=$referer|sender=$sender|sub=$subject|recipient=$recipient|reportid=$reportid|vsysname=$vsys_name|dvc=$device_name|suuid=$src_uuid|duuid=$dst_uuid|http_method=$http_method|tunnelid=$tunnel_id|monitortag=$monitortag|tunnel=$tunnel|thrcategory=$thr_category|contentver=$contentver|ppid=$ppid|httpheaders=$http_headers|urlcategory=$url_category_list|ruleuuid=$rule_uuid|http2conn=$http2_connection|dynusrgrp=$dynusergroup_name|xffip=$xff_ip|scat=$src_category|sprofile=$src_profile|smodel=$src_model|sven=$src_vendor|sosfam=$src_osfamily|sosver=$src_osversion|shost=$src_host|smac=$src_mac|dcat=$dst_category|dprofile=$dst_profile|dmodel=$dst_model|dven=$dst_vendor|dosfam=$dst_osfamily|dosver=$dst_osversion|dhost=$dst_host|dmac=$dst_mac|contid=$container_id|podnamespace=$pod_namespace|podname=$pod_name|hostid=$hostid|srnum=$serialnumber|reason=$reason|justification=$justification|subcatApp=$subcategory_of_app|appcat=$category_of_app|apptech=$technology_of_app|apprisk=$risk_of_app|appchar=$characteristic_of_app|appcont=$container_of_app|tunneledapp=$tunneled_app|appsaas=$is_saas_of_app|appstate=$sanctioned_state_of_app|cloudreportid=$cloud_reportid|cluster=$cluste
r_name|flowtype=$flow_type + ``` + - **Authentication** + ```sh + receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|vsys=$vsys|ip=$ip|user=$user|normalize_user=$normalize_user|object=$object|authpolicy=$authpolicy|repeatcnt=$repeatcnt|authid=$authid|vendor=$vendor|logset=$logset|serverprofile=$serverprofile|desc=$desc|clienttype=$clienttype|event=$event|factorno=$factorno|seqno=$seqno|actionflags=$actionflags|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|vsys_id=$vsys_id|authproto=$authproto|rule_uuid=$rule_uuid|high_res_timestamp=$high_res_timestamp|src_category=$src_category|src_profile=$src_profile|src_model=$src_model|src_vendor=$src_vendor|src_osfamily=$src_osfamily|src_osversion=$src_osversion|src_host=$src_host|src_mac=$src_mac|region=$region|user_agent=$user_agent|sessionid=$sessionid|cluster_name=$cluster_name + ``` + - **HIP Match** + ```sh + receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|srcuser=$srcuser|vsys=$vsys|machinename=$machinename|os=$os|src=$src|matchname=$matchname|repeatcnt=$repeatcnt|matchtype=$matchtype|seqno=$seqno|actionflags=$actionflags|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|vsys_id=$vsys_id|srcipv6=$srcipv6|hostid=$hostid|serialnumber=$serialnumber|mac=$mac|high_res_timestamp=$high_res_timestamp|cluster_name=$cluster_name + ``` + - **User ID** + ```sh + 
receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|vsys=$vsys|ip=$ip|user=$user|datasourcename=$datasourcename|eventid=$eventid|repeatcnt=$repeatcnt|timeout=$timeout|beginport=$beginport|endport=$endport|datasource=$datasource|datasourcetype=$datasourcetype|seqno=$seqno|actionflags=$actionflags|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|vsys_id=$vsys_id|factortype=$factortype|factorcompletiontime=$factorcompletiontime|factorno=$factorno|ugflags=$ugflags|userbysource=$userbysource|tag_name=$tag_name|high_res_timestamp=$high_res_timestamp|origindatasource=$origindatasource|cluster_name=$cluster_name + ``` + - **Tunnel Inspection** + ```sh + receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|src=$src|dst=$dst|natsrc=$natsrc|natdst=$natdst|rule=$rule|srcuser=$srcuser|dstuser=$dstuser|app=$app|vsys=$vsys|from=$from|to=$to|inbound_if=$inbound_if|outbound_if=$outbound_if|logset=$logset|sessionid=$sessionid|repeatcnt=$repeatcnt|sport=$sport|dport=$dport|natsport=$natsport|natdport=$natdport|flags=$flags|proto=$proto|act=$action|severity=$severity|seqno=$seqno|actionflags=$actionflags|srcloc=$srcloc|dstloc=$dstloc|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|tunnelid=$tunnelid|monitortag=$monitortag|parent_session_id=$parent_session_id|parent_start_time=$parent_start_time|tunnel=$tunnel|bytes=$bytes|bytes_sent=$bytes_sent|bytes_received=$bytes_received|pkt=$packets|pkts_sent=$pkts_sent|pkts_received=$pkts_received|max_encap=$max_encap|unknown_proto=$unknown_proto|strict_check=$strict_check|tunnel_fragment=$tunnel_fragment|sessions_created=$sessions_created|sessions_closed=$sessions_clos
ed|session_end_reason=$session_end_reason|action_source=$action_source|start=$start|elapsed=$elapsed|tunnel_insp_rule=$tunnel_insp_rule|remote_user_ip=$remote_user_ip|remote_user_id=$remote_user_id|rule_uuid=$rule_uuid|pcap_id=$pcap_id|dynusergroup_name=$dynusergroup_name|src_edl=$src_edl|dst_edl=$dst_edl|high_res_timestamp=$high_res_timestamp|nssai_sd=$nssai_sd|nssai_sst=$nssai_sst|pdu_session_id=$pdu_session_id|subcategory_of_app=$subcategory_of_app|category_of_app=$category_of_app|technology_of_app=$technology_of_app|risk_of_app=$risk_of_app|characteristic_of_app=$characteristic_of_app|container_of_app=$container_of_app|is_saas_of_app=$is_saas_of_app|sanctioned_state_of_app=$sanctioned_state_of_app|cluster_name=$cluster_name + ``` + - **Config** + ```sh + receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|host=$host|vsys=$vsys|cmd=$cmd|admin=$admin|client=$client|result=$result|path=$path|seqno=$seqno|actionflags=$actionflags|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|dg_id=$dg_id|comment=$comment|high_res_timestamp=$high_res_timestamp|before-change-detail=$before-change-detail|after-change-detail=$after-change-detail + ``` + - **System** + ```sh + receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|vsys=$vsys|eventid=$eventid|object=$object|module=$module|severity=$severity|opaque=$opaque|seqno=$seqno|actionflags=$actionflags|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|high_res_timestamp=$high_res_timestamp + ``` + - **Correleated Events** + ```sh + 
receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|src=$src|srcuser=$srcuser|vsys=$vsys|category=$category|severity=$severity|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|vsys_id=$vsys_id|objectname=$objectname|object_id=$object_id|evidence=$evidence + ``` + - **GlobalProtect** + ```sh + receive_time=$receive_time|serial=$serial|type=$type|subtype=$subtype|time_generated=$cef-formatted-time_generated|vsys=$vsys|eventid=$eventid|stage=$stage|auth_method=$auth_method|tunnel_type=$tunnel_type|srcuser=$srcuser|srcregion=$srcregion|machinename=$machinename|public_ip=$public_ip|public_ipv6=$public_ipv6|private_ip=$private_ip|private_ipv6=$private_ipv6|hostid=$hostid|serialnumber=$serialnumber|client_ver=$client_ver|client_os=$client_os|client_os_ver=$client_os_ver|repeatcnt=$repeatcnt|reason=$reason|error=$error|opaque=$opaque|status=$status|location=$location|login_duration=$login_duration|connect_method=$connect_method|error_code=$error_code|portal=$portal|seqno=$seqno|actionflags=$actionflags|selection_type=$selection_type|response_time=$response_time|priority=$priority|attempted_gateways=$attempted_gateways|gateway=$gateway|dg_hier_level_1=$dg_hier_level_1|dg_hier_level_2=$dg_hier_level_2|dg_hier_level_3=$dg_hier_level_3|dg_hier_level_4=$dg_hier_level_4|vsys_name=$vsys_name|device_name=$device_name|vsys_id=$vsys_id|cluster_name=$cluster_name + ``` + - **Decryption** + ```sh + 
serial=$serial|type=$type|subtype=$subtype|configver=$config_ver|time_generated=$cef-formatted-time_generated|src=$src|dst=$dst|natsrc=$natsrc|natdst=$natdst|rule=$rule|suser=$srcuser|duser=$dstuser|app=$app|vsys=$vsys|from=$from|to=$to|inboundif=$inbound_if|outboundif=$outbound_if|logset=$logset|time_received=$time_received|sessionid=$sessionid|repeatcnt=$repeatcnt|sport=$sport|dport=$dport|natsport=$natsport|natdport=$natdport|flags=$flags|proto=$proto|act=$action|tunnel=$tunnel|suuid=$src_uuid|duuid=$dst_uuid|ruleuuid=$rule_uuid|hsstagec2f=$hs_stage_c2f|hsstagef2s=$hs_stage_f2s|tlsver=$tls_version|tlskeyxchg=$tls_keyxchg|tlsenc=$tls_enc|tlsauth=$tls_auth|policyname=$policy_name|eccurve=$ec_curve|errindex=$err_index|rootstatus=$root_status|chainstatus=$chain_status|proxytype=$proxy_type|certserial=$cert_serial|fingerprint=$fingerprint|notbefore=$notbefore|notafter=$notafter|certver=$cert_ver|certsize=$cert_size|cnlen=$cn_len|issuerlen=$issuer_len|rootcnlen=$rootcn_len|snilen=$sni_len|certflags=$cert_flags|cn=$cn|issuercn=$issuer_cn|rootcn=$root_cn|sni=$sni|err=$error|contid=$container_id|podnamespace=$pod_namespace|podname=$pod_name|sedl=$src_edl|dedl=$dst_edl|scat=$src_category|sprofile=$src_profile|smodel=$src_model|sven=$src_vendor|src_osfamily=$src_osfamily|sosver=$src_osversion|shost=$src_host|smac=$src_mac|dcat=$dst_category|dprofile=$dst_profile|dmodel=$dst_model|dven=$dst_vendor|dosfam=$dst_osfamily|dosver=$dst_osversion|dhost=$dst_host|dmac=$dst_mac|seqno=$seqno|actflag=$actionflags|vsysname=$vsys_name|dvc=$device_name|vsysid=$vsys_id|appsubcat=$subcategory_of_app|appcat=$category_of_app|apptech=$technology_of_app|apprisk=$risk_of_app|appchar=$characteristic_of_app|appcont=$container_of_app|appsaas=$is_saas_of_app|appstate=$sanctioned_state_of_app|cluster=$cluster_name|sdag=$src_dag|ddag=$dst_dag + ``` + + +### Validation + +[Run the Agent's status subcommand][6] and look for `palo_alto_panorama` under the Checks section. 
+ +## Data Collected + +### Logs + +The Palo Alto Panorama integration collects Traffic, Threat, Authentication, HIP Match, User ID, Tunnel Inspection, Config, System, Correlated Events, URL Filtering, Data Filtering, GlobalProtect, and Decryption logs. + +### Metrics + +The Palo Alto Panorama integration does not include any metrics. + +### Events + +The Palo Alto Panorama integration does not include any events. + +### Service Checks + +The Palo Alto Panorama integration does not include any service checks. + +## Troubleshooting + +**Permission denied while port binding:** + +If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions: + + 1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command: + + - Grant access to the port using the `setcap` command: + + ```shell + sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent + ``` + + - Verify the setup is correct by running the `getcap` command: + + ```shell + sudo getcap /opt/datadog-agent/bin/agent/agent + ``` + + With the expected output: + + ```shell + /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep + ``` + + **Note**: Re-run this `setcap` command every time you upgrade the Agent. + + 2. [Restart the Agent][4]. + +**Data is not being collected:** + +Make sure that traffic is bypassed from the configured port if the firewall is enabled. + +**Port already in use:** + +If you see the **Port Already in Use** error, see the following instructions. The example below is for PORT-NO = 514: + +On systems using Syslog, if the Agent listens for Zeek logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. + +This error occurs because by default, Syslog listens on port 514. 
To resolve this error, take **one** of the following steps: +- Disable Syslog +- Configure the Agent to listen on a different, available port + +For further assistance, contact [Datadog support][7]. + +[1]: https://www.paloaltonetworks.com/network-security/panorama +[2]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install +[3]: https://github.com/DataDog/integrations-core/blob/master/palo_alto_panorama/datadog_checks/palo_alto_panorama/data/conf.yaml.example +[4]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[5]: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring +[6]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[7]: https://docs.datadoghq.com/help/ diff --git a/palo_alto_panorama/assets/configuration/spec.yaml b/palo_alto_panorama/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..66b3f034e744a --- /dev/null +++ b/palo_alto_panorama/assets/configuration/spec.yaml @@ -0,0 +1,10 @@ +name: palo-alto-panorama +files: +- name: palo_alto_panorama.yaml + options: + - template: logs + example: + - type: udp/tcp + port: + service: palo-alto-panorama + source: palo-alto-panorama diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_authentication.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_authentication.json new file mode 100644 index 0000000000000..38d6646adebd3 --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_authentication.json 
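Review bot: The `example` entry in spec.yaml uses `type: udp/tcp`, which is not a transport value the Agent's log config accepts — a user who copies the generated conf.yaml.example verbatim gets a config that cannot start a listener, and the README block in the same commit spells it the other way round (`tcp/udp`), so the two will drift. Since the example is what gets rendered into `conf.yaml.example`, I would pick one transport and say the choice in a comment, e.g. `- type: udp  # or tcp; must match the transport chosen in the Panorama syslog server profile`. The `port:` value also appears empty here and in the README; if that was a `<PORT>` placeholder lost in rendering it is fine, otherwise it should carry one so the example is not silently invalid.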
@@ -0,0 +1,832 @@ +{ + "title": "Palo Alto Panorama: Authentication", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about Authentication logs.\n- Authentication logs display information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication Policy rules.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total Authentication Events\n2. Authentication Events Overtime\n3. Top Client Types\n4. Top Users\n5. Authentication Event Distribution\n6. Authentication Results\n7. Top Authentication Protocols\n8. Top Virtual Systems\n9. Top Invoked Auth Policies\n10. Top Sources\n11. Sources Geo Locations\n12. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Authentication Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Authentication Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "TRAFFIC", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + 
}, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Top Client Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@clienttype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 1125426737335600, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@normalize_user", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 2339075263211366, + "definition": { + "title": "Authentication Event Distribution", 
+ "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 3 + } + }, + { + "id": 528357851839282, + "definition": { + "title": "Authentication Results", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.event", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Top Authentication Protocols", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + 
"limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@authproto", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 8291612460816156, + "definition": { + "title": "Top Virtual Systems", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.vsys", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Top Invoked Auth Policies", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + 
"compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@authpolicy", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 4842646254107800, + "definition": { + "title": "Top Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Sources Geo Locations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 
10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 9, + "height": 3 + } + }, + { + "id": 5804081654824820, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:AUTHENTICATION $Device_Serial_Number $Subtype $Authentication_Policy $Authentication_Protocol", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "normalize_user", + "width": "auto" + }, + { + "field": "authpolicy", + "width": "auto" + }, + { + "field": "clienttype", + "width": "auto" + }, + { + "field": "serverprofile", + "width": "auto" + }, + { + "field": "palo.alto.panorama.event", + "width": "auto" + }, + { + "field": "object", + "width": "auto" + }, + { + "field": "authproto", + "width": "auto" + }, + { + "field": "region", + "width": "auto" + }, + { + "field": "palo.alto.panorama.vsys", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Authentication_Policy", + "prefix": "@authpolicy", + "available_values": [], + "default": "*" + }, + { 
+ "name": "Authentication_Protocol", + "prefix": "@authproto", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_config.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_config.json new file mode 100644 index 0000000000000..59233c7a12f8d --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_config.json 
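Review bot: The header image widget (the first entry in `widgets`) hot-links the Palo Alto logo from `upload.wikimedia.org` in both `url` and `url_dark_theme`, and the config dashboard that follows does the same. A shipped dashboard that loads a third-party-hosted asset makes every viewer's browser contact an external host, breaks if that file is moved, and can change content without any review in this repository; other dashboards in the corpus normally point at a Datadog-hosted asset, so I would switch both fields to `"url": "<DATADOG_HOSTED_LOGO_URL>"` (same value for `url_dark_theme`) before release. Separately, the `Log Details` list_stream query uses `"indexes": []` while every other query in this file uses `["*"]`; if that is not deliberate the two should agree.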
@@ -0,0 +1,571 @@ +{ + "title": "Palo Alto Panorama: Config", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about config logs.\n- Config logs displays the administrator username, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), etc.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total Config Events\n2. Config Events Overtime\n3. Top Administrators\n4. Clients Distribution\n5. Configuration Results\n6. Top Firewall Hosts\n7. Top Commands Performed\n8. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Config Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Config Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Config", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + 
"id": 5074642991254010, + "definition": { + "title": "Top Administrators", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Clients Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@client", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 9, + "height": 4 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Configuration Results", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + 
"order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@result", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 995832136782352, + "definition": { + "title": "Top Firewall Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@device_name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Top Commands Performed", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@cmd", + "limit": 10, + 
"sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:CONFIG $Config_Result $Client $User_Name $Device_Serial_Number", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "type", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "result", + "width": "auto" + }, + { + "field": "client", + "width": "auto" + }, + { + "field": "cmd", + "width": "auto" + }, + { + "field": "before-change-detail", + "width": "auto" + }, + { + "field": "after-change-detail", + "width": "auto" + }, + { + "field": "comment", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 3 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Config_Result", + "prefix": "@result", + "available_values": [], + "default": "*" + }, + { + "name": "Client", + "prefix": "@client", + "available_values": [], + "default": "*" + }, + { + "name": "User_Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_correlated_events.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_correlated_events.json
new file mode 100644
index 0000000000000..da2e967462ab6
--- /dev/null
+++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_correlated_events.json
@@ -0,0 +1,691 @@ +{ + "title": "Palo Alto Panorama: Correlated Events", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about correlation logs.\n- A correlated event is generated when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total Correlation Events\n2. Correlation Events Overtime\n3. Category Distribution\n4. Top Correlation Objects\n5. Top Source Users\n6. Events by Severity\n7. Top User Source Address\n8. Geo Distribution by Source Address\n9. Distribution by Virtual System\n10. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Correlation Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Correlation Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Correlation", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + 
"height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Category Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 995212445643612, + "definition": { + "title": "Top Correlation Objects", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@objectname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { 
+ "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Events by Severity", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 6109036092484676, + "definition": { + "title": "Top User Source Address", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, 
+ "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 4 + } + }, + { + "id": 8877434434762428, + "definition": { + "title": "Geo Distribution by Source Address", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 3, + "y": 9, + "width": 5, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Distribution by Virtual System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.vsys", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + 
"search": { + "query": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 8, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:CORRELATION $Device_Serial_Number $Subtype $Severity $App_Category", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "subtype", + "width": "auto" + }, + { + "field": "objectname", + "width": "auto" + }, + { + "field": "category", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "palo.alto.panorama.vsys", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Severity", + "prefix": "@severity", + "available_values": [], + "default": "*" + }, + { + "name": "App_Category", + "prefix": "@category", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_decryption.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_decryption.json
new file mode 100644
index 0000000000000..9f8709df211be
--- /dev/null
+++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_decryption.json
@@ -0,0 +1,2100 @@ +{ + "title": "Palo Alto Panorama: Decryption", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about decryption logs.\n- Decryption logs include a vast amount of information to help you troubleshoot, monitor decryption, and resolve issues.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total Decryption Events\n2. Decryption Events Overtime\n3. Source Zone Distribution\n4. Destination Zone Distribution\n5. Top Sources\n6. Top Destinations\n7. Top Source Users\n8. Top Destination Users\n9. Top Inbound Interfaces\n10. Top Outbound Interfaces\n11. Top Source Ports\n12. Top Destination Ports\n13. Top Rules\n14. Top Flags\n15. Source Geolocations\n16. Destination Geolocations\n17. Top Applications\n18. Application Technologies\n19. Application Categories\n20. Application Subcategories\n21. SAAS Applications\n22. Sanctioned Applications\n23. Distribution by Application Risk\n24. Top Application Characteristics\n25. Action Distribution\n26. 
Top Decryption Proxy Types\n27. Top IP Protocols\n28. Top Decryption Policies\n29. Top Chain Statuses\n30. Decryption Source Device Details\n31. Decryption Destination Device Details\n32. Application Configuration Details\n33. Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Decryption Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Decryption Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Decryption", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + 
"response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Source Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srczone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Destination Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dstzone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + 
"height": 3 + } + }, + { + "id": 4842646254107800, + "definition": { + "title": "Top Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@src", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Top Destinations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dst", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 
10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@suser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 1125426737335600, + "definition": { + "title": "Top Destination Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@duser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 528357851839282, + "definition": { + "title": "Top Inbound Interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@inboundif", + "limit": 10, + 
"sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 5772405259988610, + "definition": { + "title": "Top Outbound Interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@outboundif", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 1724800236216840, + "definition": { + "title": "Top Source Ports", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@sport", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 821969300317820, + "definition": { + "title": "Top Destination Ports", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dport", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 7727127522985056, + "definition": { + "title": "Top Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 8291612460816156, + "definition": { + 
"title": "Top Flags", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@flags", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 995832136782352, + "definition": { + "title": "Source Geolocations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 5058233593718580, + "definition": { + "title": "Destination Geolocations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + 
"count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 4437195308848290, + "definition": { + "title": "Top Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 811987060048300, + "definition": { + "title": "Application Technologies", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + 
"facet": "@apptech", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 3, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 3409924901657536, + "definition": { + "title": "Application Categories", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@appcat", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 5323983346608892, + "definition": { + "title": "Application Subcategories", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.appsubcat", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, 
+ "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 9, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 8917312076954382, + "definition": { + "title": "SAAS Applications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION @appsaas:1 $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 2, + "height": 3 + } + }, + { + "id": 2735359610298796, + "definition": { + "title": "Sanctioned Applications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION @appstate:1 $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 21, + "width": 2, + "height": 3 + } + }, + { + "id": 7934944904112802, + "definition": { + "title": "Distribution by Application Risk", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + 
"indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@palo.alto.panorama.apprisk", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1", + "limit": { + "count": 100, + "order": "desc" + } + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 21, + "width": 4, + "height": 3 + } + }, + { + "id": 6848555598177540, + "definition": { + "title": "Top Application Characteristics", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.appchar", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 21, + "width": 4, + "height": 3 + } + }, + { + "id": 3714172153944202, + "definition": { + "title": "Action Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + 
"indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.action", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 7, + "height": 3 + } + }, + { + "id": 3555660408902602, + "definition": { + "title": "Top Decryption Proxy Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@proxytype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 7, + "y": 24, + "width": 5, + "height": 3 + } + }, + { + "id": 8978150461199356, + "definition": { + "title": "Top IP Protocols", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@proto", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } 
+ ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 27, + "width": 4, + "height": 3 + } + }, + { + "id": 3576145784161344, + "definition": { + "title": "Top Decryption Policies", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@policyname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 27, + "width": 4, + "height": 3 + } + }, + { + "id": 2635216600876768, + "definition": { + "title": "Top Chain Statuses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@chainstatus", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { 
+ "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 27, + "width": 4, + "height": 3 + } + }, + { + "id": 5030558600070052, + "definition": { + "title": "Decryption Source Device Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "shost", + "width": "auto" + }, + { + "field": "palo.alto.panorama.scat", + "width": "auto" + }, + { + "field": "palo.alto.panorama.sprofile", + "width": "auto" + }, + { + "field": "palo.alto.panorama.smodel", + "width": "auto" + }, + { + "field": "palo.alto.panorama.sven", + "width": "auto" + }, + { + "field": "palo.alto.panorama.sosver", + "width": "auto" + }, + { + "field": "http.useragent_details.os.family", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 4 + } + }, + { + "id": 4881491752108534, + "definition": { + "title": "Decryption Destination Device Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "dhost", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dcat", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dprofile", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dmodel", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dven", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dosver", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dmac", + "width": "auto" + } + ] + } + ], + "type": 
"list_stream" + }, + "layout": { + "x": 0, + "y": 34, + "width": 12, + "height": 4 + } + }, + { + "id": 4145781519632716, + "definition": { + "title": "Application Configuration Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "app", + "width": "auto" + }, + { + "field": "appcat", + "width": "auto" + }, + { + "field": "palo.alto.panorama.apprisk", + "width": "auto" + }, + { + "field": "appsaas", + "width": "auto" + }, + { + "field": "appstate", + "width": "auto" + }, + { + "field": "palo.alto.panorama.appsubcat", + "width": "auto" + }, + { + "field": "apptech", + "width": "auto" + }, + { + "field": "palo.alto.panorama.appcont", + "width": "auto" + }, + { + "field": "palo.alto.panorama.appchar", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 38, + "width": 12, + "height": 4 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:DECRYPTION $Device_Serial_Number $Action $Decryption_Policy", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "palo.alto.panorama.action", + "width": "auto" + }, + { + "field": "srczone", + "width": "auto" + }, + { + "field": "dstzone", + "width": "auto" + }, + { + "field": "src", + "width": "auto" + }, + { + "field": "dst", + "width": "auto" + }, + { + "field": "suser", + "width": "auto" + }, + { + "field": "duser", + "width": "auto" + }, + { + "field": "rule", + "width": "auto" + }, + { + "field": "app", + 
"width": "auto" + }, + { + "field": "appcat", + "width": "auto" + }, + { + "field": "palo.alto.panorama.apprisk", + "width": "auto" + }, + { + "field": "proto", + "width": "auto" + }, + { + "field": "proxytype", + "width": "auto" + }, + { + "field": "shost", + "width": "auto" + }, + { + "field": "palo.alto.panorama.sprofile", + "width": "auto" + }, + { + "field": "dhost", + "width": "auto" + }, + { + "field": "palo.alto.panorama.dprofile", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 42, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@palo.alto.panorama.action", + "available_values": [], + "default": "*" + }, + { + "name": "Decryption_Policy", + "prefix": "@policyname", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_globalprotect.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_globalprotect.json new file mode 100644 index 0000000000000..436ae2d28bb5d --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_globalprotect.json 
@@ -0,0 +1,1207 @@ +{ + "title": "Palo Alto Panorama: GlobalProtect", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about GlobalProtect logs.\n- GlobalProtect displays the logs related to GlobalProtect system, GlobalProtect portal, and gateway logs.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total GlobalProtect Events\n2. GlobalProtect Events Overtime\n3. Connection Stages\n4. Authentication Methods\n5. Connection Statuses\n6. Top Client OSs\n7. Top Source Users\n8. Top Source Regions\n9. Geo Distribution by User Public IP\n10. Top Used Gateway Priorities\n11. Connection Methods\n12. GlobalProtect Client Versions\n13. Top Gateways Used\n14. Top Tunnel Types\n15. Top User Public IPs\n16. Top Errors\n17. Gateway Selection Method\n18. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total GlobalProtect Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "GlobalProtect Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "GlobalProtect", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + 
"height": 3 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Connection Stages", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@stage", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Authentication Methods", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@auth_method", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Connection Statuses", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + 
"order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@status", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 5772405259988610, + "definition": { + "title": "Top Client OSs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@http.useragent_details.os.family", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + 
"facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Top Source Regions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srcregion", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 995832136782352, + "definition": { + "title": "Geo Distribution by User Public IP", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": 
"source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 1724800236216840, + "definition": { + "title": "Top Used Gateway Priorities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@priority", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 821969300317820, + "definition": { + "title": "Connection Methods", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@connect_method", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": 
"automatic" + } + }, + "layout": { + "x": 3, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 528357851839282, + "definition": { + "title": "GlobalProtect Client Versions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@client_ver", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 3409924901657536, + "definition": { + "title": "Top Gateways Used", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@gateway", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 4842646254107800, + "definition": { + "title": "Top Tunnel Types", + "title_size": "16", + "title_align": "left", + "type": 
"toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@tunnel_type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 1125426737335600, + "definition": { + "title": "Top User Public IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 7727127522985056, + "definition": { + "title": "Top Errors", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + 
"compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@error", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 8291612460816156, + "definition": { + "title": "Gateway Selection Method", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@selection_type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 9, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:GLOBALPROTECT $Device_Serial_Number $Subtype $Gateway $Status", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "stage", + "width": "auto" + }, + { + "field": "auth_method", + "width": "auto" + 
}, + { + "field": "status", + "width": "auto" + }, + { + "field": "http.useragent_details.os.family", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "priority", + "width": "auto" + }, + { + "field": "connect_method", + "width": "auto" + }, + { + "field": "client_ver", + "width": "auto" + }, + { + "field": "gateway", + "width": "auto" + }, + { + "field": "tunnel_type", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "error", + "width": "auto" + }, + { + "field": "selection_type", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Gateway", + "prefix": "@gateway", + "available_values": [], + "default": "*" + }, + { + "name": "Status", + "prefix": "@status", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_hip_match.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_hip_match.json new file mode 100644 index 0000000000000..ac994f006420a --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_hip_match.json 
@@ -0,0 +1,691 @@ +{ + "title": "Palo Alto Panorama: HIP Match", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about HIP Match logs.\n- These capture information about the security status of the endpoints accessing a network", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total HIP Match Events\n2. HIP Match Events Overtime\n3. Top Source Users\n4. Top User Machines\n5. Top Source Addresses\n6. Top Source Addresses (IPV6)\n7. Distribution by Virtual System\n8. Top Client OSs\n9. Source User Geo Distribution\n10. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total HIP Match Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "HIP Match Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "HIP Match", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 5074642991254010, + 
"definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Top User Machines", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@machinename", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Top Source Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + 
"data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Top Source Addresses (IPV6)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srcipv6", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Distribution by Virtual System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.vsys", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + 
"search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 4 + } + }, + { + "id": 5772405259988610, + "definition": { + "title": "Top Client OSs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@http.useragent_details.os.family", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 9, + "width": 3, + "height": 4 + } + }, + { + "id": 995832136782352, + "definition": { + "title": "Source User Geo Distribution", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name" + }, + "storage": "hot" + } + ] + } + ], + "style": { + 
"palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:HIP-MATCH $Device_Serial_Number $Match_Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "machinename", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "srcipv6", + "width": "auto" + }, + { + "field": "palo.alto.panorama.vsys", + "width": "auto" + }, + { + "field": "device_name", + "width": "auto" + }, + { + "field": "matchname", + "width": "auto" + }, + { + "field": "matchtype", + "width": "auto" + }, + { + "field": "http.useragent_details.os.family", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Match_Name", + "prefix": "@matchname", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_system.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_system.json new file mode 100644 index 0000000000000..e7cb41f0ded1c --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_system.json 
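Review bot: The image widget at the top of this dashboard loads its logo from a host the project does not control, `"url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png"` (and the same value for `url_dark_theme`), so every render of a shipped integration asset depends on the availability and integrity of a third-party thumbnail URL whose path may not be stable. The identical widget and URL are repeated in palo_alto_panorama_system.json and palo_alto_panorama_threat.json in this commit, so the change applies to all three. Serving the logo from an asset the integration itself owns, or at least from a location the project controls, would remove that external dependency. Separately, `"description": ""` leaves the dashboard without any summary in the dashboard list; a one-liner such as `"description": "Insights into Palo Alto Panorama HIP Match logs"` (and the equivalent in the other two dashboards) would help discoverability.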
@@ -0,0 +1,504 @@ +{ + "title": "Palo Alto Panorama: System", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about system related logs.\n- System logs display entries for each system event on the firewall. ", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total System Events\n2. System Events Overtime\n3. Subtype Distribution\n4. Distribution by Virtual System\n5. Top Modules\n6. Events by Severity\n7. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total System Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "System Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "System", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 5074642991254010, + 
"definition": { + "title": "Subtype Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Distribution by Virtual System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.vsys", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Top Modules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@module", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Events by Severity", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:SYSTEM $Device_Serial_Number $Subtype $Severity", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "module", + "width": "auto" + }, + { 
+ "field": "severity", + "width": "auto" + }, + { + "field": "palo.alto.panorama.vsys", + "width": "auto" + }, + { + "field": "device_name", + "width": "auto" + }, + { + "field": "eventid", + "width": "auto" + }, + { + "field": "opaque", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Severity", + "prefix": "@severity", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_threat.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_threat.json new file mode 100644 index 0000000000000..2b31ad5d113a9 --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_threat.json 
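Review bot: The "System Events Overtime" timeseries sets `"alias": "System"` on a query that is grouped by `@subtype`, so up to ten series share one alias; if the alias replaces the per-group label in the legend (I have not verified Datadog's behaviour here), the subtype breakdown the widget is meant to show becomes unreadable, and either dropping the alias or dropping the group_by would resolve it. The equivalent widget in palo_alto_panorama_threat.json in this commit carries `"alias": "TRAFFIC"` on a `@type:THREAT` query, which reads like a copy-paste leftover from the traffic dashboard and should be `"alias": "Threat"` or removed. The hip_match version groups by `@type` on a query already filtered to `@type:HIP-MATCH`, which yields a single series, so it is unaffected.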
@@ -0,0 +1,1879 @@ +{ + "title": "Palo Alto Panorama: Threat", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about threat related logs.\n- Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total Threat Events\n2. Threat Events Overtime\n3. Action Distribution\n4. Severity Distribution\n5. Attacks Direction\n6. Threat Categories Distribution\n7. Top Source Users\n8. Top Destination Users\n9. Top Sources\n10. Top Destinations\n11. Top Senders\n12. Top Recipients\n13. Source Zone Distribution\n14. Destination Zone Distribution\n15. Top URL/Files\n16. Top File Types\n17. Tunnel Type Distribution \n18. Top Flags\n19. Protocol Distribution\n20. Top App Categories\n21. Top Threat IDs\n22. Top Rules\n23. Top HTTP methods\n24. Top Subtype Categories\n25. Top URL Categories\n26. App Details with Risk\n27. Proxy Types\n28. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Threat Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Threat Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "TRAFFIC", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 
6205045309047866, + "definition": { + "title": "Action Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.action", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 2339075263211366, + "definition": { + "title": "Severity Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 1878016805033400, + "definition": { + "title": "Attacks Direction", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": 
"desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dir", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 4623822485828052, + "definition": { + "title": "Threat Categories Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@thrcategory", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 3 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@suser", + "limit": 10, + 
"sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 1125426737335600, + "definition": { + "title": "Top Destination Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@duser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 4842646254107800, + "definition": { + "title": "Top Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@src", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + 
"style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Top Destinations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dst", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 8, + "width": 3, + "height": 3 + } + }, + { + "id": 1724800236216840, + "definition": { + "title": "Top Senders", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@sender", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 7400182896416460, + "definition": { + "title": "Top Recipients", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@recipient", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Source Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srczone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Destination Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ 
+ "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dstzone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 9, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 3127493630425506, + "definition": { + "title": "Top URL/Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@misc", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 3, + "height": 3 + } + }, + { + "id": 528357851839282, + "definition": { + "title": "Top File Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@filetype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama 
@type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 14, + "width": 3, + "height": 3 + } + }, + { + "id": 2607404900043900, + "definition": { + "title": "Tunnel Type Distribution ", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@tunnel", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 14, + "width": 3, + "height": 3 + } + }, + { + "id": 8291612460816156, + "definition": { + "title": "Top Flags", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@flags", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + 
"y": 14, + "width": 3, + "height": 3 + } + }, + { + "id": 5772405259988610, + "definition": { + "title": "Protocol Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@proto", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 17, + "width": 3, + "height": 3 + } + }, + { + "id": 5548477814612748, + "definition": { + "title": "Top App Categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@appcat", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 17, + "width": 3, + "height": 3 + } + }, + { + "id": 8593934912781418, + "definition": { + "title": "Top Threat IDs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": 
"query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@threatid", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 17, + "width": 3, + "height": 3 + } + }, + { + "id": 7727127522985056, + "definition": { + "title": "Top Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 17, + "width": 3, + "height": 3 + } + }, + { + "id": 1454243730487964, + "definition": { + "title": "Top HTTP methods", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@http.method", + 
"limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 6, + "height": 3 + } + }, + { + "id": 2537904190555568, + "definition": { + "title": "Top Subtype Categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@cat", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 20, + "width": 3, + "height": 3 + } + }, + { + "id": 7260671878336116, + "definition": { + "title": "Top URL Categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@urlcategory", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 20, + "width": 3, + "height": 3 + } + }, + { + "id": 5436272002600982, + "definition": { + "title": "App Details with Risk", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "max", + "metric": "@palo.alto.panorama.apprisk" + }, + "group_by": [ + { + "facet": "@app", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "max", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@appcat", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "max", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@apptech", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "max", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@appsaas", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "max", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@appstate", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "max", + "metric": "@palo.alto.panorama.apprisk" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "App Risk", + "formula": "query1", + "limit": { + "count": 3125, + "order": "desc" + } + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 23, + "width": 9, + "height": 3 + } + }, + { + "id": 7541289981861842, + "definition": { + "title": "Proxy Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + 
} + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@flowtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 23, + "width": 3, + "height": 3 + } + }, + { + "id": 5804081654824820, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:THREAT $Device_Serial_Number $Subtype $Action $Severity", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "palo.alto.panorama.action", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "thrcategory", + "width": "auto" + }, + { + "field": "src", + "width": "auto" + }, + { + "field": "dst", + "width": "auto" + }, + { + "field": "suser", + "width": "auto" + }, + { + "field": "duser", + "width": "auto" + }, + { + "field": "srczone", + "width": "auto" + }, + { + "field": "dstzone", + "width": "auto" + }, + { + "field": "flags", + "width": "auto" + }, + { + "field": "tunnel", + "width": "auto" + }, + { + "field": "rule", + "width": "auto" + }, + { + "field": "sender", + "width": "auto" + }, + { + "field": "recipient", + "width": "auto" + }, + { + "field": "proto", + "width": "auto" + }, + { + "field": "misc", + "width": "auto" + }, + { + "field": "dir", + "width": "auto" + }, + { + "field": "app", + "width": "auto" + }, + { + "field": 
"palo.alto.panorama.apprisk", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@palo.alto.panorama.action", + "available_values": [], + "default": "*" + }, + { + "name": "Severity", + "prefix": "@severity", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_traffic.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_traffic.json new file mode 100644 index 0000000000000..e64301c7c9481 --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_traffic.json 
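Review bot: The image widget at the top of this dashboard hot-links the Palo Alto Networks logo from `upload.wikimedia.org` for both `url` and `url_dark_theme`, so every render of a shipped integration asset fetches content from a third party that neither the vendor nor this integration controls; if that file is moved, deleted or replaced, the dashboard silently shows whatever Wikimedia serves, and each viewer's browser discloses the request to that host (presumably with a referrer, which is worth confirming against the image widget's behaviour). Bundle the logo with the integration's own assets, or point both fields at a location the maintainers control, rather than an external wiki upload. Separately, the `Threat Events Overtime` timeseries carries the traffic dashboard's series label, `"alias": "TRAFFIC"`, on a `@type:THREAT` query; change it to `"alias": "THREAT"` (or drop the alias) so the legend does not mislabel threat counts as traffic.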
@@ -0,0 +1,1568 @@ +{ + "title": "Palo Alto Panorama: Traffic", + "description": null, + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about traffic related logs.\n- Traffic logs displays source and destination zones, addresses, and ports; security rule applied to the traffic flow; rule action (allow, deny, or drop); number of bytes; session end reason; etc.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n2. Total Traffic Events\n3. Traffic Events Overtime\n5. Bytes Activity Overtime\n6. Packets Activity Overtime\n7. Top Source Users\n8. Top Destination Users\n9. Top Sources\n10. Top Destinations\n11. Application vs Technology Breakdown\n12. Traffic by Application\n13. Source Zone Distribution\n14. Destination Zone Distribution\n15. Action Distribution\n16. Top Reasons for Session End\n17. Top Rules\n18. Top Flags\n19. Top Policies\n20. Tunnel Type Distribution \n21. Protocol Distribution\n22. App details with Risk\n23. 
Log Details\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Traffic Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Traffic Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "TRAFFIC", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 1262858690778924, + 
"definition": { + "title": "Bytes Activity Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Total Bytes", + "formula": "query1" + }, + { + "alias": "Bytes Read", + "formula": "query2" + }, + { + "alias": "Bytes Written", + "formula": "query3" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@bytes" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query2", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_read" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query3", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_written" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 3 + } + }, + { + "id": 4755645693815292, + "definition": { + "title": "Packets Activity Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Total Packets", + "formula": "query1" 
+ }, + { + "alias": "Packets Received", + "formula": "query2" + }, + { + "alias": "Packets Sent", + "formula": "query3" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.pkt" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query2", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.pktrcvd" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query3", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.pktsent" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 3 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@suser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 1125426737335600, + "definition": { + "title": "Top Destination Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@duser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 4842646254107800, + "definition": { + "title": "Top Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@src", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Top 
Destinations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dst", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 11, + "width": 3, + "height": 3 + } + }, + { + "id": 1017889768747050, + "definition": { + "title": "Application vs Technology Breakdown", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@apptech", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 847936980174736, + "definition": { + "title": "Traffic by Application ", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "response_format": "scalar", + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.pkt" + }, + "group_by": [ + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "sum", + "metric": "@bytes" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query2", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@bytes" + }, + "group_by": [ + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "sum", + "metric": "@bytes" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Total Packets", + "formula": "query1" + }, + { + "cell_display_mode": "bar", + "alias": "Total Bytes", + "formula": "query2", + "limit": { + "count": 20, + "order": "desc" + } + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Source Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srczone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + 
"legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Destination Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dstzone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 6072982711177336, + "definition": { + "title": "Action Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.action", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 18, + "width": 6, + "height": 3 + } + }, + { + "id": 3127493630425506, + "definition": { + "title": "Top Reasons for Session End", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@sessionendreason", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 3, + "height": 3 + } + }, + { + "id": 7727127522985056, + "definition": { + "title": "Top Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 21, + "width": 3, + "height": 3 + } + }, + { + "id": 8291612460816156, + "definition": { + "title": "Top Flags", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + 
"aggregation": "count" + }, + "group_by": [ + { + "facet": "@flags", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 21, + "width": 3, + "height": 3 + } + }, + { + "id": 528357851839282, + "definition": { + "title": "Top Policies", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@policyid", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 21, + "width": 3, + "height": 3 + } + }, + { + "id": 2607404900043900, + "definition": { + "title": "Tunnel Type Distribution ", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@tunnel", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": 
"hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 6, + "height": 3 + } + }, + { + "id": 5772405259988610, + "definition": { + "title": "Protocol Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@proto", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 24, + "width": 6, + "height": 3 + } + }, + { + "id": 5436272002600982, + "definition": { + "title": "App details with Risk", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "avg", + "metric": "@palo.alto.panorama.apprisk" + }, + "group_by": [ + { + "facet": "@app", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "avg", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@apptech", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "avg", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@appcat", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "avg", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@appsaas", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": 
"avg", + "metric": "@palo.alto.panorama.apprisk" + } + }, + { + "facet": "@appstate", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "avg", + "metric": "@palo.alto.panorama.apprisk" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "text_formats": [ + [], + [ + { + "match": { + "type": "is", + "value": "" + }, + "palette": "white_on_green" + } + ] + ], + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "App Risk", + "formula": "query1", + "limit": { + "count": 3125, + "order": "desc" + } + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 27, + "width": 12, + "height": 3 + } + }, + { + "id": 5804081654824820, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:TRAFFIC $Device_Serial_Number $Subtype $Action", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "serial", + "width": "auto" + }, + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "palo.alto.panorama.action", + "width": "auto" + }, + { + "field": "src", + "width": "auto" + }, + { + "field": "dst", + "width": "auto" + }, + { + "field": "rule", + "width": "auto" + }, + { + "field": "suser", + "width": "auto" + }, + { + "field": "duser", + "width": "auto" + }, + { + "field": "app", + "width": "auto" + }, + { + "field": "bytes", + "width": "auto" + }, + { + "field": "palo.alto.panorama.pkt", + "width": "auto" + }, + { + "field": "srczone", + "width": "auto" + }, + { + "field": "dstzone", + "width": "auto" + }, + { + "field": "proto", + "width": "auto" + }, + { + "field": "sessionendreason", + "width": "auto" + }, + { + "field": "tunnel", + "width": 
"auto" + }, + { + "field": "policyid", + "width": "auto" + }, + { + "field": "apptech", + "width": "auto" + }, + { + "field": "palo.alto.panorama.apprisk", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 5 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@palo.alto.panorama.action", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_tunnel_inspection.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_tunnel_inspection.json new file mode 100644 index 0000000000000..52415b67e6455 --- /dev/null +++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_tunnel_inspection.json 
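Review bot: The image widget at the top of this dashboard (first entry in `widgets`, both `url` and `url_dark_theme`) loads the vendor logo from `https://upload.wikimedia.org/...PaloAltoNetworks_2020_Logo.svg.png`, a host the project does not control, so every render of the shipped dashboard makes a third-party request and the asset can silently change or disappear. Point both fields at a logo hosted alongside the integration's other static assets (presumably the same Datadog-hosted path sibling integrations use — worth confirming against another `assets/dashboards/*.json` in the repo), e.g. `"url": "<project-hosted logo URL>", "url_dark_theme": "<project-hosted logo URL>"`. Separately, the "Widgets" note content starts at `2.` and skips `4.` while the tunnel-inspection dashboard's equivalent note is numbered from `1.`, so the index no longer lines up with the widgets that follow; renumber it `1.`–`22.` in order. The "App details with Risk" table also carries a `text_formats` entry matching the empty string with `white_on_green`, which looks like leftover editor state rather than intended formatting and can be dropped.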
@@ -0,0 +1,2522 @@ +{ + "title": "Palo Alto Panorama: Tunnel Inspection", + "description": "", + "widgets": [ + { + "id": 3092474590624262, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png", + "sizing": "scale-down", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4688297178923336, + "definition": { + "type": "note", + "content": "## Overview\n- This dashboard gives insights about tunnel inspection logs.\n- Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries of non-encrypted tunnel sessions.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8599185040282124, + "definition": { + "type": "note", + "content": "## Widgets\n1. Total Tunnel Inspection Events\n2. Tunnel Inspection Events Overtime\n3. Bytes Activity Overtime\n4. Packets Activity Overtime\n5. Action Distribution\n6. Top Rules\n7. Top Flags\n8. Tunnel Type Distribution \n9. Severity Distribution\n10. Top Inbound Interfaces\n11. Top Outbound Interfaces\n12. Top Source Users\n13. Top Destination Users\n14. Top Sources\n15. Top Destinations\n16. Source Zone Distribution\n17. Destination Zone Distribution\n18. Top Source Locations\n19. Top Destination Locations\n20. Source Geolocations\n21. Destination Geolocations\n22. Top Applications\n23. Application Technologies\n24. Appplication Categories\n25. 
Application Subcategories\n26. SAAS Applications\n27. Sanctioned Applications\n28. Distribution by Application Risk\n29. Top Application Characteristics\n30. Session End Reasons\n31. Virtual Systems\n32. Top Application Container\n33. Top IP Protocols\n34. Total Packets Transferred\n35. Packets Dropped (Max Encapulation)\n36. Packets Dropped (Unknown Protocol)\n37. Packets Dropped (Tunnel Fragment)\n38. Packets Dropped (Strict Checking)\n39. Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total Tunnel Inspection Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "Tunnel Inspection Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Tunnel Inspection", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + 
"limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 3127493630425506, + "definition": { + "title": "Bytes Activity Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Total Bytes", + "formula": "query1" + }, + { + "alias": "Bytes Written", + "formula": "query2" + }, + { + "alias": "Bytes Read", + "formula": "query3" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@bytes" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query2", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_written" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query3", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@network.bytes_read" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + 
"palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 3793573630078020, + "definition": { + "title": "Packets Activity Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Total Packets", + "formula": "query1" + }, + { + "alias": "Packets Received", + "formula": "query2" + }, + { + "alias": "Packets Sent", + "formula": "query3" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.pkt" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query2", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@pkts_received" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + }, + { + "data_source": "logs", + "name": "query3", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@pkts_sent" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Action Distribution", + 
"title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@action_source", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@palo.alto.panorama.action", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 3 + } + }, + { + "id": 7727127522985056, + "definition": { + "title": "Top Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 3, + "height": 3 + } + }, + { + "id": 8291612460816156, + "definition": { + "title": "Top Flags", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": 
"query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@flags", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 9, + "width": 3, + "height": 3 + } + }, + { + "id": 2607404900043900, + "definition": { + "title": "Tunnel Type Distribution ", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@tunnel", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 2339075263211366, + "definition": { + "title": "Severity Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": 
"@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 528357851839282, + "definition": { + "title": "Top Inbound Interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@inbound_if", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 5772405259988610, + "definition": { + "title": "Top Outbound Interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@outbound_if", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number 
$Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 4555792593992804, + "definition": { + "title": "Top Source Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srcuser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 1125426737335600, + "definition": { + "title": "Top Destination Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dstuser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 15, + 
"width": 3, + "height": 3 + } + }, + { + "id": 4842646254107800, + "definition": { + "title": "Top Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@src", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + "title": "Top Destinations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dst", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Source Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { 
+ "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@srczone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Destination Zone Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dstzone", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 1724800236216840, + "definition": { + "title": "Top Source Locations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + 
"group_by": [ + { + "facet": "@srcloc", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 7400182896416460, + "definition": { + "title": "Top Destination Locations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@dstloc", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 18, + "width": 3, + "height": 3 + } + }, + { + "id": 995832136782352, + "definition": { + "title": "Source Geolocations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": 
"source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 6, + "height": 4 + } + }, + { + "id": 5058233593718580, + "definition": { + "title": "Destination Geolocations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 21, + "width": 6, + "height": 4 + } + }, + { + "id": 8962919707691370, + "definition": { + "title": "Top Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], 
+ "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 25, + "width": 3, + "height": 3 + } + }, + { + "id": 5548477814612748, + "definition": { + "title": "Application Technologies", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@technology_of_app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 3, + "y": 25, + "width": 3, + "height": 3 + } + }, + { + "id": 7260671878336116, + "definition": { + "title": "Appplication Categories", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@category_of_app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 25, + "width": 3, + "height": 3 + } + }, + { + "id": 2537904190555568, + "definition": { + "title": 
"Application Subcategories", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subcategory_of_app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 9, + "y": 25, + "width": 3, + "height": 3 + } + }, + { + "id": 3246299556105570, + "definition": { + "title": "SAAS Applications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) @is_saas_of_app:1 $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 2, + "height": 3 + } + }, + { + "id": 3509417777103854, + "definition": { + "title": "Sanctioned Applications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": 
"source:palo-alto-panorama @type:(START OR END) @sanctioned_state_of_app:1 $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 28, + "width": 2, + "height": 3 + } + }, + { + "id": 7541289981861842, + "definition": { + "title": "Distribution by Application Risk", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@risk_of_app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1", + "limit": { + "count": 100, + "order": "desc" + } + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 28, + "width": 4, + "height": 3 + } + }, + { + "id": 1454243730487964, + "definition": { + "title": "Top Application Characteristics", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@characteristic_of_app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR 
END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 28, + "width": 4, + "height": 3 + } + }, + { + "id": 4623822485828052, + "definition": { + "title": "Session End Reasons", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@session_end_reason", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 31, + "width": 3, + "height": 3 + } + }, + { + "id": 3258590195437586, + "definition": { + "title": "Virtual Systems", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.vsys", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": 
"automatic" + } + }, + "layout": { + "x": 3, + "y": 31, + "width": 3, + "height": 3 + } + }, + { + "id": 12198085516410, + "definition": { + "title": "Top Application Container", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@container_of_app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 31, + "width": 3, + "height": 3 + } + }, + { + "id": 8593934912781418, + "definition": { + "title": "Top IP Protocols", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@proto", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 31, + "width": 3, + "height": 3 + } + }, + { + "id": 3943003895948684, + "definition": { + "title": "Total Packets Transferred", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.pkt" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 34, + "width": 4, + "height": 4 + } + }, + { + "id": 7315514970930934, + "definition": { + "title": "Packets Dropped (Max Encapulation)", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.max_encap" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 4, + "y": 34, + "width": 4, + "height": 2 + } + }, + { + "id": 4952436989350624, + "definition": { + "title": "Packets Dropped (Unknown Protocol)", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.unknown_proto" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) 
$Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 8, + "y": 34, + "width": 4, + "height": 2 + } + }, + { + "id": 7257554664235076, + "definition": { + "title": "Packets Dropped (Tunnel Fragment)", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.tunnel_fragment" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 4, + "y": 36, + "width": 4, + "height": 2 + } + }, + { + "id": 6560919975776724, + "definition": { + "title": "Packets Dropped (Strict Checking)", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "sum", + "metric": "@palo.alto.panorama.strict_check" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 8, + "y": 36, + "width": 4, + "height": 2 + } + }, + { + "id": 8298072862374932, + "definition": { + "title": "Log Details", + "title_size": "16", + 
"title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:(START OR END) $Device_Serial_Number $Subtype $Action $Severity", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "palo.alto.panorama.action", + "width": "auto" + }, + { + "field": "action_source", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "src", + "width": "auto" + }, + { + "field": "dst", + "width": "auto" + }, + { + "field": "srcuser", + "width": "auto" + }, + { + "field": "dstuser", + "width": "auto" + }, + { + "field": "rule", + "width": "auto" + }, + { + "field": "flags", + "width": "auto" + }, + { + "field": "srczone", + "width": "auto" + }, + { + "field": "dstzone", + "width": "auto" + }, + { + "field": "tunnel", + "width": "auto" + }, + { + "field": "srcloc", + "width": "auto" + }, + { + "field": "dstloc", + "width": "auto" + }, + { + "field": "proto", + "width": "auto" + }, + { + "field": "bytes", + "width": "auto" + }, + { + "field": "palo.alto.panorama.pkt", + "width": "auto" + }, + { + "field": "app", + "width": "auto" + }, + { + "field": "technology_of_app", + "width": "auto" + }, + { + "field": "category_of_app", + "width": "auto" + }, + { + "field": "risk_of_app", + "width": "auto" + }, + { + "field": "session_end_reason", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 38, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@palo.alto.panorama.action", + "available_values": [], + "default": "*" + }, + { + 
"name": "Severity",
+ "prefix": "@severity",
+ "available_values": [],
+ "default": "*"
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/palo_alto_panorama/assets/dashboards/palo_alto_panorama_user_id.json b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_user_id.json
new file mode 100644
index 0000000000000..b8135507afca7
--- /dev/null
+++ b/palo_alto_panorama/assets/dashboards/palo_alto_panorama_user_id.json
@@ -0,0 +1,565 @@
+{
+ "title": "Palo Alto Panorama: User ID",
+ "description": "",
+ "widgets": [
+ {
+ "id": 3092474590624262,
+ "definition": {
+ "type": "image",
+ "url": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png",
+ "url_dark_theme": "https://upload.wikimedia.org/wikipedia/commons/thumb/d/de/PaloAltoNetworks_2020_Logo.svg/220px-PaloAltoNetworks_2020_Logo.svg.png",
+ "sizing": "scale-down",
+ "has_background": true,
+ "has_border": false,
+ "vertical_align": "center",
+ "horizontal_align": "center"
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 3,
+ "height": 2
+ }
+ },
+ {
+ "id": 4688297178923336,
+ "definition": {
+ "type": "note",
+ "content": "## Overview\n- This dashboard gives insights about User ID logs.\n- User-ID logs display information about IP address-to-username mappings and authentication.",
+ "background_color": "white",
+ "font_size": "14",
+ "text_align": "left",
+ "vertical_align": "top",
+ "show_tick": false,
+ "tick_pos": "50%",
+ "tick_edge": "left",
+ "has_padding": true
+ },
+ "layout": {
+ "x": 3,
+ "y": 0,
+ "width": 4,
+ "height": 2
+ }
+ },
+ {
+ "id": 8599185040282124,
+ "definition": {
+ "type": "note",
+ "content": "## Widgets\n1. Total User-ID Events\n2. User-ID Events Overtime\n3. Top Users\n4. Top Data Source Names\n5. Distribution by Virtual System\n6. Top Source IPs\n7. Source IP Geo Distribution\n8. 
Log Details", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 2 + } + }, + { + "id": 345407825527640, + "definition": { + "title": "Total User-ID Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 3 + } + }, + { + "id": 6804421863386286, + "definition": { + "title": "User-ID Events Overtime", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "User-ID", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@subtype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 2, + "width": 9, + "height": 3 + } + }, + { + "id": 5074642991254010, + "definition": { + 
"title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 1561976797598968, + "definition": { + "title": "Top Data Source Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@datasourcename", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 6205045309047866, + "definition": { + "title": "Distribution by Virtual System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + 
"indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@palo.alto.panorama.vsys", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 8, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 8681469698339168, + "definition": { + "title": "Top Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 10, + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 995832136782352, + "definition": { + "title": "Source IP Geo Distribution", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "count": 500, + "order": "desc" + } + } + ], + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + 
"aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype" + }, + "storage": "hot" + } + ] + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 4, + "y": 9, + "width": 8, + "height": 4 + } + }, + { + "id": 2669721022694840, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:palo-alto-panorama @type:USERID $Device_Serial_Number $Subtype", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "time_generated", + "width": "auto" + }, + { + "field": "subtype", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "datasourcename", + "width": "auto" + }, + { + "field": "datasource", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "palo.alto.panorama.vsys", + "width": "auto" + }, + { + "field": "factortype", + "width": "auto" + }, + { + "field": "factorno", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Device_Serial_Number", + "prefix": "@serial", + "available_values": [], + "default": "*" + }, + { + "name": "Subtype", + "prefix": "@subtype", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_panorama/assets/logs/palo-alto-panorama.yaml b/palo_alto_panorama/assets/logs/palo-alto-panorama.yaml new file mode 100644 index 0000000000000..04bb8f1e84e5a --- /dev/null +++ b/palo_alto_panorama/assets/logs/palo-alto-panorama.yaml 
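Review bot: The "Top Data Source Names" toplist and the "Distribution by Virtual System" sunburst set the formula limit to `"count": 500` while their `group_by` is capped at `"limit": 10`, so the 500 can never take effect and it diverges from the `"count": 10` used by "Top Users" and "Top Source IPs" in the same file; aligning them to `"count": 10` keeps the widgets consistent. The image widget loads the vendor logo from `upload.wikimedia.org` for both `url` and `url_dark_theme`, which makes every dashboard view issue a request to a third-party host outside the integration's control and breaks the widget if that file is moved; bundling the asset with the integration or pointing at a vendor-hosted copy removes the external dependency. The widget title "User-ID Events Overtime" reads as "extra hours" rather than a time series; "User-ID Events Over Time" is the intended meaning.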
@@ -0,0 +1,1068 @@ +id: palo-alto-panorama +metric_id: palo-alto-panorama +backend_only: false +facets: + - groups: + - Web Access + name: Method + path: http.method + source: log + - groups: + - Web Access + name: User-Agent + path: http.useragent + source: log + - groups: + - Web Access + name: Browser + path: http.useragent_details.browser.family + source: log + - groups: + - Web Access + name: Device + path: http.useragent_details.device.family + source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: 
network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - groups: + - User + name: User Name + path: usr.name + source: log + - facetType: list + groups: + - Palo Alto Panorama + name: Action (Panorama) + path: palo.alto.panorama.action + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Application Characteristic + path: palo.alto.panorama.appchar + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Application Container + path: palo.alto.panorama.appcont + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Application Subcategory + path: palo.alto.panorama.appsubcat + source: log + type: string + - facetType: range + groups: + - Palo Alto Panorama + name: apprisk + path: palo.alto.panorama.apprisk + source: log + type: integer + - facetType: list + groups: + - Palo Alto Panorama + name: Authentication Result + path: palo.alto.panorama.event + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Destination Device Category + path: palo.alto.panorama.dcat + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Destination Device Mode + path: palo.alto.panorama.dmodel + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Destination Device OS Version + path: palo.alto.panorama.dosver + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Destination Device Profile + path: 
palo.alto.panorama.dprofile + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Destination Device Vendor + path: palo.alto.panorama.dven + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Destination Mac Address + path: palo.alto.panorama.dmac + source: log + type: string + - facetType: range + groups: + - Palo Alto Panorama + name: Maximum Encapsulation + path: palo.alto.panorama.max_encap + source: log + type: double + - facetType: range + groups: + - Palo Alto Panorama + name: Packets + path: palo.alto.panorama.pkt + source: log + type: integer + - facetType: range + groups: + - Palo Alto Panorama + name: Packets Received + path: palo.alto.panorama.pktrcvd + source: log + type: integer + - facetType: range + groups: + - Palo Alto Panorama + name: Packets Sent + path: palo.alto.panorama.pktsent + source: log + type: integer + - facetType: list + groups: + - Palo Alto Panorama + name: Source Device Category + path: palo.alto.panorama.scat + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Source Device Model + path: palo.alto.panorama.smodel + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Source Device OS Version + path: palo.alto.panorama.sosver + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Source Device Profile + path: palo.alto.panorama.sprofile + source: log + type: string + - facetType: list + groups: + - Palo Alto Panorama + name: Source Device Vendor + path: palo.alto.panorama.sven + source: log + type: string + - facetType: range + groups: + - Palo Alto Panorama + name: Strict Checking + path: palo.alto.panorama.strict_check + source: log + type: double + - facetType: range + groups: + - Palo Alto Panorama + name: Tunnel Fragment + path: palo.alto.panorama.tunnel_fragment + source: log + type: integer + - facetType: range + groups: + - Palo Alto Panorama + 
name: Unknown Protocol + path: palo.alto.panorama.unknown_proto + source: log + type: integer + - facetType: list + groups: + - Palo Alto Panorama + name: Virtual System + path: palo.alto.panorama.vsys + source: log + type: string + - facetType: range + groups: + - Web Access + name: Network Bytes Read + path: network.bytes_read + source: log + type: double + unit: + family: bytes + name: byte + - facetType: range + groups: + - Web Access + name: Bytes Written + path: network.bytes_written + source: log + type: double + unit: + family: bytes + name: byte +pipeline: + type: pipeline + name: Palo Alto Panorama + enabled: true + filter: + query: "source:palo-alto-panorama" + processors: + - type: grok-parser + name: Parsing Palo Alto Panorama logs + enabled: true + source: message + samples: + - <190>Jan 18 12:46:54 PA-VM + serial=42808DUMMY733|type=TRAFFIC|subtype=end|time_generated=Jan 25 + 2024 11:02:57 + GMT|src=10.0.0.1|dst=10.0.0.2|natsrc=10.0.0.3|natdst=10.0.0.4|rule=LAN-WAN|suser=|duser=|app=incomplete|vsys=vsys1|from=LAN|to=WAN|inboundif=ethernet1/1|outboundif=ethernet1/2|logset=POC-Dash-DD-204-9099|sessionid=15281|repeatcnt=1|sport=42071|dport=233|natsport=46973|natdport=233|flags=0x40001b|proto=tcp|act=allow|bytes=134|bytes_sent=74|bytes_received=60|pkt=2|start=2024/01/18 + 
12:46:45|elapsed=0|cat=any|seq=7288183648727243213|actflag=0x0|sloc=10.0.0.0-10.255.255.255|dloc=10.0.0.0-10.255.255.255|pktsent=1|pktrcvd=1|sessionendreason=tcp-rst-from-server|vsysname=|dvc=PA-VM|actsrc=from-policy|suuid=|duuid=|tunnelid=0|monitortag=|parentid=0|parentst=|tunnel=N/A|associd=0|chunk=0|chunksent=0|chunkrcvd=0|ruleuuid=9d526565-xxyy-4e35-9c2e-6f54430132ec|http2conn=0|appflap=0|policyid=|link=|dynusrgrp=|xffip=|scat=|sprofile=|smodel=|sven=|sosfam=|sosver=|shost=|smac=|dcat=|dprofile=|dmodel=|dven=|dosfam=|dosver=|dhost=|dmac=|contid=|podnamespace=|podname=|sedl=|dedl=|hostid=|srnum=|sdag=|ddag=|sessionown=|subcatapp=unknown|appcat=unknown|apptech=unknown|apprisk=1|appchar=|appcont=|tunneledapp=incomplete|appsaas=no|appstate=no|offloaded=0|flowtype=|cluster= + - <190>Jan 16 14:15:34 PA-VM + serial=42808DUMMY733|type=THREAT|subtype=url|time_generated=Jan 25 + 2024 11:02:57 + GMT|src=10.1.0.1|dst=10.1.0.2|natsrc=10.0.0.3|natdst=10.0.0.4|rule=Block + URL and + Apps|suser=|duser=|app=facebook-base|vsys=vsys1|from=LAN|to=WAN|inboundif=ethernet1/2|outboundif=ethernet1/1|logset=New_Log_Profile|sessionid=1553|repeatcnt=1|sport=49896|dport=443|natsport=16742|natdport=443|flags=0x403400|proto=tcp|act=block-url|misc=www.facebook.com/|threatid=9999(9999)|cat=social-networking|severity=informational|dir=client-to-server|seqno=7312400435275366420|actflags=0x0|sloc=10.0.0.0-10.255.255.255|dloc=India|contenttype=|pcapip=0|filedigest=|cloud=|urlidx=0|useragent=|filetype=|xff=|ref=|sender=|sub=|recipient=|reportid=0|vsysname=|dvc=PA-VM|suuid=|duuid=|http_method=|tunnelid=0|monitortag=|tunnel=N/A|thrcategory=N/A|contentver=AppThreat-0-0|ppid=4294967295|httpheaders=|urlcategory=social-networking,low-risk|ruleuuid=b77632fb-xxyy-49f2-b319-e02d91a826fc|http2conn=0|dynusrgrp=|xffip=|scat=|sprofile=|smodel=|sven=|sosfam=|sosver=|shost=|smac=|dcat=|dprofile=|dmodel=|dven=|dosfam=|dosver=|dhost=|dmac=|contid=|podnamespace=|podname=|hostid=|srnum=|reason=|justification=|subcatAp
p=social-networking|appcat=saas|apptech=browser-based|apprisk=4|appchar=used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use,is-saas,no-certifications|appcont=facebook|tunneledapp=facebook-base|appsaas=yes|appstate=no|cloudreportid=|cluster=|flowtype= + - > + <190>Jan 16 14:15:24 PA-VM receive_time=2024/01/16 + 11:27:19|serial=7051000206484|type=SYSTEM|subtype=general|time_generated=Jan + 25 2024 11:02:57 + GMT|vsys=|eventid=general|object=|module=general|severity=informational|opaque=User + admin performed a log export operation for config + log.|seqno=7288183790458945051|actionflags=0x0|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=|device_name=PA-VM|high_res_timestamp=2024-01-16T11:27:20.587+05:30 + - <190>Jan 16 14:15:24 PA-VM receive_time=2023/11/24 + 15:38:21|serial=42808DUMMY733|type=CONFIG|subtype=1|time_generated=Jan + 25 2024 11:02:57 + GMT|host=8.8.8.8|vsys=test1|cmd=audit-commit|admin=admin|client=Web|result=Succeeded|path=vsys + vsys1 rulebase nat rules + LAN-WAN|before-change-detail=d3669n472-xxyy-4d21-bf0f-ed099ecfbaad|after-change-detail=d3669472-xxyy-4d21-bf0f-ed099ecfbaad|seqno=7304913645853474846|actionflags=0x0|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=|device_name=PA-VM|dg_id=0|comment=LAN-WAN|high_res_timestamp=2024-01-16T14:15:34.518+05:30 + - <190>Jan 16 14:15:24 PA-VM receive_time=2024/01/16 + 14:15:34|serial=42808DUMMY733|type=START|subtype=Start|time_generated=Jan + 25 2024 11:02:57 + GMT|src=10.4.0.1|dst=8.8.8.8|natsrc=10.5.0.1|natdst=8.8.8.8|rule=RuleName|srcuser=DASH12|dstuser=SMT25|app=ssl|vsys=vsys2|from=LAN|to=WAN|inbound_if=ethernet1/2|outbound_if=ethernet1/1|logset=POC-Dash-DD-204-9099|sessionid=2298|repeatcnt=1|sport=53342|dport=443|natsport=53397|natdport=443|flags=0x02000000|proto=tcp|act=Allow|severity=informational|seqno=7324580429950879745|actionflags=0x0|srcloc=10.0.0.0-10.255.255.255|dstloc=United + 
States|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=vsys2|device_name=PA-VM|tunnelid=0|monitortag=420420123|parent_session_id=0|parent_start_time=2024/01/01 + 12:15:30|tunnel=IPsec|bytes=847|bytes_sent=781|bytes_received=66|pkt=4|pkts_sent=3|pkts_received=1|max_encap=1|unknown_proto=2|strict_check=2|tunnel_fragment=3|sessions_created=2|sessions_closed=3|session_end_reason=threat|action_source=allow|start=2024/01/01 + 12:30:15|elapsed=0|tunnel_insp_rule=insepction_rule_1|remote_user_ip=10.1.2.3|remote_user_id=40201234567|rule_uuid=731925f6-8e55-xxyy-b82f-910b26004dfd|pcap_id=1223xa155545|dynusergroup_name=agnet145|src_edl=10.0.1.2|dst_edl=10.0.3.4|high_res_timestamp=2024-01-16T14:15:34.518+05:30|nssai_sd=|nssai_sst=|pdu_session_id=1234758662|subcategory_of_app=encrypted-tunnel|category_of_app=business-systems|technology_of_app=browser-based|risk_of_app=1|characteristic_of_app=used-by-malware,able-to-transfer-file|container_of_app=google|is_saas_of_app=1|sanctioned_state_of_app=0|cluster_name=test-nw-cluster + grok: + supportRules: "" + matchRules: > + rule_panorama (<%{integer}>)?((%{date("MMM d HH:mm:ss")}|%{date("MMM + dd HH:mm:ss")}) (%{notSpace})?) 
%{data::keyvalue("="," \"/:,(){};+", + "", "|")} + - type: grok-parser + name: Parsing 'time_generated' to 'timestamp' (epoch) + enabled: true + source: time_generated + samples: + - Jan 24 2024 10:30:11 GMT + grok: + supportRules: "" + matchRules: date_rule %{date("MMM dd yyyy HH:mm:ss z"):timestamp} + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp + - type: service-remapper + name: Define `type` as the official service of the log + enabled: true + sources: + - type + - type: pipeline + name: Processors for `severity` field + enabled: true + filter: + query: '@type:("THREAT" OR "START" OR "END" OR "SYSTEM" OR "CORRELATION") ' + processors: + - name: Lookup for `severity` to `status` + enabled: true + source: severity + target: status + lookupTable: |- + informational, info + low, info + medium, warning + high, warning + critical, critical + type: lookup-processor + - type: status-remapper + name: Define `status` as the official status of the log + enabled: true + sources: + - status + - type: pipeline + name: Processors for "Decryption" OR "Traffic" OR "Threat" OR "Tunnel + Inspection" log types + enabled: true + filter: + query: '@type:("DECRYPTION" OR "TRAFFIC" OR "THREAT" OR "START" OR "END") ' + processors: + - type: attribute-remapper + name: Map `natsrc` to `network.client.ip` + enabled: true + sources: + - natsrc + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `natdst` to `network.destination.ip` + enabled: true + sources: + - natdst + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `natsport` to `network.client.port` + enabled: true + sources: + - natsport + sourceType: attribute + target: network.client.port + targetType: attribute + 
preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `natdport` to `network.destination.port` + enabled: true + sources: + - natdport + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Map `network.client.ip` to `network.client.geoip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Map `network.destination.ip` to `network.destination.geoip` + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: attribute-remapper + name: Map `from` to `srczone` + enabled: true + sources: + - from + sourceType: attribute + target: srczone + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `to` to `dstzone` + enabled: true + sources: + - to + sourceType: attribute + target: dstzone + targetType: attribute + preserveSource: false + overrideOnConflict: false + - name: Map `flags` with `flag_details` + enabled: true + source: flags + target: flag_details + lookupTable: >- + 0x80000000,session has a packet capture (PCAP) + + 0x40000000,option is enabled to allow a client to use multiple paths to connect to a destination host + + 0x20000000,indicates whether a sample has been submitted for analysis using the WildFire public or private cloud channel + + 0x10000000,enterprise credential submission by end user detected + + 0x08000000,source for the flow is on the allow list and not subject to recon protection + + 0x02000000,IPv6 session + + 0x01000000,SSL session is decrypted (SSL Proxy) + + 0x00800000,session is denied via URL filtering + + 0x00400000,session has a NAT translation performed + + 0x00200000,user information for the session was captured through Authentication Portal + + 
0x00100000,application traffic is on a non-standard destination port + + 0x00080000,X-Forwarded-For value from a proxy is in the source user field + + 0x00040000,log corresponds to a transaction within a http proxy session (Proxy Transaction) + + 0x00020000,Client to Server flow is subject to policy based forwarding + + 0x00010000,Server to Client flow is subject to policy based forwarding + + 0x00008000,session is a container page access (Container Page) + + 0x00002000,session has a temporary match on a rule for implicit application dependency handling + + 0x00000800,symmetric return is used to forward traffic for this session + + 0x00000400,decrypted traffic is being sent out clear text through a mirror port + + 0x00000100,payload of the outer tunnel is being inspected + type: lookup-processor + - type: attribute-remapper + name: Map `act` to `palo.alto.panorama.action` + enabled: true + sources: + - act + sourceType: attribute + target: palo.alto.panorama.action + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Processors for "User ID" log type + enabled: true + filter: + query: '@type:"USERID" ' + processors: + - type: attribute-remapper + name: Map `ip` to `network.client.ip` + enabled: true + sources: + - ip + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `beginport` to `network.client.port` + enabled: true + sources: + - beginport + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `endport` to `network.destination.port` + enabled: true + sources: + - endport + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Processors for "Global Protect" log type + enabled: 
true + filter: + query: '@type:"GLOBALPROTECT" ' + processors: + - type: attribute-remapper + name: Map `client_os` to `http.useragent_details.os.family` + enabled: true + sources: + - client_os + sourceType: attribute + target: http.useragent_details.os.family + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `public_ip` to `network.client.ip` + enabled: true + sources: + - public_ip + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Map 'network.client.ip' to 'network.client.geoip' + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: pipeline + name: Processors for "Traffic" AND "Tunnel Inspection" + enabled: true + filter: + query: '@type:("TRAFFIC" OR "START" OR "END") ' + processors: + - type: attribute-remapper + name: Map `bytes_sent` to `network.bytes_read` + enabled: true + sources: + - bytes_sent + sourceType: attribute + target: network.bytes_read + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `bytes_received` to `network.bytes_written` + enabled: true + sources: + - bytes_received + sourceType: attribute + target: network.bytes_written + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Processors for "Authentication" log type + enabled: true + filter: + query: '@type:"AUTHENTICATION" ' + processors: + - type: attribute-remapper + name: Map `ip` to `network.client.ip` + enabled: true + sources: + - ip + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `user_agent` to `http.useragent` + enabled: true + sources: + - user_agent + sourceType: attribute + target: http.useragent 
+ targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: user-agent-parser + name: Parsing User Agent + enabled: true + sources: + - http.useragent + target: http.useragent_details + encoded: false + combineVersionDetails: false + - type: pipeline + name: Processors for 'Threat' log type + enabled: true + filter: + query: '@type:"THREAT" ' + processors: + - type: attribute-remapper + name: Map `http_method` to `http.method` + enabled: true + sources: + - http_method + sourceType: attribute + target: http.method + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Processors for "Decryption" AND "Authentication" + enabled: true + filter: + query: '@type:("DECRYPTION" OR "AUTHENTICATION") ' + processors: + - type: attribute-remapper + name: Map `src_osfamily` to `http.useragent_details.os.family` + enabled: true + sources: + - src_osfamily + sourceType: attribute + target: http.useragent_details.os.family + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Processors for "HIP Match" OR "Correlated Events" + enabled: true + filter: + query: '@type:("HIP-MATCH" OR "CORRELATION") ' + processors: + - type: attribute-remapper + name: Map `src` to `network.client.ip` + enabled: true + sources: + - src + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: GeoIP Parser for `network.client.ip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: pipeline + name: Processors for "HIP Match" log type + enabled: true + filter: + query: '@type:"HIP-MATCH" ' + processors: + - type: attribute-remapper + name: Map `os` to `http.useragent_details.os.family` + enabled: true + sources: + - os + sourceType: attribute + target: http.useragent_details.os.family + targetType: attribute 
+ preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Map 'network.client.ip' to 'network.client.geoip' + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: pipeline + name: Processors for "Authentication" OR "User ID" log type + enabled: true + filter: + query: '@type:("AUTHENTICATION" OR "USERID") ' + processors: + - type: attribute-remapper + name: Map `user` to `usr.name` + enabled: true + sources: + - user + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Map 'network.client.ip' to 'network.client.geoip' + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: pipeline + name: Processors for "HIP Match" OR "Correlated Events" OR "Global Protect" log + types + enabled: true + filter: + query: '@type:("HIP-MATCH" OR "CORRELATION" OR "GLOBALPROTECT") ' + processors: + - type: attribute-remapper + name: Map `srcuser` to `usr.name` + enabled: true + sources: + - srcuser + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Processors for "Config" log type + enabled: true + filter: + query: '@type:"CONFIG" ' + processors: + - type: attribute-remapper + name: Map `admin` to `usr.name` + enabled: true + sources: + - admin + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `appchar` to `palo.alto.panorama.appchar` + enabled: true + sources: + - appchar + sourceType: attribute + target: palo.alto.panorama.appchar + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `appcont` to `palo.alto.panorama.appcont` + enabled: true + sources: + - 
appcont + sourceType: attribute + target: palo.alto.panorama.appcont + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `appchar` to `palo.alto.panorama.appchar` + enabled: true + sources: + - appchar + sourceType: attribute + target: palo.alto.panorama.appchar + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `appcont` to `palo.alto.panorama.appcont` + enabled: true + sources: + - appcont + sourceType: attribute + target: palo.alto.panorama.appcont + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `appsubcat` to `palo.alto.panorama.appsubcat` + enabled: true + sources: + - appsubcat + sourceType: attribute + target: palo.alto.panorama.appsubcat + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `apprisk` to `palo.alto.panorama.apprisk` + enabled: true + sources: + - apprisk + sourceType: attribute + target: palo.alto.panorama.apprisk + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `event` to `palo.alto.panorama.event` + enabled: true + sources: + - event + sourceType: attribute + target: palo.alto.panorama.event + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dcat` to `palo.alto.panorama.dcat` + enabled: true + sources: + - dcat + sourceType: attribute + target: palo.alto.panorama.dcat + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dmodel` to `palo.alto.panorama.dmodel` + enabled: true + sources: + - dmodel + sourceType: attribute + target: palo.alto.panorama.dmodel + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dosver` to 
`palo.alto.panorama.dosver` + enabled: true + sources: + - dosver + sourceType: attribute + target: palo.alto.panorama.dosver + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dprofile` to `palo.alto.panorama.dprofile` + enabled: true + sources: + - dprofile + sourceType: attribute + target: palo.alto.panorama.dprofile + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dven` to `palo.alto.panorama.dven` + enabled: true + sources: + - dven + sourceType: attribute + target: palo.alto.panorama.dven + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dmac` to `palo.alto.panorama.dmac` + enabled: true + sources: + - dmac + sourceType: attribute + target: palo.alto.panorama.dmac + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `max_encap` to `palo.alto.panorama.max_encap` + enabled: true + sources: + - max_encap + sourceType: attribute + target: palo.alto.panorama.max_encap + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `pkt` to `palo.alto.panorama.pkt` + enabled: true + sources: + - pkt + sourceType: attribute + target: palo.alto.panorama.pkt + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `pktrcvd` to `palo.alto.panorama.pktrcvd` + enabled: true + sources: + - pktrcvd + sourceType: attribute + target: palo.alto.panorama.pktrcvd + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `pktsent` to `palo.alto.panorama.pktsent` + enabled: true + sources: + - pktsent + sourceType: attribute + target: palo.alto.panorama.pktsent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: 
attribute-remapper + name: Map `scat` to `palo.alto.panorama.scat` + enabled: true + sources: + - scat + sourceType: attribute + target: palo.alto.panorama.scat + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `smodel` to `palo.alto.panorama.smodel` + enabled: true + sources: + - smodel + sourceType: attribute + target: palo.alto.panorama.smodel + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `sosver` to `palo.alto.panorama.sosver` + enabled: true + sources: + - sosver + sourceType: attribute + target: palo.alto.panorama.sosver + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `sprofile` to `palo.alto.panorama.sprofile` + enabled: true + sources: + - sprofile + sourceType: attribute + target: palo.alto.panorama.sprofile + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `sven` to `palo.alto.panorama.sven` + enabled: true + sources: + - sven + sourceType: attribute + target: palo.alto.panorama.sven + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `strict_check` to `palo.alto.panorama.strict_check` + enabled: true + sources: + - strict_check + sourceType: attribute + target: palo.alto.panorama.strict_check + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `tunnel_fragment` to `palo.alto.panorama.tunnel_fragment` + enabled: true + sources: + - tunnel_fragment + sourceType: attribute + target: palo.alto.panorama.tunnel_fragment + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `unknown_proto` to `palo.alto.panorama.unknown_proto` + enabled: true + sources: + - unknown_proto + sourceType: attribute + 
target: palo.alto.panorama.unknown_proto + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `vsys` to `palo.alto.panorama.vsys` + enabled: true + sources: + - vsys + sourceType: attribute + target: palo.alto.panorama.vsys + targetType: attribute + preserveSource: false + overrideOnConflict: false \ No newline at end of file diff --git a/palo_alto_panorama/assets/logs/palo-alto-panorama_tests.yaml b/palo_alto_panorama/assets/logs/palo-alto-panorama_tests.yaml new file mode 100644 index 0000000000000..fef38d568e31e --- /dev/null +++ b/palo_alto_panorama/assets/logs/palo-alto-panorama_tests.yaml 
@@ -0,0 +1,436 @@ +id: "palo-alto-panorama" +tests: + - + sample: "<190>Jan 18 12:46:54 PA-VM serial=42808DUMMY733|type=TRAFFIC|subtype=end|time_generated=Jan 25 2024 11:02:57 GMT|src=185.64.148.0|dst=185.64.148.0|natsrc=185.64.148.0|natdst=185.64.148.0|rule=LAN-WAN|suser=|duser=|app=incomplete|vsys=vsys1|from=LAN|to=WAN|inboundif=ethernet1/1|outboundif=ethernet1/2|logset=POC-Dash-DD-204-9099|sessionid=15281|repeatcnt=1|sport=42071|dport=233|natsport=46973|natdport=233|flags=0x40001b|proto=tcp|act=allow|bytes=134|bytes_sent=74|bytes_received=60|pkt=2|start=2024/01/18 12:46:45|elapsed=0|cat=any|seq=7288183648727243213|actflag=0x0|sloc=10.0.0.0-10.255.255.255|dloc=10.0.0.0-10.255.255.255|pktsent=1|pktrcvd=1|sessionendreason=tcp-rst-from-server|vsysname=|dvc=PA-VM|actsrc=from-policy|suuid=|duuid=|tunnelid=0|monitortag=|parentid=0|parentst=|tunnel=N/A|associd=0|chunk=0|chunksent=0|chunkrcvd=0|ruleuuid=9d526565-xxyy-4e35-9c2e-6f54430132ec|http2conn=0|appflap=0|policyid=|link=|dynusrgrp=|xffip=|scat=|sprofile=|smodel=|sven=|sosfam=|sosver=|shost=|smac=|dcat=|dprofile=|dmodel=|dven=|dosfam=|dosver=|dhost=|dmac=|contid=|podnamespace=|podname=|sedl=|dedl=|hostid=|srnum=|sdag=|ddag=|sessionown=|subcatapp=unknown|appcat=unknown|apptech=unknown|apprisk=1|appchar=|appcont=|tunneledapp=incomplete|appsaas=no|appstate=no|offloaded=0|flowtype=|cluster=" + result: + custom: + actflag: "0x0" + actsrc: "from-policy" + app: "incomplete" + appcat: "unknown" + appflap: 0 + appsaas: "no" + appstate: "no" + apptech: "unknown" + associd: 0 + bytes: 134 + cat: "any" + chunk: 0 + chunkrcvd: 0 + chunksent: 0 + dloc: "10.0.0.0-10.255.255.255" + dport: 233 + dst: "185.64.148.0" + dstzone: "WAN" + dvc: "PA-VM" + elapsed: 0 + flags: "0x40001b" + http2conn: 0 + inboundif: "ethernet1/1" + logset: "POC-Dash-DD-204-9099" + network: + bytes_read: 74 + bytes_written: 60 + client: + geoip: + city: + name: "Paris" + continent: + code: "EU" + name: "Europe" + country: + iso_code: "FR" + name: "France" + 
ipAddress: "185.64.148.0" + location: + latitude: 48.90654 + longitude: 2.33339 + subdivision: + iso_code: "FR-IDF" + name: "Île-de-France" + timezone: "Europe/Paris" + ip: "185.64.148.0" + port: 46973 + destination: + geoip: + city: + name: "Paris" + continent: + code: "EU" + name: "Europe" + country: + iso_code: "FR" + name: "France" + ipAddress: "185.64.148.0" + location: + latitude: 48.90654 + longitude: 2.33339 + subdivision: + iso_code: "FR-IDF" + name: "Île-de-France" + timezone: "Europe/Paris" + ip: "185.64.148.0" + port: 233 + offloaded: 0 + outboundif: "ethernet1/2" + palo: + alto: + panorama: + action: "allow" + apprisk: 1 + pkt: 2 + pktrcvd: 1 + pktsent: 1 + vsys: "vsys1" + parentid: 0 + proto: "tcp" + repeatcnt: 1 + rule: "LAN-WAN" + ruleuuid: "9d526565-xxyy-4e35-9c2e-6f54430132ec" + seq: 7288183648727243213 + serial: "42808DUMMY733" + sessionendreason: "tcp-rst-from-server" + sessionid: 15281 + sloc: "10.0.0.0-10.255.255.255" + sport: 42071 + src: "185.64.148.0" + srczone: "LAN" + start: "2024/01/18 12:46:45" + subcatapp: "unknown" + subtype: "end" + time_generated: "Jan 25 2024 11:02:57 GMT" + timestamp: 1706180577000 + tunnel: "N/A" + tunneledapp: "incomplete" + tunnelid: 0 + type: "TRAFFIC" + message: "<190>Jan 18 12:46:54 PA-VM serial=42808DUMMY733|type=TRAFFIC|subtype=end|time_generated=Jan 25 2024 11:02:57 GMT|src=185.64.148.0|dst=185.64.148.0|natsrc=185.64.148.0|natdst=185.64.148.0|rule=LAN-WAN|suser=|duser=|app=incomplete|vsys=vsys1|from=LAN|to=WAN|inboundif=ethernet1/1|outboundif=ethernet1/2|logset=POC-Dash-DD-204-9099|sessionid=15281|repeatcnt=1|sport=42071|dport=233|natsport=46973|natdport=233|flags=0x40001b|proto=tcp|act=allow|bytes=134|bytes_sent=74|bytes_received=60|pkt=2|start=2024/01/18 
12:46:45|elapsed=0|cat=any|seq=7288183648727243213|actflag=0x0|sloc=10.0.0.0-10.255.255.255|dloc=10.0.0.0-10.255.255.255|pktsent=1|pktrcvd=1|sessionendreason=tcp-rst-from-server|vsysname=|dvc=PA-VM|actsrc=from-policy|suuid=|duuid=|tunnelid=0|monitortag=|parentid=0|parentst=|tunnel=N/A|associd=0|chunk=0|chunksent=0|chunkrcvd=0|ruleuuid=9d526565-xxyy-4e35-9c2e-6f54430132ec|http2conn=0|appflap=0|policyid=|link=|dynusrgrp=|xffip=|scat=|sprofile=|smodel=|sven=|sosfam=|sosver=|shost=|smac=|dcat=|dprofile=|dmodel=|dven=|dosfam=|dosver=|dhost=|dmac=|contid=|podnamespace=|podname=|sedl=|dedl=|hostid=|srnum=|sdag=|ddag=|sessionown=|subcatapp=unknown|appcat=unknown|apptech=unknown|apprisk=1|appchar=|appcont=|tunneledapp=incomplete|appsaas=no|appstate=no|offloaded=0|flowtype=|cluster=" + service: "TRAFFIC" + tags: + - "source:LOGS_SOURCE" + timestamp: 1706180577000 + - + sample: "<190>Jan 16 14:15:34 PA-VM serial=42808DUMMY733|type=THREAT|subtype=url|time_generated=Jan 25 2024 11:02:57 GMT|src=185.64.148.0|dst=185.64.148.0|natsrc=185.64.148.0|natdst=185.64.148.0|rule=Block URL and 
Apps|suser=|duser=|app=facebook-base|vsys=vsys1|from=LAN|to=WAN|inboundif=ethernet1/2|outboundif=ethernet1/1|logset=New_Log_Profile|sessionid=1553|repeatcnt=1|sport=49896|dport=443|natsport=16742|natdport=443|flags=0x403400|proto=tcp|act=block-url|misc=www.facebook.com/|threatid=9999(9999)|cat=social-networking|severity=informational|dir=client-to-server|seqno=7312400435275366420|actflags=0x0|sloc=10.0.0.0-10.255.255.255|dloc=India|contenttype=|pcapip=0|filedigest=|cloud=|urlidx=0|useragent=|filetype=|xff=|ref=|sender=|sub=|recipient=|reportid=0|vsysname=|dvc=PA-VM|suuid=|duuid=|http_method=|tunnelid=0|monitortag=|tunnel=N/A|thrcategory=N/A|contentver=AppThreat-0-0|ppid=4294967295|httpheaders=|urlcategory=social-networking,low-risk|ruleuuid=b77632fb-xxyy-49f2-b319-e02d91a826fc|http2conn=0|dynusrgrp=|xffip=|scat=|sprofile=|smodel=|sven=|sosfam=|sosver=|shost=|smac=|dcat=|dprofile=|dmodel=|dven=|dosfam=|dosver=|dhost=|dmac=|contid=|podnamespace=|podname=|hostid=|srnum=|reason=|justification=|subcatApp=social-networking|appcat=saas|apptech=browser-based|apprisk=4|appchar=used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use,is-saas,no-certifications|appcont=facebook|tunneledapp=facebook-base|appsaas=yes|appstate=no|cloudreportid=|cluster=|flowtype=" + result: + custom: + actflags: "0x0" + app: "facebook-base" + appcat: "saas" + appsaas: "yes" + appstate: "no" + apptech: "browser-based" + cat: "social-networking" + contentver: "AppThreat-0-0" + dir: "client-to-server" + dloc: "India" + dport: 443 + dst: "185.64.148.0" + dstzone: "WAN" + dvc: "PA-VM" + flags: "0x403400" + http2conn: 0 + inboundif: "ethernet1/2" + logset: "New_Log_Profile" + misc: "www.facebook.com/" + network: + client: + geoip: + city: + name: "Paris" + continent: + code: "EU" + name: "Europe" + country: + iso_code: "FR" + name: "France" + ipAddress: "185.64.148.0" + location: + latitude: 48.90654 + longitude: 2.33339 + subdivision: + iso_code: "FR-IDF" + 
name: "Île-de-France" + timezone: "Europe/Paris" + ip: "185.64.148.0" + port: 16742 + destination: + geoip: + city: + name: "Paris" + continent: + code: "EU" + name: "Europe" + country: + iso_code: "FR" + name: "France" + ipAddress: "185.64.148.0" + location: + latitude: 48.90654 + longitude: 2.33339 + subdivision: + iso_code: "FR-IDF" + name: "Île-de-France" + timezone: "Europe/Paris" + ip: "185.64.148.0" + port: 443 + outboundif: "ethernet1/1" + palo: + alto: + panorama: + action: "block-url" + appchar: "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use,is-saas,no-certifications" + appcont: "facebook" + apprisk: 4 + vsys: "vsys1" + pcapip: 0 + ppid: 4294967295 + proto: "tcp" + repeatcnt: 1 + reportid: 0 + rule: "Block URL and Apps" + ruleuuid: "b77632fb-xxyy-49f2-b319-e02d91a826fc" + seqno: 7312400435275366420 + serial: "42808DUMMY733" + sessionid: 1553 + severity: "informational" + sloc: "10.0.0.0-10.255.255.255" + sport: 49896 + src: "185.64.148.0" + srczone: "LAN" + status: "info" + subcatApp: "social-networking" + subtype: "url" + thrcategory: "N/A" + threatid: "9999(9999)" + time_generated: "Jan 25 2024 11:02:57 GMT" + timestamp: 1706180577000 + tunnel: "N/A" + tunneledapp: "facebook-base" + tunnelid: 0 + type: "THREAT" + urlcategory: "social-networking,low-risk" + urlidx: 0 + message: "<190>Jan 16 14:15:34 PA-VM serial=42808DUMMY733|type=THREAT|subtype=url|time_generated=Jan 25 2024 11:02:57 GMT|src=185.64.148.0|dst=185.64.148.0|natsrc=185.64.148.0|natdst=185.64.148.0|rule=Block URL and 
Apps|suser=|duser=|app=facebook-base|vsys=vsys1|from=LAN|to=WAN|inboundif=ethernet1/2|outboundif=ethernet1/1|logset=New_Log_Profile|sessionid=1553|repeatcnt=1|sport=49896|dport=443|natsport=16742|natdport=443|flags=0x403400|proto=tcp|act=block-url|misc=www.facebook.com/|threatid=9999(9999)|cat=social-networking|severity=informational|dir=client-to-server|seqno=7312400435275366420|actflags=0x0|sloc=10.0.0.0-10.255.255.255|dloc=India|contenttype=|pcapip=0|filedigest=|cloud=|urlidx=0|useragent=|filetype=|xff=|ref=|sender=|sub=|recipient=|reportid=0|vsysname=|dvc=PA-VM|suuid=|duuid=|http_method=|tunnelid=0|monitortag=|tunnel=N/A|thrcategory=N/A|contentver=AppThreat-0-0|ppid=4294967295|httpheaders=|urlcategory=social-networking,low-risk|ruleuuid=b77632fb-xxyy-49f2-b319-e02d91a826fc|http2conn=0|dynusrgrp=|xffip=|scat=|sprofile=|smodel=|sven=|sosfam=|sosver=|shost=|smac=|dcat=|dprofile=|dmodel=|dven=|dosfam=|dosver=|dhost=|dmac=|contid=|podnamespace=|podname=|hostid=|srnum=|reason=|justification=|subcatApp=social-networking|appcat=saas|apptech=browser-based|apprisk=4|appchar=used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use,is-saas,no-certifications|appcont=facebook|tunneledapp=facebook-base|appsaas=yes|appstate=no|cloudreportid=|cluster=|flowtype=" + service: "THREAT" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1706180577000 + - + sample: "<190>Jan 16 14:15:34 PA-VM serial=42808DUMMY733|type=DECRYPTION|subtype=|configver=10.2.5-h5|time_generated=Jan 25 2024 11:02:57 GMT|src=185.64.148.03|dst=185.64.148.0|natsrc=185.64.148.0|natdst=185.64.148.0|rule=DNS|suser=sruser1|duser=dstuser1|app=ssl|vsys=vsys3|from=LAN|to=WAN|inboundif=ethernet1/2|outboundif=ethernet1/1|logset=POC-Dash-DD-204-9099|time_received=2024/01/01 
11:20:30|sessionid=1578|repeatcnt=1|sport=5347|dport=7007|natsport=5431|natdport=7001|flags=0x02000000|proto=tcp|act=deny|tunnel=bi-tunnel|suuid=9d526565-ba09-yyxx-9c2e-6f54430132ac|duuid=9d526565-ba09-aabb-9c2e-6f54430132dc|ruleuuid=9d526565-ba01-4e35-1234-6f54430032er|hsstagec2f=Client Hello|hsstagef2s=Server Finished|tlsver=1|tlskeyxchg=RSA|tlsenc=AES-128-CBC|tlsauth=SHA|policyname=CLI Command|eccurve=test_ec_curve|errindex=Cipher|rootstatus=trusted|chainstatus=Uninspected|proxytype=Forward|certserial=XYZ420|fingerprint=test-9d526565-ba01-4e35-9c2e-6f54430032er|notbefore=1704068400|notafter=1704069400|certver=v1|certsize=65536|cnlen=33000|issuerlen=532|rootcnlen=895|snilen=99|certflags=padding3|cn=YM204|issuercn=FRID|rootcn=Yiffi|sni=server1|err=failed validation|contid=fashfgdshkfgdskfsh21515|podnamespace=pod_namespace|podname=pod_name|sedl=src_edl|dedl=dst_edl|sdag=src_dag|ddag=dst_dag|scat=network|sprofile=roaming_comp|smodel=lenovo-win|sven=win|src_osfamily=windows|sosver=1803|shost=WIN45|smac=00:11:22:33:44:55|dcat=firewall|dprofile=router|dmodel=44OS|dven=cisfo|dosfam=windows|dosver=1809|dhost=DE423|dmac=BE:EF:57:33:13:C4|seqno=7288183790458945051|actflag=0x0|vsysname=vsys2|dvc=PA-VM|vsysid=5455545|appsubcat=encrypted-tunnel|appcat=business-systems|apptech=browser-based|apprisk=1|appchar=used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use|appcont=docker|appsaas=1|appstate=1|cluster=CLN0" + result: + custom: + actflag: "0x0" + app: "ssl" + appcat: "business-systems" + appsaas: 1 + appstate: 1 + apptech: "browser-based" + certflags: "padding3" + certserial: "XYZ420" + certsize: 65536 + certver: "v1" + chainstatus: "Uninspected" + cluster: "CLN0" + cn: "YM204" + cnlen: 33000 + configver: "10.2.5-h5" + contid: "fashfgdshkfgdskfsh21515" + ddag: "dst_dag" + dedl: "dst_edl" + dhost: "DE423" + dosfam: "windows" + dport: 7007 + dst: "185.64.148.0" + dstzone: "WAN" + duser: "dstuser1" + duuid: 
"9d526565-ba09-aabb-9c2e-6f54430132dc" + dvc: "PA-VM" + eccurve: "test_ec_curve" + err: "failed validation" + errindex: "Cipher" + fingerprint: "test-9d526565-ba01-4e35-9c2e-6f54430032er" + flag_details: "IPv6 session" + flags: "0x02000000" + hsstagec2f: "Client Hello" + hsstagef2s: "Server Finished" + http: + useragent_details: + os: + family: "windows" + inboundif: "ethernet1/2" + issuercn: "FRID" + issuerlen: 532 + logset: "POC-Dash-DD-204-9099" + network: + client: + geoip: + city: + name: "Paris" + continent: + code: "EU" + name: "Europe" + country: + iso_code: "FR" + name: "France" + ipAddress: "185.64.148.0" + location: + latitude: 48.90654 + longitude: 2.33339 + subdivision: + iso_code: "FR-IDF" + name: "Île-de-France" + timezone: "Europe/Paris" + ip: "185.64.148.0" + port: 5431 + destination: + geoip: + city: + name: "Paris" + continent: + code: "EU" + name: "Europe" + country: + iso_code: "FR" + name: "France" + ipAddress: "185.64.148.0" + location: + latitude: 48.90654 + longitude: 2.33339 + subdivision: + iso_code: "FR-IDF" + name: "Île-de-France" + timezone: "Europe/Paris" + ip: "185.64.148.0" + port: 7001 + notafter: 1704069400 + notbefore: 1704068400 + outboundif: "ethernet1/1" + palo: + alto: + panorama: + action: "deny" + appchar: "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use" + appcont: "docker" + apprisk: 1 + appsubcat: "encrypted-tunnel" + dcat: "firewall" + dmac: "BE:EF:57:33:13:C4" + dmodel: "44OS" + dosver: 1809 + dprofile: "router" + dven: "cisfo" + scat: "network" + smodel: "lenovo-win" + sosver: 1803 + sprofile: "roaming_comp" + sven: "win" + vsys: "vsys3" + podname: "pod_name" + podnamespace: "pod_namespace" + policyname: "CLI Command" + proto: "tcp" + proxytype: "Forward" + repeatcnt: 1 + rootcn: "Yiffi" + rootcnlen: 895 + rootstatus: "trusted" + rule: "DNS" + ruleuuid: "9d526565-ba01-4e35-1234-6f54430032er" + sdag: "src_dag" + sedl: "src_edl" + seqno: 7288183790458945051 + serial: 
"42808DUMMY733" + sessionid: 1578 + shost: "WIN45" + smac: "00:11:22:33:44:55" + sni: "server1" + snilen: 99 + sport: 5347 + src: "185.64.148.03" + srczone: "LAN" + suser: "sruser1" + suuid: "9d526565-ba09-yyxx-9c2e-6f54430132ac" + time_generated: "Jan 25 2024 11:02:57 GMT" + time_received: "2024/01/01 11:20:30" + timestamp: 1706180577000 + tlsauth: "SHA" + tlsenc: "AES-128-CBC" + tlskeyxchg: "RSA" + tlsver: 1 + tunnel: "bi-tunnel" + type: "DECRYPTION" + vsysid: 5455545 + vsysname: "vsys2" + message: "<190>Jan 16 14:15:34 PA-VM serial=42808DUMMY733|type=DECRYPTION|subtype=|configver=10.2.5-h5|time_generated=Jan 25 2024 11:02:57 GMT|src=185.64.148.03|dst=185.64.148.0|natsrc=185.64.148.0|natdst=185.64.148.0|rule=DNS|suser=sruser1|duser=dstuser1|app=ssl|vsys=vsys3|from=LAN|to=WAN|inboundif=ethernet1/2|outboundif=ethernet1/1|logset=POC-Dash-DD-204-9099|time_received=2024/01/01 11:20:30|sessionid=1578|repeatcnt=1|sport=5347|dport=7007|natsport=5431|natdport=7001|flags=0x02000000|proto=tcp|act=deny|tunnel=bi-tunnel|suuid=9d526565-ba09-yyxx-9c2e-6f54430132ac|duuid=9d526565-ba09-aabb-9c2e-6f54430132dc|ruleuuid=9d526565-ba01-4e35-1234-6f54430032er|hsstagec2f=Client Hello|hsstagef2s=Server Finished|tlsver=1|tlskeyxchg=RSA|tlsenc=AES-128-CBC|tlsauth=SHA|policyname=CLI Command|eccurve=test_ec_curve|errindex=Cipher|rootstatus=trusted|chainstatus=Uninspected|proxytype=Forward|certserial=XYZ420|fingerprint=test-9d526565-ba01-4e35-9c2e-6f54430032er|notbefore=1704068400|notafter=1704069400|certver=v1|certsize=65536|cnlen=33000|issuerlen=532|rootcnlen=895|snilen=99|certflags=padding3|cn=YM204|issuercn=FRID|rootcn=Yiffi|sni=server1|err=failed 
validation|contid=fashfgdshkfgdskfsh21515|podnamespace=pod_namespace|podname=pod_name|sedl=src_edl|dedl=dst_edl|sdag=src_dag|ddag=dst_dag|scat=network|sprofile=roaming_comp|smodel=lenovo-win|sven=win|src_osfamily=windows|sosver=1803|shost=WIN45|smac=00:11:22:33:44:55|dcat=firewall|dprofile=router|dmodel=44OS|dven=cisfo|dosfam=windows|dosver=1809|dhost=DE423|dmac=BE:EF:57:33:13:C4|seqno=7288183790458945051|actflag=0x0|vsysname=vsys2|dvc=PA-VM|vsysid=5455545|appsubcat=encrypted-tunnel|appcat=business-systems|apptech=browser-based|apprisk=1|appchar=used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use|appcont=docker|appsaas=1|appstate=1|cluster=CLN0" + service: "DECRYPTION" + tags: + - "source:LOGS_SOURCE" + timestamp: 1706180577000 + - + sample: "<190>Jan 16 14:15:24 PA-VM receive_time=2024/01/16 11:27:19|serial=7051000206484|type=SYSTEM|subtype=general|time_generated=Jan 25 2024 11:02:57 GMT|vsys=|eventid=general|object=|module=general|severity=informational|opaque=User admin performed a log export operation for config log.|seqno=7288183790458945051|actionflags=0x0|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=|device_name=PA-VM|high_res_timestamp=2024-01-16T11:27:20.587+05:30" + result: + custom: + actionflags: "0x0" + device_name: "PA-VM" + dg_hier_level_1: 0 + dg_hier_level_2: 0 + dg_hier_level_3: 0 + dg_hier_level_4: 0 + eventid: "general" + high_res_timestamp: "2024-01-16T11:27:20.587+05:30" + module: "general" + opaque: "User admin performed a log export operation for config log." 
+ receive_time: "2024/01/16 11:27:19" + seqno: 7288183790458945051 + serial: 7051000206484 + severity: "informational" + status: "info" + subtype: "general" + time_generated: "Jan 25 2024 11:02:57 GMT" + timestamp: 1706180577000 + type: "SYSTEM" + message: "<190>Jan 16 14:15:24 PA-VM receive_time=2024/01/16 11:27:19|serial=7051000206484|type=SYSTEM|subtype=general|time_generated=Jan 25 2024 11:02:57 GMT|vsys=|eventid=general|object=|module=general|severity=informational|opaque=User admin performed a log export operation for config log.|seqno=7288183790458945051|actionflags=0x0|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=|device_name=PA-VM|high_res_timestamp=2024-01-16T11:27:20.587+05:30" + service: "SYSTEM" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1706180577000 + - + sample: "<190>Jan 16 14:15:24 PA-VM receive_time=2023/11/24 15:38:21|serial=42808DUMMY733|type=CONFIG|subtype=1|time_generated=Jan 25 2024 11:02:57 GMT|host=8.8.8.8|vsys=test1|cmd=audit-commit|admin=admin|client=Web|result=Succeeded|path=vsys vsys1 rulebase nat rules LAN-WAN|before-change-detail=d3669n472-xxyy-4d21-bf0f-ed099ecfbaad|after-change-detail=d3669472-xxyy-4d21-bf0f-ed099ecfbaad|seqno=7304913645853474846|actionflags=0x0|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=|device_name=PA-VM|dg_id=0|comment=LAN-WAN|high_res_timestamp=2024-01-16T14:15:34.518+05:30" + result: + custom: + actionflags: "0x0" + after-change-detail: "d3669472-xxyy-4d21-bf0f-ed099ecfbaad" + before-change-detail: "d3669n472-xxyy-4d21-bf0f-ed099ecfbaad" + client: "Web" + cmd: "audit-commit" + comment: "LAN-WAN" + device_name: "PA-VM" + dg_hier_level_1: 0 + dg_hier_level_2: 0 + dg_hier_level_3: 0 + dg_hier_level_4: 0 + dg_id: 0 + high_res_timestamp: "2024-01-16T14:15:34.518+05:30" + host: "8.8.8.8" + palo: + alto: + panorama: + vsys: "test1" + path: "vsys vsys1 rulebase nat rules LAN-WAN" + receive_time: "2023/11/24 15:38:21" + 
result: "Succeeded" + seqno: 7304913645853474846 + serial: "42808DUMMY733" + subtype: 1 + time_generated: "Jan 25 2024 11:02:57 GMT" + timestamp: 1706180577000 + type: "CONFIG" + usr: + name: "admin" + message: "<190>Jan 16 14:15:24 PA-VM receive_time=2023/11/24 15:38:21|serial=42808DUMMY733|type=CONFIG|subtype=1|time_generated=Jan 25 2024 11:02:57 GMT|host=8.8.8.8|vsys=test1|cmd=audit-commit|admin=admin|client=Web|result=Succeeded|path=vsys vsys1 rulebase nat rules LAN-WAN|before-change-detail=d3669n472-xxyy-4d21-bf0f-ed099ecfbaad|after-change-detail=d3669472-xxyy-4d21-bf0f-ed099ecfbaad|seqno=7304913645853474846|actionflags=0x0|dg_hier_level_1=0|dg_hier_level_2=0|dg_hier_level_3=0|dg_hier_level_4=0|vsys_name=|device_name=PA-VM|dg_id=0|comment=LAN-WAN|high_res_timestamp=2024-01-16T14:15:34.518+05:30" + service: "CONFIG" + tags: + - "source:LOGS_SOURCE" + timestamp: 1706180577000 \ No newline at end of file diff --git a/palo_alto_panorama/assets/service_checks.json b/palo_alto_panorama/assets/service_checks.json new file mode 100644 index 0000000000000..fe51488c7066f --- /dev/null +++ b/palo_alto_panorama/assets/service_checks.json @@ -0,0 +1 @@ +[] diff --git a/palo_alto_panorama/changelog.d/16748.added b/palo_alto_panorama/changelog.d/16748.added new file mode 100644 index 0000000000000..aa949b47b7b41 --- /dev/null +++ b/palo_alto_panorama/changelog.d/16748.added @@ -0,0 +1 @@ +Initial Release \ No newline at end of file diff --git a/palo_alto_panorama/datadog_checks/__init__.py b/palo_alto_panorama/datadog_checks/__init__.py new file mode 100644 index 0000000000000..1517d901c0aae --- /dev/null +++ b/palo_alto_panorama/datadog_checks/__init__.py @@ -0,0 +1,4 @@ +# (C) Datadog, Inc. 2024-present +# All rights reserved +# Licensed under a 3-clause BSD style license (see LICENSE) +__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore 
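Review bot: The expected results lock in inconsistent types for the same attribute across samples: the SYSTEM sample asserts `serial: 7051000206484` while the other samples assert `serial: "42808DUMMY733"`, the CONFIG sample asserts `subtype: 1` against `subtype: "end"` and `subtype: "url"` elsewhere, and the DECRYPTION sample asserts `appsaas: 1` and `appstate: 1` against `"no"` in the TRAFFIC and THREAT samples. A facet created on any of these attributes then sees mixed string and integer values, which is the kind of type conflict that breaks filtering and dashboard widgets, and a fixture should not encode it as correct behaviour; the same presumably applies to `sosver: 1803` and `dosver: 1809` under `palo.alto.panorama`, which are version labels. Unless numeric casting of these fields is intended, pin them as strings here (e.g. `serial: "7051000206484"`, `subtype: "1"`) and adjust the parser to match; if the casting is deliberate, a one-line comment at the top of the file saying so would stop the next reader from flagging it.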
diff --git a/palo_alto_panorama/datadog_checks/palo_alto_panorama/__about__.py b/palo_alto_panorama/datadog_checks/palo_alto_panorama/__about__.py
new file mode 100644
index 0000000000000..e9541ce83e9e5
--- /dev/null
+++ b/palo_alto_panorama/datadog_checks/palo_alto_panorama/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/palo_alto_panorama/datadog_checks/palo_alto_panorama/__init__.py b/palo_alto_panorama/datadog_checks/palo_alto_panorama/__init__.py
new file mode 100644
index 0000000000000..e3e1909cdf383
--- /dev/null
+++ b/palo_alto_panorama/datadog_checks/palo_alto_panorama/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/palo_alto_panorama/datadog_checks/palo_alto_panorama/data/conf.yaml.example b/palo_alto_panorama/datadog_checks/palo_alto_panorama/data/conf.yaml.example
new file mode 100644
index 0000000000000..f373d8a0bb246
--- /dev/null
+++ b/palo_alto_panorama/datadog_checks/palo_alto_panorama/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: udp/tcp
+# port:
+# service: palo-alto-panorama
+# source: palo-alto-panorama
diff --git a/palo_alto_panorama/images/palo_alto_panorama_authentication.png b/palo_alto_panorama/images/palo_alto_panorama_authentication.png
new file mode 100644
index 0000000000000..6aaa29a9f5787
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_authentication.png differ
diff --git a/palo_alto_panorama/images/palo_alto_panorama_config.png b/palo_alto_panorama/images/palo_alto_panorama_config.png
new file mode 100644
index 0000000000000..277e13313ae80
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_config.png differ
diff --git a/palo_alto_panorama/images/palo_alto_panorama_decryption.png b/palo_alto_panorama/images/palo_alto_panorama_decryption.png
new file mode 100644
index 0000000000000..8484205fb0bf2
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_decryption.png differ
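Review bot: `- type: udp/tcp` in the commented example is not a value the Agent accepts; the comment block above lists `tcp` and `udp` as separate source types, so a user who uncomments the block verbatim gets a rejected logs configuration. Pick one and name the alternative in a trailing comment, e.g. `#   - type: udp  # or tcp`. Since this is a network listener that ingests whatever reaches it, a one-line comment recommending that the chosen `port` be reachable only from the Panorama forwarder would also be worth adding here, next to the `port:` line.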
diff --git a/palo_alto_panorama/images/palo_alto_panorama_global_protect.png b/palo_alto_panorama/images/palo_alto_panorama_global_protect.png
new file mode 100644
index 0000000000000..81c69b5636357
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_global_protect.png differ
diff --git a/palo_alto_panorama/images/palo_alto_panorama_system.png b/palo_alto_panorama/images/palo_alto_panorama_system.png
new file mode 100644
index 0000000000000..1101f06aad9f0
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_system.png differ
diff --git a/palo_alto_panorama/images/palo_alto_panorama_threat.png b/palo_alto_panorama/images/palo_alto_panorama_threat.png
new file mode 100644
index 0000000000000..480cc2801bcfe
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_threat.png differ
diff --git a/palo_alto_panorama/images/palo_alto_panorama_traffic.png b/palo_alto_panorama/images/palo_alto_panorama_traffic.png
new file mode 100644
index 0000000000000..320a01f619bbd
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_traffic.png differ
diff --git a/palo_alto_panorama/images/palo_alto_panorama_tunnel_inspection.png b/palo_alto_panorama/images/palo_alto_panorama_tunnel_inspection.png
new file mode 100644
index 0000000000000..7b36f093def89
Binary files /dev/null and b/palo_alto_panorama/images/palo_alto_panorama_tunnel_inspection.png differ
diff --git a/palo_alto_panorama/manifest.json b/palo_alto_panorama/manifest.json
new file mode 100644
index 0000000000000..4eea43f783f22
--- /dev/null
+++ b/palo_alto_panorama/manifest.json
@@ -0,0 +1,103 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "08e3eb08-944f-4f58-94db-b8235b7ebb5e",
+ "app_id": "palo-alto-panorama",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into the panorama firewall logs. Connect to Cloud SIEM",
+ "title": "palo-alto-panorama",
+ "media": [
+ {
+ "caption": "Palo Alto Panorama: Traffic",
+ "image_url": "images/palo_alto_panorama_traffic.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: Threat",
+ "image_url": "images/palo_alto_panorama_threat.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: Config",
+ "image_url": "images/palo_alto_panorama_config.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: System",
+ "image_url": "images/palo_alto_panorama_system.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: Decryption",
+ "image_url": "images/palo_alto_panorama_decryption.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: Global Protect",
+ "image_url": "images/palo_alto_panorama_global_protect.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: Tunnel Inspection",
+ "image_url": "images/palo_alto_panorama_tunnel_inspection.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Palo Alto Panorama: Authentication",
+ "image_url": "images/palo_alto_panorama_authentication.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Security",
+ "Category::Network",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 6661801,
+ "source_type_name": "palo-alto-panorama",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ },
+ "service_checks": {
+ "metadata_path": "assets/service_checks.json"
+ }
+ },
+ "dashboards": {
+ "Palo Alto Panorama: Traffic": "assets/dashboards/palo_alto_panorama_traffic.json",
+ "Palo Alto Panorama: Threat": "assets/dashboards/palo_alto_panorama_threat.json",
+ "Palo Alto Panorama: Config": "assets/dashboards/palo_alto_panorama_config.json",
+ "Palo Alto Panorama: System": "assets/dashboards/palo_alto_panorama_system.json",
+ "Palo Alto Panorama: Decryption": "assets/dashboards/palo_alto_panorama_decryption.json",
+ "Palo Alto Panorama: Global Protect": "assets/dashboards/palo_alto_panorama_globalprotect.json",
+ "Palo Alto Panorama: Tunnel Inspection": "assets/dashboards/palo_alto_panorama_tunnel_inspection.json",
+ "Palo Alto Panorama: Authentication": "assets/dashboards/palo_alto_panorama_authentication.json",
+ "Palo Alto Panorama: Correlated Events": "assets/dashboards/palo_alto_panorama_correlated_events.json",
+ "Palo Alto Panorama: HIP Match": "assets/dashboards/palo_alto_panorama_hip_match.json",
+ "Palo Alto Panorama: User ID": "assets/dashboards/palo_alto_panorama_user_id.json"
+ },
+ "logs": {
+ "source": "palo-alto-panorama"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
\ No newline at end of file
diff --git a/palo_alto_panorama/pyproject.toml b/palo_alto_panorama/pyproject.toml
new file mode 100644
index 0000000000000..2fe312ddd5df0
--- /dev/null
+++ b/palo_alto_panorama/pyproject.toml
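Review bot: The GlobalProtect dashboard path in the `dashboards` map, `assets/dashboards/palo_alto_panorama_globalprotect.json`, is the only asset in this file that does not use the `global_protect` spelling of its image `images/palo_alto_panorama_global_protect.png` and of every other dashboard file name; if the JSON asset is ever renamed to match the convention the tile reference silently breaks, so it is worth aligning now. The map also registers Correlated Events, HIP Match and User ID dashboards that have no entry in `tile.media`, so those three will not be shown on the tile — presumably intentional while screenshots are pending, but it should be confirmed. `"title": "palo-alto-panorama"` next to `"display_on_public_website": false` reads like scaffolding; the captions already use `Palo Alto Panorama`, which is what the tile title should presumably say too.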
@@ -0,0 +1,58 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-palo-alto-panorama"
+description = "The palo-alto-panorama check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "palo_alto_panorama",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/palo_alto_panorama/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/palo_alto_panorama",
+]
+dev-mode-dirs = [
+ ".",
+]
\ No newline at end of file