Sunday, July 10, 2016

Building a Splunk Dashboard by parsing Palo Alto events – “THREAT” Logs

In this post, we will leverage Splunk – which I installed previously – to build a dashboard that allows us to get a quick overview of our Palo Alto “Threats” Logs.

In the previous post we looked at parsing the “TRAFFIC” Logs In this post we look at parsing the “THREAT” logs. Once again, before we can parse a log we need to understand the structure of the log file. From below we can see that this log event is “,” delimited. So looking at this log, let’s do our thing. If you looked at the previous post, the "THREAT" logs is structured basically the same as the "TRAFFIC" logs except for a few fields where the value differs such as the "sub type"

Jul  8 07:00:45 Jul  7 18:57:46 1,2016/07/07 18:57:46,001606042988,THREAT,vulnerability,1,2016/07/07 18:57:41,,107.xx.xx.21,99.xx.xx.63,,Web Traffic,,,web-browsing,vsys1,TRUSTED_LAN_L3,INTERNET,vlan,ethernet1/1,Security Monitoring,2016/07/07 18:57:46,7691,1,60316,80,30074,80,0x400000,tcp,alert,"",HTTP OPTIONS Method(30520),any,informational,client-to-server,825,0x0,,United States,0,

using the search query below we can parse the Threat logs

host="" THREAT | rex field=_raw ".*,THREAT,(?<fw_threat_subtype>\w+),.*?,(?<fw_srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<fw_dstIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,(?<fw_dstPort>\w+),.*?,.*?,.*?,.*?,(?<fw_protocol>\w+),(?<fw_action>\w+),.*?,(?<fw_msg>.*?),.*?,.*?,(?<fw_direction>\w+),.*?,.*?,(?<fw_geolocation>.*?)," | stats count by fw_threat_subtype, fw_srcIP, fw_dstIP, fw_dstPort, fw_protocol, fw_action, fw_msg, fw_direction, fw_geolocation | sort count | reverse

Taking another example, let’s look at vulnerabilities which have been seen over the past … however long we got some logs for …

host="" THREAT | rex field=_raw ".*,THREAT,(?<fw_threat_subtype>\w+),.*?,(?<fw_srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<fw_dstIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,.*?,(?<fw_dstPort>\w+),.*?,.*?,.*?,.*?,(?<fw_protocol>\w+),(?<fw_action>\w+),.*?,(?<fw_msg>.*?),.*?,.*?,(?<fw_direction>\w+),.*?,.*?,(?<fw_geolocation>.*?)," | stats count by fw_msg | sort count | reverse

Ok enough of this. In this series we built a monitoring solution and then used Splunk to prase some Palo Alto logs.

Hope you enjoyed and do leave a comment if you find this series useful.

All Posts In This Series.

Building a monitoring solution – Hardening the OS - CentOS 7 (Linux)
Building a monitoring solution – Forwarding Palo Alto Logs
Building a monitoring solution - Parsing Palo Alto 200 - TRAFFIC (Firewall) Logs
Building a Splunk Dashboard by parsing Palo Alto events – “THREAT” Logs


  1. Nice blog its very informative and useful blog thanks for sharing.
    Know more about Splunk Training

  2. I really appreciate the information shared above. It’s of great help. If someone wants to learn Online (Virtual) instructor lead live training in Splunk TECHNOLOGY, kindly contact us
    MaxMunus Offer World Class Virtual Instructor-led training on TECHNOLOGY. We have industry expert trainer. We provide Training Material and Software Support. MaxMunus has successfully conducted 100000+ pieces of training in India, USA, UK, Australia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us.
    Pratik Shekhar
    Ph:(0) +91 9066268701